Import user with custom password hash

cjones · March 27, 2023, 5:05pm

I’ve imported a user with a custom password hash. There are no errors, but when I attempt to log in to Auth0 with the user’s password, the login fails and this message appears in the Auth0 logs:

 {
  "date": "2023-03-27T15:50:56.200Z",
  "type": "fp",
  "description": "Password change required.",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_AFgPRyO4FnWb3N5Y",
  "client_id": "UKPTkTvlq8B6tQRbtwRSTZrOCenqxwmE",
  "client_name": "All Applications",
  "ip": "2600:1702:3870:7140:6860:d079:da:6b",
  "user_agent": "Chrome 111.0.0 / Windows 10.0.0",
  "details": {
    "error": {
      "message": "Password change required.",
      "reason": "Verification failed for the provided custom_password_hash: {'algorithm':'sha1','hash':{'value':'c32c737848...','encoding':'hex'},'salt':{'value':'87c11281...','encoding':'hex','position':'suffix'}}"
    }
  },
  "user_id": "auth0|foo",
  "user_name": "foo@bar.com",
  "strategy": "auth0",
  "strategy_type": "database",
  "log_id": "90020230327155100400915000000000000001223372036991371193",
  "_id": "90020230327155100400915000000000000001223372036991371193",
  "isMobile": false,
  "id": "90020230327155100400915000000000000001223372036991371193"
}

The JSON file containing this user looks like this:

[
    {
        "email":"foo@bar.com",
        "email_verified":true,
        "user_id":"foo",
        "given_name": "foo given name",
        "family_name": "bar family name",
        "name": "foo j. bar",
        "nickname": "nick foo",
        "blocked": false,
        "custom_password_hash": {
            "algorithm": "sha1",
            "hash": {
                "value": "c32c7378....c47536f3a4",
                "encoding": "hex"
            },
            "salt": {
                "value": "87c112810....9b62611627813",
                "encoding": "hex",
                "position": "suffix"
            }
        }
    }
]

the Python code that generated the hash and salt is as follows:
pass_salt = uuid.uuid4().hex
pass_hashed = hashlib.sha1((new_pass + pass_salt).encode(‘utf-8’)).hexdigest()

Can anyone tell me if there’s something I can change in the way I import a user to make this salt and hash scheme to work?

Thanks, Chris

dan.woda · March 30, 2023, 4:32pm

Hi @cjones,

Welcome to the Auth0 Community!

Can you please provide an example password, salt, and matching hash for testing? I’d like to try and import a user and see if I can get it working.

Thanks,
Dan

cjones · March 31, 2023, 6:54pm

Thanks Dan, I just got this working based on a suggestion from Lihua Zhang. The solution was to remove the line “encoding”: “hex” from the HASH. it turns out that uuid4.hex doesn’t mean hex encoded.

system · May 1, 2023, 1:43pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Import user with custom password hash using pbkdf2 algorithm Help user-management , user-import-export	2	1167	July 17, 2023
Error importing users with custom password hash Help import , user-import , password-hash , bulk-user-import	4	5260	June 11, 2020
Password change is required after importing Help	2	1512	May 11, 2023
Does Auth0 uses default hashing algorithm for user imported with custom password hash after a first login? Help user-management , user-import-export	0	1178	March 21, 2023
Can't log in using imported pbkdf2 hashed passwords Help bulk-user-import , import-password	9	4184	May 11, 2021

Import user with custom password hash

Related Topics