I am trying to bulk import users to Auth0. We don’t use their standard hashing algorithm, so I’ve had to convert our hashes to fit their “custom_password_hash” requirements. However, when I try to log in as one of those users, Auth0 gives an incorrect password error.
Here is how we were generating salts and hashes pre Auth0:
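```javascript
const crypto = require('crypto');
// Random 32-byte salt, stored as a 64-character hex string
var salt = crypto.randomBytes(32).toString('hex');
// PBKDF2-HMAC-SHA512, 10000 iterations, 64-byte key; `password` is the user's plaintext password
var hash = crypto
  .pbkdf2Sync(password, salt, 10000, 64, 'sha512')
  .toString('hex');
```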
Here is how I am creating the custom_password_hash object Auth0 requests for each user to be imported:
I am able to successfully import users via the Auth0 import/export extension. The users appear in the user management section (though without any password appearing in “raw json”, but maybe this is normal).
But when I go to log in, I get an error “Wrong email or password”. This is unexpected. I should just be able to log in.
Ran into this issue today and what the API needs is base64url encoded salt and hash, not hex encoded as shown in the “pre Auth0” example above. In our db we had hex encoded hashes and base64url encoded salts, so the hashes needed to be re-encoded as base64url before sending to Auth0.
Example js code to generate a password that Auth0 will process correctly:
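The following is an added example, not code from either poster or from Auth0. It re-encodes the question's hex salt and hash as base64url and checks that the re-encoded pair still verifies; because the "pre Auth0" snippet passes the hex string itself to PBKDF2, the salt bytes are the UTF-8 bytes of that string, not the decoded hex. The function names, the sample values and the PHC-style `hash.value` layout are assumptions to confirm against Auth0's bulk import documentation.

```javascript
const crypto = require('crypto');

// Parameters from the "pre Auth0" snippet in the question.
const ITERATIONS = 10000, KEYLEN = 64, DIGEST = 'sha512';

// Legacy scheme from the question: the hex salt is passed to PBKDF2 as a
// string, so the salt bytes are the UTF-8 bytes of that hex text.
function legacyHash(password, saltHex) {
  return crypto.pbkdf2Sync(password, saltHex, ITERATIONS, KEYLEN, DIGEST).toString('hex');
}

// Re-encode a stored (saltHex, hashHex) pair as unpadded base64url.
function reencode(saltHex, hashHex) {
  return {
    salt: Buffer.from(saltHex, 'utf8').toString('base64url'), // not 'hex'
    hash: Buffer.from(hashHex, 'hex').toString('base64url'),
  };
}

// Assumed PHC-style layout for custom_password_hash (hypothetical helper);
// check the exact format against Auth0's documentation before importing.
function toCustomPasswordHash(saltHex, hashHex) {
  const { salt, hash } = reencode(saltHex, hashHex);
  const value = `$pbkdf2-${DIGEST}$i=${ITERATIONS},l=${KEYLEN}$${salt}$${hash}`;
  return { algorithm: 'pbkdf2', hash: { value, encoding: 'utf8' } };
}

// What a verifier that only sees the re-encoded values would compute.
function verify(password, salt, hash) {
  const saltBytes = Buffer.from(salt, 'base64url');
  const expected = Buffer.from(hash, 'base64url');
  const actual = crypto.pbkdf2Sync(password, saltBytes, ITERATIONS, KEYLEN, DIGEST);
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Constructed sample values, not real credentials.
const samplePassword = 'correct horse battery staple';
const sampleSaltHex = '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff';
const sampleHashHex = legacyHash(samplePassword, sampleSaltHex);
```

Running `verify` locally on a few known accounts before the import catches an encoding mismatch earlier than a failed login does.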