User import from SAP Commerce (pbkdf2-sha1), login fails

I am exporting users from SAP Commerce which have PBKDF2-encoded passwords (SHA-1) with 1000 iterations and 512 length. Import is fine and works, but for some reason I cannot log in with my imported user. I followed this instruction Bulk User Import Database Schema and Examples and used User Import / Export Extension.

What could be wrong? Has someone else tried SAP Commerce / Hybris user import? SAP Commerce encodes passwords with PBKDF2WithHmacSHA1, I think.

Here is an import example that I tried:

    [
        {
            "user_id": "myexample@example.com",
            "name": "Example",
            "given_name": "Example",
            "custom_password_hash": {
                "algorithm": "pbkdf2",
                "hash": {
                    "value": "$pbkdf2-sha1$i=1000,l=512$33a4b650b42fd660a192706dbe91c505$0d9cd09395a9470ced62c1e9395fb31b50e229ba3b93d911737b672891795f5479a3eff0e1926979efb50eb6a48bc69f7853e2ca965adc76dc68b4635bd5689f"
                }
            },
            "email": "myexample@example.com",
            "email_verified": true
        }
    ]

Hey @teemu.alander, one issue here is that the salt and hash values seem to be hex-encoded, whereas Auth0 requires them to be in base64 encoding (which is the standard): Bulk User Import Database Schema and Examples
You can use a script to convert the two values to base64, embed them in the PHC string, and try importing again.

If that doesn’t work, we can take a look if you can post a password hash for a known plain-text value (e.g. hello). Don’t paste the hash of an actual password.

I managed to convert hex to base64. And now it looks like:

    [
        {
            "user_id": "myexample@example.com",
            "name": "Example",
            "given_name": "Example",
            "custom_password_hash": {
                "algorithm": "pbkdf2",
                "hash": {
                    "value": "$pbkdf2-sha1$i=1000,l=512$idlJ8SjQJr4hg9FDpKeyKA==$6ZZ+oZ26X5GNPq6xQ6wnchMzXpLFAmBQ32m56p105lZV7syujaAK2RmFQur6jsmEo8KkvOIJGbWQ7CeWmSIBoA=="
                }
            },
            "email": "myexample@example.com"
        }
    ]

But the problem in import is:

    "errors": [
        {
            "code": "ONE_OF_MISSING",
            "message": "",
            "path": "custom_password_hash"
        }
    ]

So I guess the “=” is not according to PHC? But how do I change the new base64-encoded string “6ZZ+oZ26X5GNPq6xQ6wnchMzXpLFAmBQ32m56p105lZV7syujaAK2RmFQur6jsmEo8KkvOIJGbWQ7CeWmSIBoA==” to the correct one without “==”? Can I just remove the “==”? I guess not?

Got this working. What I needed to do was:

  • Ensure salt + password hash were base64-encoded without padding (in Java: `Base64.getEncoder().withoutPadding().encodeToString(decodedHexSalt)`)
  • Ensure that my keylen was in BYTES (instead of bits)

Perfect! Glad you have figured it out and thanks for sharing with the rest of community!