Migrating users from Magento2 to Auth0

I am trying to migrate users from my Magento 2 database to Auth0.

I am using the bulk import endpoints (too new for link). The user passwords are hashed using the "Argon 2ID13" algorithm in PHP. I am reasonably confident the built-in PHP function "sodium_crypto_pwhash" is being used. (Doc found by googling sodium_crypto_pwhash, account too new to link.)

I'm reasonably confident the implementation of all this within Magento can be found here (magento2/Encryptor.php at 1c3837ce0183180d40d4c0e0fd0ae7baca38673f · magento/magento2 · GitHub).
Relevant snippet:

	sodium_crypto_pwhash(
		SODIUM_CRYPTO_SIGN_SEEDBYTES,					 // 32?
		$data,
		$salt,
		SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,      	 // Unknown
		SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,           // Unknown
		$this->hashVersionMap[self::HASH_VERSION_ARGON2ID13] // 2 
	)

I’m not a PHP developer and it seems nearly impossible to find the values for constants online. Here is a list of the constants (https://www.php.net/manual/en/sodium.constants.php) with no values, how helpful.

Similar looking constants can be found in the source looking in these files: (libsodium/crypto_pwhash_argon2id.h at master · jedisct1/libsodium · GitHub)

	crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE 2U
	crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE 67108864U // 65,536 KB

Looking elsewhere, according to the PHP RFC: Argon2 Password Hash it looks like the defaults for hashing Argon in PHP are

  • memory_cost = 1024 KiB
  • time_cost = 2
  • threads = 2

I've tried many permutations of these values and have not been able to get the "right" output.

As a test I created a user in a staging env which I have since deleted with these facts:

  • Salt: FGzVvZzPx67rz4um
  • B64 Salt: Rkd6VnZaelB4NjdyejR1bQ
  • Hash:
  • B64 Hash:
  • m: ?
  • t: ?
  • p: ?

ULTIMATE QUESTION:
What should the end result be for my "custom_password_hash.hash.value"? I know it should be something like this:

$argon2id$m=?,t=?,p=?$Rkd6VnZaelB4NjdyejR1bQ$<b64 hash>

Thank you

1 Like

I am trying to figure out the same thing. Any luck here, @zack.bessler?

The following function converts ARGON2ID13 Magento hashes (hash version = 2) to the PHC format understood by Auth0:

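// Convert a Magento "hash:salt:version" value (version 2, Argon2id13) to a PHC string.
function argon2Phc(string $hash): string
{
    // Hex-encoded hash and salt are the first two colon-separated fields; the version field is ignored here.
    [$hash, $salt,] = explode(':', $hash);
    return sprintf(
        '$argon2id$v=19$m=%s,t=%s,p=1$%s$%s',
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE / 1024, // memory cost in KiB
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,        // time cost
        // Only the first SODIUM_CRYPTO_PWHASH_SALTBYTES bytes of the salt are used; base64 without padding.
        rtrim(base64_encode(substr($salt, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES)), '='),
        rtrim(base64_encode(hex2bin($hash)), '='),
    );
}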

The input hash is the hash stored in the database.

I was able to import Magento users (with v1 and v2 Magento password hashes [SHA256 and Argon2id13]) to Auth0 with the following loop:

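while ($row = $pdoStmt->fetch()) {
    // password_hash is stored as "hash:salt:version"
    [$hash, $salt, $algorithmId] = explode(':', $row['password_hash']);
    if ($algorithmId == '1') {
        // Version 1: SHA256 with the salt prepended to the password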
        $passwordHash = [
            'algorithm' => 'sha256',
            'hash' => [
                'value' => $hash,
                'encoding' => 'hex',
            ],
            'salt' => [
                'value' => $salt,
                'encoding' => 'utf8',
                'position' => 'prefix',
            ],
        ];
    } else {
        // Every other version is treated as Argon2id13 and passed as a PHC string
        $passwordHash = [
            'algorithm' => 'argon2',
            'hash' => [
                'value' => argon2Phc($row['password_hash']),
                'encoding' => 'utf8',
            ],
        ];
    }
    $rows[] = [
        'email' => $row['email'],
        'email_verified' => true,
        'custom_password_hash' => $passwordHash,
        'app_metadata' => [
            'external_id' => $row['entity_id'],
        ],
    ];
    if (count($rows) >= $pageSize) {
        importPage();
    }
}

The importPage() function I used is mostly the same as in the official documentation so I will not copy it here.

Please test this code thoroughly on your side before using it as it may miss some cases and was not tested on v3 hashes (ARGON2ID13_AGNOSTIC).

1 Like
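Added example, not part of the answer above and not Magento or Auth0 code: a round-trip check that the converted PHC string really verifies the original password before a bulk import is attempted. The helper names `magentoV2Record`, `toPhc` and `phcVerifies` are hypothetical, the test password is constructed, and the salt is the 16-character one from the question.

```php
<?php
// Added example with hypothetical helper names; the password below is constructed test data.

// Build a "hash:salt:2" record with the sodium_crypto_pwhash() call quoted in the question.
function magentoV2Record(string $password, string $salt): string
{
    $raw = sodium_crypto_pwhash(
        SODIUM_CRYPTO_SIGN_SEEDBYTES,                      // 32-byte output
        $password,
        substr($salt, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES),  // first 16 bytes of the salt
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
    return bin2hex($raw) . ':' . $salt . ':2';
}

// Same mapping as argon2Phc() in the answer, but failing closed on unexpected input.
function toPhc(string $record): string
{
    $parts = explode(':', $record);
    if (count($parts) !== 3 || $parts[2] !== '2') {
        throw new InvalidArgumentException('not a version 2 (Argon2id13) record');
    }
    [$hex, $salt] = $parts;
    if (!ctype_xdigit($hex) || strlen($hex) !== 2 * SODIUM_CRYPTO_SIGN_SEEDBYTES
        || strlen($salt) < SODIUM_CRYPTO_PWHASH_SALTBYTES) {
        throw new InvalidArgumentException('need 32 hex-encoded hash bytes and a salt of 16+ bytes');
    }
    $b64 = static fn (string $bin): string => rtrim(base64_encode($bin), '=');
    return sprintf(
        '$argon2id$v=19$m=%d,t=%d,p=1$%s$%s',
        intdiv(SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE, 1024),
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        $b64(substr($salt, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES)),
        $b64(hex2bin($hex))
    );
}

// libsodium re-derives the hash from the PHC parameters, so m, t, p, salt and hash must all match.
function phcVerifies(string $record, string $password): bool
{
    return sodium_crypto_pwhash_str_verify(toPhc($record), $password);
}

$record = magentoV2Record('constructed-test-password', 'FGzVvZzPx67rz4um'); // salt from the question
echo toPhc($record), PHP_EOL;
$ok = phcVerifies($record, 'constructed-test-password') && !phcVerifies($record, 'some other password');
exit($ok ? 0 : 1);
```

To check real data, pass a `password_hash` value from a staging account whose password you know to `phcVerifies()` instead of the generated record.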

Thanks for sharing it with the rest of the community!