Unsupported password hash algorithm during bulk user import job

Help
1

Hi,

Is it possible to force the user to change his password after first login? I’m using a bulk user import job and each user has a custom hashed password section filled. However, I need the user to change the pass after login. I import ~500 users, so I don’t want to create a 500 ‘password change’ requests, especially because there is no way to do that for several users in a row. Please, correct me if I’m wrong.
After searching I found this article: Bulk User Imports and this particular pre-request::

  • If you are importing passwords, make sure the passwords are hashed using one of the supported algorithms. Users with passwords hashed by unsupported algorithms will need to reset their password when they log in for the first time after the bulk import.*
    I tried to use an unsupported hash algorithm, but in that case users weren’t imported at all. Is this way still relevant? If so, how should I modify my user object so Auth0 understands unsupported algorithm, imports a user and forces him to change the pass?
2

Sorry, formatting issue. It should be:
…and this particular pre-request:: If you are importing passwords, make sure the passwords are hashed using one of the supported algorithms. Users with passwords hashed by unsupported algorithms will need to reset their password when they log in for the first time after the bulk import.

I tried to use an unsupported hash algorithm, but in that case users weren’t imported at all. Is this way still relevant? If so, how should I modify my user object so Auth0 understands unsupported algorithm, imports a user and forces him to change the pass?

3

I have exactly the same question. @djrazor308 Did you find a solution?

4

Or @dan.woda , do you have any idea on this?

1 Like
5

Yes, this is possible. The Classic Universal Login experience will throw an error if you pass a bad hash. There is an example of it in this thread:

6

Thank you for the very quick response, will test it!

1 Like
7

@dan.woda I tried to willingly create an invalid hash for the examples listed here Bulk User Import Database Schema and Examples. For some algorithms, like bcrypt, an incorrect hash will not even import the new user; and for some others, like md4, I couldn’t create an incorrect hash.

Do you happen to know which incorrect hash (if possible please with an example, including which algorithm and which hash value), will:

  1. Import the user
  2. When that users tries to login, will see a screenshot like in Error after importing user with custom password hash

Thank you so much for your help!

1 Like
9

Here’s and example of what I used:

[
  {
    "user_id": "2000",
    "email": "examplecouser20@example.com",
    "given_name": "ExampleCo User",
    "name": "ExampleCoUser20",
    "custom_password_hash": {
      "algorithm": "bcrypt",
      "hash": {
        "value": "$2a$10$aHF7mbpWTzzz7PJVtwtjNelaKbszikcYBCB2jibvbFcGFmOsu/s4K"
      }
    }
  }
]
10

Thanks…unfortunately for me that results in a message ‘Wrong password’ when I try to login for that user and does not result in this ‘Password needs to be updated because of first time login’ message. Are you sure it is an incorrect hash?

11

Are you using Classic UL?

12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.