Hi,
I have a user pool in Atlassian Crowd that I would like to import into Auth0, ideally with their passwords.
I have installed the User Import / Export extension and, looking at the documentation here, I can pass custom hash parameters in the JSON file.
The passwords in Crowd look like this: "credential": "{PKCS5S2}…"
The only thing I could find from Atlassian is this post, which specifically says "hashes with PBKDF2 and a round length of 10,000", and I can see pbkdf2 listed in the Auth0 extension, so in theory it is possible.
I was wondering if anyone has ever attempted this and, if not, whether I could get some guidance on how to start.
Thanks!
I would suggest creating a dev/test user and trying to import their password successfully. For example, create a user with a password of password and try to import that to Auth0 and log in with those values.
You may also want to search for related info about the algo you are using. For example, here is a thread that could be insightful.
Thank you so much for your reply, this is very useful information.
Yes, I have access to the params listed in your link. I get quite confused when it comes to the custom password hash and the second link you sent helped me a bit, but I am still very confused as I don’t know much about password salt, hash, etc…
Following the example you linked, the correct parameter is:
focusing on the part “value”: “$pbkdf2-sha1$i=1000,l=32${salt}${hash}”,
My first doubt is “-sha1”.
i=1000: I think it refers to the number of rounds, and in my case it should be 10000.
l=32: totally lost here, no idea what the value should be.
${salt}${hash} same… if my password is (random example) {PKCS5S2}123abc the salt is “{PKCS5S2}” and the hash is “123abc”? If yes it should be ${PKCS5S2}${123abc} ?
Any help is appreciated as I am really new at this.
Thanks!
If you want to do this for a single test user, you can try the command line or an online GUI tool (never put sensitive data like a real user’s hash into these online tools, only use test values).
I like base64.guru for converting. Here is the tool I used:
To convert to lowercase/remove spaces I used the command line.
So basically, I can test it with that online tool, and then, for the real users’ hashes, I need to use the command line (and find all the correct commands). I am on macOS; do I need to install any specific (Java) libraries?
Yep, that’s right. I would create a test user in Crowd and make sure you are able to successfully export/import their hash AND log in with the same password in Auth0. I would use the online tools if that’s easier for you.
Then, when you are ready to export, create a script that formats all of your users' hashes correctly and, ideally, puts them into the JSON file ready for import to Auth0 – you can do this in a bash script, python, really whatever you are most comfortable with.
I would make sure your test user is working perfectly before doing any scripting, just so you are sure the hash format is correct.
Important note: A successful import does not necessarily mean a hash is going to match correctly, make sure to actually log in and test the hash is working as expected on your test user before attempting to import all of your users.
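Added example, not code from any poster in this thread: a Python sketch of the conversion script described above, which also checks offline that the converted hash verifies against the test user's known password before anything is imported. It assumes the base64 after `{PKCS5S2}` decodes to a 16-byte salt followed by the derived key, that the PRF is HMAC-SHA1, and that the JSON field names match Auth0's bulk import schema; the sample credential is constructed.

```python
import base64
import hashlib
import hmac
import json

PREFIX = "{PKCS5S2}"
ITERATIONS = 10000  # round count quoted in the thread from Atlassian
SALT_LEN = 16       # ASSUMPTION: decoded blob = 16-byte salt + derived key

def b64_nopad(raw: bytes) -> str:
    # PHC strings carry standard base64 with the '=' padding removed
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def crowd_to_phc(credential: str) -> str:
    """Turn '{PKCS5S2}<base64>' into '$pbkdf2-sha1$i=..,l=..$salt$hash'."""
    if not credential.startswith(PREFIX):
        raise ValueError("not a PKCS5S2 credential")
    blob = base64.b64decode(credential[len(PREFIX):], validate=True)
    if len(blob) <= SALT_LEN:
        raise ValueError("decoded credential too short")
    salt, key = blob[:SALT_LEN], blob[SALT_LEN:]
    return f"$pbkdf2-sha1$i={ITERATIONS},l={len(key)}${b64_nopad(salt)}${b64_nopad(key)}"

def phc_matches(phc: str, password: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA1 from the PHC fields and compare."""
    _, _algo, params, salt_b64, key_b64 = phc.split("$")
    p = dict(kv.split("=") for kv in params.split(","))
    pad = lambda s: s + "=" * (-len(s) % 4)  # restore stripped padding
    salt, key = base64.b64decode(pad(salt_b64)), base64.b64decode(pad(key_b64))
    derived = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, int(p["i"]), int(p["l"]))
    return hmac.compare_digest(derived, key)

def auth0_record(email: str, credential: str) -> dict:
    # ASSUMPTION: field names as in Auth0's bulk import schema
    return {"email": email, "custom_password_hash": {
        "algorithm": "pbkdf2",
        "hash": {"value": crowd_to_phc(credential), "encoding": "utf8"}}}

# Constructed test user (password "password", fixed salt), not real data
_salt = bytes(range(16))
SAMPLE = PREFIX + base64.b64encode(
    _salt + hashlib.pbkdf2_hmac("sha1", b"password", _salt, ITERATIONS, 32)).decode()

if __name__ == "__main__":
    assert phc_matches(crowd_to_phc(SAMPLE), "password")
    print(json.dumps([auth0_record("test.user@example.com", SAMPLE)], indent=2))
```

If `phc_matches` returns False for a real Crowd test user whose password you know, one of the assumptions (salt length, SHA-1, iteration count) is wrong for that export, and the import would succeed while logins fail.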