Import user with custom password hash

I’ve imported a user with a custom password hash. There are no errors, but when I attempt to log in to Auth0 with the user’s password, the login fails and this message appears in the Auth0 logs:

{
  "date": "2023-03-27T15:50:56.200Z",
  "type": "fp",
  "description": "Password change required.",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_AFgPRyO4FnWb3N5Y",
  "client_id": "UKPTkTvlq8B6tQRbtwRSTZrOCenqxwmE",
  "client_name": "All Applications",
  "ip": "2600:1702:3870:7140:6860:d079:da:6b",
  "user_agent": "Chrome 111.0.0 / Windows 10.0.0",
  "details": {
    "error": {
      "message": "Password change required.",
      "reason": "Verification failed for the provided custom_password_hash: {'algorithm':'sha1','hash':{'value':'c32c737848...','encoding':'hex'},'salt':{'value':'87c11281...','encoding':'hex','position':'suffix'}}"
    }
  },
  "user_id": "auth0|foo",
  "user_name": "foo@bar.com",
  "strategy": "auth0",
  "strategy_type": "database",
  "log_id": "90020230327155100400915000000000000001223372036991371193",
  "_id": "90020230327155100400915000000000000001223372036991371193",
  "isMobile": false,
  "id": "90020230327155100400915000000000000001223372036991371193"
}

The JSON file containing this user looks like this:

[
    {
        "email":"foo@bar.com",
        "email_verified":true,
        "user_id":"foo",
        "given_name": "foo given name",
        "family_name": "bar family name",
        "name": "foo j. bar",
        "nickname": "nick foo",
        "blocked": false,
        "custom_password_hash": {
            "algorithm": "sha1",
            "hash": {
                "value": "c32c7378....c47536f3a4",
                "encoding": "hex"
            },
            "salt": {
                "value": "87c112810....9b62611627813",
                "encoding": "hex",
                "position": "suffix"
            }
        }
    }
]

The Python code that generated the hash and salt is as follows:
import hashlib
import uuid

pass_salt = uuid.uuid4().hex
pass_hashed = hashlib.sha1((new_pass + pass_salt).encode('utf-8')).hexdigest()

Can anyone tell me if there’s something I can change in the way I import a user to make this salt and hash scheme work?

Thanks, Chris

Hi @cjones,

Welcome to the Auth0 Community!

Can you please provide an example password, salt, and matching hash for testing? I’d like to try and import a user and see if I can get it working.

Thanks,
Dan

Thanks Dan, I just got this working based on a suggestion from Lihua Zhang. The solution was to remove the line "encoding": "hex" from the HASH. It turns out that uuid4.hex doesn’t mean hex encoded.
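
Added example (not part of the original posts and not Auth0's code): a local model of SHA-1 verification for a `custom_password_hash` record shaped like the one in the question. The generation code in the question concatenates the salt as a 32-character text string, so a verifier that decodes the salt from hex hashes different bytes. The `decode`, `verify` and `demo` helpers and the sample password are hypothetical.

```python
import hashlib
import hmac
import uuid


def generate(password: str) -> tuple[str, str]:
    """Reproduce the scheme from the question: SHA-1 over password + salt text."""
    salt = uuid.uuid4().hex  # 32 hex characters, used as a plain string
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return digest, salt


def decode(value: str, encoding: str) -> bytes:
    """Turn a stored field into raw bytes according to its declared encoding."""
    if encoding == "hex":
        return bytes.fromhex(value)
    if encoding == "utf8":
        return value.encode("utf-8")
    raise ValueError(f"unsupported encoding: {encoding}")


def verify(password: str, record: dict) -> bool:
    """Hypothetical local verifier; encodings and position must be explicit."""
    salt = record["salt"]
    salt_bytes = decode(salt["value"], salt["encoding"])
    pw = password.encode("utf-8")
    data = pw + salt_bytes if salt["position"] == "suffix" else salt_bytes + pw
    expected = decode(record["hash"]["value"], record["hash"]["encoding"])
    # Constant-time comparison of the recomputed digest and the stored one.
    return hmac.compare_digest(hashlib.sha1(data).digest(), expected)


def demo(password: str = "constructed-sample-password") -> dict:
    """Verify one generated hash under two declarations of the same salt."""
    digest, salt = generate(password)
    base = {"algorithm": "sha1", "hash": {"value": digest, "encoding": "hex"}}
    as_hex = {**base, "salt": {"value": salt, "encoding": "hex", "position": "suffix"}}
    as_text = {**base, "salt": {"value": salt, "encoding": "utf8", "position": "suffix"}}
    return {
        "salt_declared_hex": verify(password, as_hex),    # 16 decoded bytes appended
        "salt_declared_utf8": verify(password, as_text),  # 32 text bytes appended
    }


if __name__ == "__main__":
    print(demo())
```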
