Migrate Keycloak user to Auth0 problems

Hello,

We are currently in the process of moving from Keycloak to Auth0 and we are having issues trying to migrate users using the User Import / Export Extension, as we want users to retain their old passwords. We want the migration process to be as seamless as possible.

Our Keycloak hashed passwords are encrypted using pbkdf2-sha256 with 27500 hash iterations.
According to the User JSON schema there is no field where we can configure the number of hash iterations under the “custom_password_hash”.

For reference, the Keycloak user has this set as credentials (real values obfuscated):

"secretData" : "{\"value\":\"hashedPassword==\",\"salt\":\"someSalt==\"}",
"credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"

If I try to adapt that into a JSON file to use to import, I get an error saying “Additional properties not allowed: salt”. I feel that since there is no field to insert the number of hash iterations, I might not be able to use that extension, but I might be missing something or someone might have some other alternative.
The JSON file I used to import the users looked something like this:

[
	{
		"email": "example@test.com",
		"email_verified": true,
		"name": "Imported User",
		"custom_password_hash": {
			"algorithm": "pbkdf2",
			"hash": {
				"value": "hashedPassword==",
				"encoding": "utf8",
				"digest": "sha256"
			},
			"salt": {
				"value": "someSalt==",
				"position": "suffix"
			}
		}
	}
]

Thank you,
Francisco Araújo.

1 Like

Hi @faraujo, the number of iterations is embedded in PBKDF2 hashes, and does not need to be specified separately. Auth0 requires that you import the hashes in PHC format: Bulk User Import Database Schema and Examples

A PHC PBKDF2 hash has the following format:

$pbkdf2-${digest}$i=${iterations},l=${keylen}$${b64Salt}$${hash}

The JSON file would look like this:

[
  {
    "email": "example@test.com",
    "email_verified": true,
    "name": "Imported User",
    "custom_password_hash": {
      "algorithm": "pbkdf2",
      "hash": {
        "value": "$pbkdf2-sha256$i=27500,l=32$a2V5Ym9hcmRjYXQ$BlVeTAF9FMHUF3sn39M6vywv1aZcAqW/FrVW+XTtFWM"
      }
    }
  }
]

If you can share the hash and salt of a known example password (e.g. password123), we can help you generate the PHC string.

2 Likes
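
The conversion discussed in the reply above, as an added example that is not part of the original posts: it turns Keycloak's `secretData` / `credentialData` strings into the PHC string format quoted there and re-derives the hash to check the result before import. The function names and the sample credential are constructed for illustration; the key length `l` is read from the decoded hash rather than assumed.

```python
import base64
import hashlib
import hmac
import json


def phc_b64(raw: bytes) -> str:
    # PHC strings use standard-alphabet base64 with the "=" padding removed.
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def keycloak_to_phc(secret_data: str, credential_data: str) -> str:
    """Build a PHC string from Keycloak's secretData / credentialData JSON strings."""
    secret = json.loads(secret_data)
    cred = json.loads(credential_data)
    algorithm = cred["algorithm"]
    if not algorithm.startswith("pbkdf2-"):
        raise ValueError(f"not a PBKDF2 credential: {algorithm}")
    digest = algorithm.split("-", 1)[1]
    salt = base64.b64decode(secret["salt"])
    derived = base64.b64decode(secret["value"])
    # l is the derived-key length in bytes, taken from the stored hash itself.
    return (f"$pbkdf2-{digest}$i={cred['hashIterations']},l={len(derived)}"
            f"${phc_b64(salt)}${phc_b64(derived)}")


def verify_phc(phc: str, password: str) -> bool:
    """Recompute PBKDF2 from the PHC fields, to check a string before importing it."""
    _, ident, params, b64_salt, b64_hash = phc.split("$")
    digest = ident.split("-", 1)[1]
    p = dict(kv.split("=") for kv in params.split(","))
    pad = lambda s: s + "=" * (-len(s) % 4)  # restore padding for decoding
    salt = base64.b64decode(pad(b64_salt))
    expected = base64.b64decode(pad(b64_hash))
    got = hashlib.pbkdf2_hmac(digest, password.encode(), salt, int(p["i"]), int(p["l"]))
    return hmac.compare_digest(got, expected)


# Constructed test credential (not a real user): password "password123".
_salt = b"constructed-salt"
_dk = hashlib.pbkdf2_hmac("sha256", b"password123", _salt, 27500, 32)
SECRET_DATA = json.dumps({"value": base64.b64encode(_dk).decode(),
                          "salt": base64.b64encode(_salt).decode()})
CREDENTIAL_DATA = json.dumps({"hashIterations": 27500, "algorithm": "pbkdf2-sha256"})

if __name__ == "__main__":
    phc = keycloak_to_phc(SECRET_DATA, CREDENTIAL_DATA)
    print(phc, verify_phc(phc, "password123"))
```

Running `verify_phc` against one account whose password is known, before a bulk import, catches encoding or key-length mistakes that would otherwise only show up as failed logins after migration.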

Thanks for helping on this one Thameera!
