User import from SAP Commerce (pbkdf2-sha1), login fails

I am exporting users from SAP commerce which have pbkdf2 encoded passwords (sha1) with 1000 iterations and 512 length. Import is fine and works but for some reason I cannot login with my imported user. I followed this instruction Bulk User Import Database Schema and Examples and used User Import / Export Extension.

What could be wrong? Has someone else tried SAP Commerce / Hybris user import? The SAP commerce encodes passwords with PBKDF2WithHmacSHA1 I think.

Here is an import example that I tried:

    [
        {
            "user_id": "myexample@example.com",
            "name": "Example",
            "given_name": "Example",
            "custom_password_hash": {
                "algorithm": "pbkdf2",
                "hash": {
                    "value": "$pbkdf2-sha1$i=1000,l=512$33a4b650b42fd660a192706dbe91c505$0d9cd09395a9470ced62c1e9395fb31b50e229ba3b93d911737b672891795f5479a3eff0e1926979efb50eb6a48bc69f7853e2ca965adc76dc68b4635bd5689f"
                }
            },
            "email": "myexample@example.com",
            "email_verified": true
        }
    ]

Hey @teemu.alander , one issue here is that the salt and hash values seem to be hex-encoded, whereas Auth0 requires them to be in base64 encoding (which is the standard): Bulk User Import Database Schema and Examples
You can use a script to convert the two values to base64, embed them in the PHC string, and try importing again.

If that doesn’t work, we can take a look if you can post a password hash for a known plain text value (eg: hello). Don’t paste the hash of an actual password.

I managed to convert hex to base64. And now it looks like:

    [
        {
            "user_id": "myexample@example.com",
            "name": "Example",
            "given_name": "Example",
            "custom_password_hash": {
                "algorithm": "pbkdf2",
                "hash": {
                    "value": "$pbkdf2-sha1$i=1000,l=512$idlJ8SjQJr4hg9FDpKeyKA==$6ZZ+oZ26X5GNPq6xQ6wnchMzXpLFAmBQ32m56p105lZV7syujaAK2RmFQur6jsmEo8KkvOIJGbWQ7CeWmSIBoA=="
                }
            },
            "email": "myexample@example.com"
        }
    ]

But the problem in import is:

    "errors": [
        {
            "code": "ONE_OF_MISSING",
            "message": "",
            "path": "custom_password_hash"
        }
    ]

So I guess the “=” is not according to PHC? But how do I change the new Base64 encoded string “6ZZ+oZ26X5GNPq6xQ6wnchMzXpLFAmBQ32m56p105lZV7syujaAK2RmFQur6jsmEo8KkvOIJGbWQ7CeWmSIBoA==” to correct one without “==”? Can I just remove the “==”? I guess not?

Got this working. What I needed to do was:

  • Ensure salt + password hash were base64 encoded without padding (in Java: Base64.getEncoder().withoutPadding().encodeToString(decodedHexSalt))
  • Ensure that my keylen was in BYTES (instead of bits)
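The two fixes from the post above (unpadded base64 for salt and hash, l= in bytes), as an added example that is not from the thread or from Auth0. It converts a hex-encoded PHC string with l= in bits into the Auth0 form and recomputes PBKDF2 against a known plaintext to confirm the converted string still verifies; the salt is constructed here and the digest is computed in the script, so no hash from the thread is reused.

```python
import base64
import hashlib
import hmac
import re

PHC_RE = re.compile(r"^\$pbkdf2-(sha1|sha256|sha512)\$i=(\d+),l=(\d+)\$([^$]+)\$([^$]+)$")

def b64_nopad(raw: bytes) -> str:
    """Standard base64 with the trailing '=' padding stripped, as Auth0 expects."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def b64_decode_nopad(s: str) -> bytes:
    """Decode base64 whose padding may have been stripped."""
    return base64.b64decode(s + "=" * (-len(s) % 4))

def sap_to_auth0(phc: str) -> str:
    """Rewrite a hex-encoded PHC string whose l= is in bits into the Auth0
    form: unpadded base64 salt and hash, l= in bytes. Non-hex input raises."""
    m = PHC_RE.match(phc)
    if not m:
        raise ValueError("not a pbkdf2 PHC string")
    digest, iters, length_bits, salt_hex, hash_hex = m.groups()
    salt = bytes.fromhex(salt_hex)
    dk = bytes.fromhex(hash_hex)
    if int(length_bits) != len(dk) * 8:
        raise ValueError("l= does not match the hash length in bits")
    return f"$pbkdf2-{digest}$i={iters},l={len(dk)}${b64_nopad(salt)}${b64_nopad(dk)}"

def verify_auth0(phc: str, password: str) -> bool:
    """Recompute PBKDF2 from an Auth0-style PHC string and compare in constant time."""
    m = PHC_RE.match(phc)
    if not m:
        return False
    digest, iters, length, salt_b64, hash_b64 = m.groups()
    salt = b64_decode_nopad(salt_b64)
    expected = b64_decode_nopad(hash_b64)
    if len(expected) != int(length):
        return False  # l= in bits, or salt/hash not really base64, lands here
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, int(iters), int(length))
    return hmac.compare_digest(actual, expected)

# Constructed sample: a made-up 16-byte salt and the digest of "hello" with the
# parameters from the thread (1000 iterations, 512-bit = 64-byte key), hex-encoded.
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_DK = hashlib.pbkdf2_hmac("sha1", b"hello", SAMPLE_SALT, 1000, 64)
SAP_STYLE = f"$pbkdf2-sha1$i=1000,l=512${SAMPLE_SALT.hex()}${SAMPLE_DK.hex()}"

if __name__ == "__main__":
    converted = sap_to_auth0(SAP_STYLE)
    print(converted, verify_auth0(converted, "hello"))
```

Running the unconverted hex string through `verify_auth0` returns False, which is the same mismatch the import surfaced as a login failure.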

Perfect! Glad you have figured it out and thanks for sharing with the rest of community!
