We want to migrate users together with their encrypted passwords, so that they can continue using their old passwords. We currently store each password as a salted one-way hash.
I see an example in the Users | Okta Developer documentation, but when I try the following example, I get the following error:
POST
{
"profile": {
"firstName": "Test",
"lastName": "Test",
"email": "test@example.com",
"login": "test@example.com",
"mobilePhone": "555-415-1337"
},
"credentials": {
"password" : {
"hash": {
"algorithm": "BCRYPT",
"workFactor": 10,
"salt": "XXXXXXXX",
"value": "XXXXXXXX.XXX.XXXX/XXXX/XXXXX"
}
}
}
}
error:
{
"errorCode": "E0000001",
"errorSummary": "Api validation failed: salt",
"errorLink": "E0000001",
"errorId": "oaeGaT9edJVSiawdLlAVrhdBg",
"errorCauses": [
{
"errorSummary": "salt: The field is too long"
}
]
}
The request you are making should work (I’ve tested it with bcrypt in the past). Would you be willing to share (via private message) an example of test credentials that do not work?
Just curious, how are you getting the bcrypt-ed passwords out of AD?
Hi,
Just to clarify further: we saved the passwords in our own database and would like to migrate to Okta without users having to change their passwords.
Do you have any real example of how you test the bcrypt password?
Thanks,
Moumita
Hi,
I am getting the following error while creating a user with a salted password.
POST
{
"profile": {
"firstName": "Test",
"lastName": "Test",
"email": "test@example.com",
"login": "test@example.com",
"mobilePhone": "555-415-1337"
},
"credentials": {
"password" : {
"hash": {
"algorithm": "BCRYPT",
"workFactor": 10,
"salt": "XXXXXXXX",
"value": "XXXXXXXX.XXX.XXXX/XXXX/XXXXX"
}
}
}
}
{
"errorCode": "E0000001",
"errorSummary": "Api validation failed: password",
"errorLink": "E0000001",
"errorId": "oaeLLxhMF3DSYmg_3lrlv-bAQ",
"errorCauses": [
{
"errorSummary": "password: Password importation requires the IMPORT_PASSWORD_HASH feature flag"
}
]
}
@mmandal That error means that a feature isn’t turned on (for some reason). Reach out to support@okta.com to get it resolved.
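The API call here expects JUST the salt and the hash: `salt` is the 22-character salt on its own and `value` is the 31-character hash that follows it in the bcrypt string, with the `$2a$10$` prefix left out of both. Here is a working code sample (Node) and POST.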
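const bcrypt = require('bcryptjs');

// Demo values only. When migrating existing users there is no plaintext to
// hash: each stored bcrypt string is split with the same fixed offsets used
// in the callback below.
const password = "bacon";
const salt = "JHkOUAmerSNVHyKqR6xww."; // the 22-character bcrypt salt
console.log("API Salt: " + salt);
const hashAlgo = "$2a$"; // bcrypt
const workFactor = "10"; // salt rounds; the bcrypt string needs two digits (e.g. "08")
const workingSalt = hashAlgo + workFactor + "$" + salt;

// A bcrypt string is "$2a$" + two-digit cost + "$" + 22-char salt + 31-char hash.
const BCRYPT_SALT_LENGTH = 22;
const BCRYPT_HASH_LENGTH = 31;

bcrypt.hash(password, workingSalt, function (err, hash) {
  // Report a hashing failure instead of dereferencing an undefined hash.
  if (err) {
    console.error("bcrypt.hash failed: " + err.message);
    return;
  }

  console.log("salt: " + workingSalt);
  // Printed for the demo; real credential hashes should not be written to logs.
  console.log("full hash: " + hash);

  // '.' and '/' belong to bcrypt's base64 alphabet and can appear anywhere in
  // the salt or the hash, so splitting on '.' only works for this sample by
  // coincidence. Cut by position from the end of the string instead.
  const apiSalt = hash.slice(-(BCRYPT_SALT_LENGTH + BCRYPT_HASH_LENGTH), -BCRYPT_HASH_LENGTH);
  const apiHash = hash.slice(-BCRYPT_HASH_LENGTH);

  console.log("API Salt: " + apiSalt);
  console.log("API hash: " + apiHash);
});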
Create User with Password API Call Payload:
{
"profile": {
"firstName": "Bcrypt",
"lastName": "Test2",
"email": "bcrypttest2@asdf.com",
"login": "bcrypttest2@asdf.com"
},
"credentials": {
"password" : {
"hash": {
"algorithm": "BCRYPT",
"workFactor": 10,
"salt": "JHkOUAmerSNVHyKqR6xww.",
"value": "6RJQf/19XSoNp9tUKGRJQUZyJRP4c7a"
}
}
}
}