Migrate Keycloak user to Auth0 problems

faraujo · July 2, 2021, 7:52am

Hello,

We are currently in the process of moving from Keycloak to Auth0 and we are having issues trying to migrate users using the User Import / Export Extension, as we want users to retain their old passwords. We want the migration process to be as seamless as possible.

Our Keycloak hashed passwords are encrypted using pbkdf2-sha256 with 27500 hash iterations.
According to the User JSON schema there is no field were we can configure the number of hash iterations under the “custom_password_hash”.

For reference, the Keycloak user has this set as credentials (real values obfuscated):

"secretData" : "{\"value\":\"hashedPassword==\",\"salt\":\"someSalt==\"}",
"credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"

If I try to adapt that in to a JSON file to use to import, I get an error saying “Additional properties not allowed: salt”. I feel that since there is no field to insert the number of hash iterations, I might not be able to use that extension, but I might be missing something or someone might have some other alternative.
The JSON file I used to import the users looked something like this:

[
	{
		"email": "example@test.com",
		"email_verified": true,
		"name": "Imported User",
		"custom_password_hash": {
			"algorithm": "pbkdf2",
			"hash": {
				"value": "hashedPassword==",
				"encoding": "utf8",
				"digest": "sha256"
			},
			"salt": {
				"value": "someSalt==",
				"position": "suffix"
			}
		}
	}
]

Thank you,
Francisco Araújo.

thameera · July 7, 2021, 8:14am

Hi @faraujo , the number of iterations is embedded in PBKDF2 hashes, and does not need to be specified separately. Auth0 requires that you import the hashes in PHC format: Bulk User Import Database Schema and Examples

A PHC PBKDF2 hash has the following format:

$pbkdf2-${digest}$i=${iterations},l=${keylen}$${b64Salt}$${hash}

The JSON file would look like this:

[
  {
    "email": "example@test.com",
    "email_verified": true,
    "name": "Imported User",
    "custom_password_hash": {
      "algorithm": "pbkdf2",
      "hash": {
        "value": "$pbkdf2-sha256$i=27500,l=32$a2V5Ym9hcmRjYXQ$BlVeTAF9FMHUF3sn39M6vywv1aZcAqW/FrVW+XTtFWM"
      }
    }
  }
]

If you can share the hash and salt of a known example password (eg: password123), we can help you generate the PHC string.

konrad.sopala · July 7, 2021, 11:49am

Thanks for helping on this one Thameera!

system · July 22, 2021, 11:49am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Migrate KeyCloak to Auth0 error with Password Change Required message Help auth0 , migration	0	2262	May 16, 2022
Migrate users from Keycloak to Auth0 "custom_password_hash" problems Help user-management , user-import-export	3	2555	February 1, 2023
Import user with custom password hash using pbkdf2 algorithm Help user-management , user-import-export	2	1175	July 17, 2023
"Wrong email or password" after bulk user import Help password-hash , bulk-user-import	7	1767	November 21, 2023
Bulk Import of User Data from dotnet 4.7.1 membership to Auth0 Help	4	3006	October 2, 2020

Migrate Keycloak user to Auth0 problems

Related topics