Import users with their passwords from Atlassian Crowd

Hi,
I have a user pool in Atlassian Crowd that I would like to import in auth0, ideally with their passwords.

I have installed the extension user import export and by looking at the documentation here I can pass custom hash parameters in the json file.

The passwords in Crowd look like this: "credential": "{PKCS5S2}…"

The only thing I could find in Atlassian is this post, which specifically says "hashes with PBKDF2 and a round length of 10,000", and I can see pbkdf2 listed in the auth0 extension, so in theory it is possible.

I was wondering if anyone has ever attempted this and if not, get some guidance on how to start.
Thanks!

Hi @acaselli,

Welcome to the Auth0 Community!

Finding the correct format of the import can take some trial and error.

Do you have access to the params listed here?

I would suggest creating a dev/test user and trying to import their password successfully. For example, create a user with a password of password and try to import that to Auth0 and log in with those values.

You may also want to search for related info about the algo you are using. For example, here is a thread that could be insightful.

Let me know if you have any questions.


Hi @dan.woda ,

Thank you so much for your reply, this is very useful information.

Yes, I have access to the params listed in your link. I get quite confused when it comes to the custom password hash and the second link you sent helped me a bit, but I am still very confused as I don’t know much about password salt, hash, etc…

Following the example you linked, the correct parameter is:

"custom_password_hash": {
  "algorithm": "pbkdf2",
  "hash": {
    "value": "$pbkdf2-sha1$i=1000,l=32${salt}${hash}",
    "encoding": "utf8"
  }
}

focusing on the part "value": "$pbkdf2-sha1$i=1000,l=32${salt}${hash}",

My first doubt is “-sha1” .

i=1000 I think it refers to the number of rounds and in my case should be 10000

l=32 totally lost here, no idea what should be the value

${salt}${hash} same… if my password is (random example) {PKCS5S2}123abc the salt is “{PKCS5S2}” and the hash is “123abc”? If yes it should be ${PKCS5S2}${123abc} ?

Any help is appreciated as I am really new at this.
Thanks!

From the doc provided in the Crowd support thread, here is an example of what I would try:

Original hash export from Crowd (base64 encoded)

{PKCS5S2}DQIXJU038u4P7FdsuFTY/+35bm41kfjZa57UrdxHp2Mu3qF2uy+ooD+jF5t1tb8J

Isolate the base64 encoded hash value (everything after {PKCS5S2})

DQIXJU038u4P7FdsuFTY/+35bm41kfjZa57UrdxHp2Mu3qF2uy+ooD+jF5t1tb8J

Base64 decode that value to hex

0D 02 17 25 4D 37 F2 EE 0F EC 57 6C B8 54 D8 FF ED F9 6E 6E 35 91 F8 D9 6B 9E D4 AD DC 47 A7 63 2E DE A1 76 BB 2F A8 A0 3F A3 17 9B 75 B5 BF 09

Remove spaces and change to lowercase

0d0217254d37f2ee0fec576cb854d8ffedf96e6e3591f8d96b9ed4addc47a7632edea176bb2fa8a03fa3179b75b5bf09

Separate salt (first 16 bytes) and checksum/hash (remaining 32 bytes)

Salt: 0d0217254d37f2ee0fec576cb854d8ff

Checksum/hash: edf96e6e3591f8d96b9ed4addc47a7632edea176bb2fa8a03fa3179b75b5bf09

Plug in the salt and checksum/hash for the final hash “value” for Auth0

$pbkdf2-sha1$i=1000,l=32$0d0217254d37f2ee0fec576cb854d8ff$edf96e6e3591f8d96b9ed4addc47a7632edea176bb2fa8a03fa3179b75b5bf09

Let me know if you have any questions.

Thank you so much @dan.woda !!

This is fantastic. One stupid question:

I have the original hash export from Crowd, where can I run the intermediate steps in order to obtain the salt and the checksum/hash?

Thanks!

If you want to do this for a single test user, you can try the command line or an online GUI tool (never put sensitive data like a real user’s hash into these online tools, only use test values).

I like base64.guru for converting. Here is the tool I used:

To convert to lowercase/remove spaces I used the command line.

Wow! Thanks, this is super useful!

So basically, I can test it with that online tool, and then, for the real user’s hash, I need to use the command line (and find all the correct commands). I am on MacOS, do I need to install any specific (Java) libraries?

Yep, that’s right. I would create a test user in Crowd and make sure you are able to successfully export/import their hash AND log in with the same password in Auth0. I would use the online tools if that’s easier for you.

Then, when you are ready to export, create a script that formats all of your users' hashes correctly and, ideally, puts them into the JSON file ready for import to Auth0 – you can do this in a bash script, python, really whatever you are most comfortable with.

I would make sure your test user is working perfectly before doing any scripting, just so you are sure the hash format is correct.

Important note: A successful import does not necessarily mean a hash is going to match correctly, make sure to actually log in and test the hash is working as expected on your test user before attempting to import all of your users.
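The manual steps from the earlier reply (base64-decode, split the 16-byte salt from the 32-byte hash, format the Auth0 value) and the suggestion above to script the conversion, as an added Python example that is not from this thread, Auth0 or Atlassian. It assumes the PKCS5S2 layout described above and takes the round count as a parameter, since the thread quotes 10,000 rounds for Crowd while the worked string above keeps i=1000 from the docs example; verify_password lets a test user's password be checked locally against the exported credential before any import.

```python
import base64
import hashlib
import hmac
import os

# Layout described in the thread: "{PKCS5S2}" prefix, then base64 of
# a 16-byte salt followed by the 32-byte PBKDF2-HMAC-SHA1 output.
PREFIX = "{PKCS5S2}"
SALT_LEN = 16
KEY_LEN = 32
CROWD_ROUNDS = 10000  # round count quoted from Atlassian's post in the thread


def split_crowd_credential(credential):
    """Return (salt, digest) bytes from a Crowd PKCS5S2 credential string."""
    if not credential.startswith(PREFIX):
        raise ValueError("not a PKCS5S2 credential")
    raw = base64.b64decode(credential[len(PREFIX):], validate=True)
    if len(raw) != SALT_LEN + KEY_LEN:
        raise ValueError(f"expected {SALT_LEN + KEY_LEN} bytes, got {len(raw)}")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def crowd_to_auth0(credential, iterations=CROWD_ROUNDS):
    """Build the custom_password_hash 'value' with hex salt/hash, as in the thread."""
    salt, digest = split_crowd_credential(credential)
    return f"$pbkdf2-sha1$i={iterations},l={KEY_LEN}${salt.hex()}${digest.hex()}"


def verify_password(credential, password, iterations=CROWD_ROUNDS):
    """Recompute PBKDF2-HMAC-SHA1 over the stored salt; constant-time compare."""
    salt, digest = split_crowd_credential(credential)
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_LEN)
    return hmac.compare_digest(derived, digest)


def make_crowd_credential(password, salt=None, iterations=CROWD_ROUNDS):
    """Encode a credential in the same layout; used here only to build a known test user."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_LEN)
    return PREFIX + base64.b64encode(salt + digest).decode("ascii")


# The credential from the worked example earlier in the thread.
EXAMPLE = "{PKCS5S2}DQIXJU038u4P7FdsuFTY/+35bm41kfjZa57UrdxHp2Mu3qF2uy+ooD+jF5t1tb8J"

if __name__ == "__main__":
    print(crowd_to_auth0(EXAMPLE))
    # Constructed test user with a fixed salt so the run is reproducible.
    test_cred = make_crowd_credential("password", salt=bytes(range(SALT_LEN)))
    print(verify_password(test_cred, "password"), verify_password(test_cred, "wrong"))
```

Run verify_password against a Crowd export of a test user whose password you know; if it returns False, the salt/hash split or the round count is wrong and the Auth0 import would accept the record but never match a login.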


Got it. Thank you so much for all your help, I will absolutely try to follow all your advice and guidance. Thanks again!


Sounds good! Please let us know if this ends up working for you. Thanks!
