Migrate users from Keycloak to Auth0 "custom_password_hash" problems

I’ve been following through a discussion posted back in July '21 about migrating users from Keycloak to Auth0

User @thameera posted the solution and, following it, I’ve been able to export the users from Keycloak and import them using the Management API.

But! I cannot log in with any of the credentials.

It seems to me that I have created a valid JSON structure, but I have not set the values correctly.

Here’s an example of a user I get from Keycloak:

{
    "id" : "ac492a5c-df80-4012-b3c3-b2cd1dbc037c",
    "createdTimestamp" : 1675074404666,
    "username" : "the-user-1",
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
    "firstName" : "User",
    "lastName" : "One",
    "email" : "the-user-1@sequencemedia.net",
    "credentials" : [ {
      "id" : "d6d16776-c2a3-458f-97b8-719cd07a2f97",
      "type" : "password",
      "userLabel" : "My password",
      "createdDate" : 1675260278399,
      "secretData" : "{\"value\":\"zC9qCa/0XjQOt/fy/XFZ69rvnw6w6hueI294PnqmPeKOeMH3Qr8S5RWhg1v+b60DhkcSlw1FKZWpgNjsQflxYA==\",\"salt\":\"9xdUcOPkoYYS/kr2URMArw==\",\"additionalParameters\":{}}",
      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
    } ],
    "disableableCredentialTypes" : [ ],
    "requiredActions" : [ ],
    "realmRoles" : [ "default-roles-master" ],
    "notBefore" : 0,
    "groups" : [ ]
}

And here is the user transformed for Auth0:

{
    "email": "the-user-1@sequencemedia.net",
    "email_verified": false,
    "name": "User One",
    "custom_password_hash": {
      "algorithm": "pbkdf2",
      "hash": {
        "value": "$pbkdf2-sha256$i=27500,l=32$9xdUcOPkoYYS/kr2URMArw$zC9qCa/0XjQOt/fy/XFZ69rvnw6w6hueI294PnqmPeKOeMH3Qr8S5RWhg1v+b60DhkcSlw1FKZWpgNjsQflxYA"
      }
    }
}

I used the pattern provided by @thameera to produce the value:

$pbkdf2-${digest}$i=${iterations},l=${keylen}$${b64Salt}$${hash}

I noticed that the salt value is named “b64Salt” but the hash only “hash”. I’ve assumed that they are both expected to be in base64 format – is this where I have borked?

This is a test-only local instance user so I’m happy to supply the actual credentials:

  • Username the-user-1@sequencemedia.net
  • Password $b!6A6t7M7URi.

I don’t quite remember, as it has been a few years, but I do remember struggling with the answer.

However, I think the problem lies in the l parameter. According to the PHC string format, l is the size of the decoded base64 hash.

So basically I changed it to l=64, placed the base64 value of the salt, and it worked.

Hope this helped.
Again, I don’t remember the details very well; I think that is generally what happened.


That’s it! THANK YOU @faraujo

A corrected transformed user (for future readers) is:

{
    "email": "the-user-1@sequencemedia.net",
    "email_verified": false,
    "name": "User One",
    "custom_password_hash": {
      "algorithm": "pbkdf2",
      "hash": {
        "value": "$pbkdf2-sha256$i=27500,l=64$9xdUcOPkoYYS/kr2URMArw$zC9qCa/0XjQOt/fy/XFZ69rvnw6w6hueI294PnqmPeKOeMH3Qr8S5RWhg1v+b60DhkcSlw1FKZWpgNjsQflxYA"
      }
    }
}
  • l is the size of the decoded base 64 hash (so, 64)
  • The salt is a base64 string without the trailing == (so 9xdUcOPkoYYS/kr2URMArw== becomes 9xdUcOPkoYYS/kr2URMArw)
  • The hash is a base64 string without the trailing == (so zC9qCa/0XjQOt/fy/XFZ69rvnw6w6hueI294PnqmPeKOeMH3Qr8S5RWhg1v+b60DhkcSlw1FKZWpgNjsQflxYA== becomes zC9qCa/0XjQOt/fy/XFZ69rvnw6w6hueI294PnqmPeKOeMH3Qr8S5RWhg1v+b60DhkcSlw1FKZWpgNjsQflxYA)

And that’s that!

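The conversion and the l=64 fix described above, as an added Python example (not code from this thread, from Auth0 or from Keycloak): it builds the PHC string from a Keycloak credential entry, computing l from the decoded hash and stripping the base64 padding, and checks the result locally with hashlib. The local verifier is an assumption about how the string is interpreted, meant only as a sanity check before importing; make_keycloak_credential produces constructed test data in Keycloak's export shape.

```python
import base64
import hashlib
import hmac
import json
import os

def b64_unpadded(data: bytes) -> str:
    # PHC strings use base64 without '=' padding; Keycloak exports padded base64
    return base64.b64encode(data).decode().rstrip("=")

def keycloak_to_phc(credential: dict) -> str:
    """Auth0 custom_password_hash value from one Keycloak password credential.
    l is the byte length of the DECODED hash (64 for Keycloak pbkdf2-sha256), not
    half of the base64 text, which is why l=32 failed in the original attempt."""
    secret = json.loads(credential["secretData"])
    params = json.loads(credential["credentialData"])
    algorithm = params["algorithm"]              # e.g. "pbkdf2-sha256"
    if not algorithm.startswith("pbkdf2-"):
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = algorithm.split("-", 1)[1]          # "sha256"
    salt = base64.b64decode(secret["salt"])
    derived = base64.b64decode(secret["value"])
    return (f"$pbkdf2-{digest}$i={params['hashIterations']},l={len(derived)}"
            f"${b64_unpadded(salt)}${b64_unpadded(derived)}")

def verify_phc(phc: str, password: str) -> bool:
    """Local check of a PHC string (assumption: same semantics the importer applies)."""
    _, ident, params, salt_b64, hash_b64 = phc.split("$")
    digest = ident.split("-", 1)[1]
    opts = dict(kv.split("=") for kv in params.split(","))
    pad = lambda s: s + "=" * (-len(s) % 4)      # restore base64 padding
    salt = base64.b64decode(pad(salt_b64))
    expected = base64.b64decode(pad(hash_b64))
    if len(expected) != int(opts["l"]):
        return False                             # declared l disagrees with the hash
    actual = hashlib.pbkdf2_hmac(digest, password.encode(), salt,
                                 int(opts["i"]), dklen=len(expected))
    return hmac.compare_digest(actual, expected)

def make_keycloak_credential(password: str, iterations: int = 27500) -> dict:
    """Constructed test data in Keycloak's export shape (pbkdf2-sha256, 64-byte key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return {
        "type": "password",
        "secretData": json.dumps({"value": base64.b64encode(key).decode(),
                                  "salt": base64.b64encode(salt).decode()}),
        "credentialData": json.dumps({"hashIterations": iterations,
                                      "algorithm": "pbkdf2-sha256"}),
    }
```

verify_phc can also be run on the thread's own exported credential and test password to confirm the generated string before calling the Management API.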
