Hi,
I’m new to Okta, and will have to migrate users from an existing Django application. After reading this guide, I expect that the method which will least frustrate and confuse users is to bulk migrate them with Okta’s Users API.
In our database, passwords are stored using the BCryptSHA256PasswordHasher, a common and recommended hasher (seen here). As the name implies, this stores passwords by bcrypt hashing sha-256 encoded passwords.
For the sake of example, I’ve set a user’s password on my local db instance to ‘example_pass’ which was stored in the db as ‘bcrypt_sha256$$2b$12$6X7LjTN/vlrJ7XdmUbIva.U5.l0dS9fvPTQamsNCa8WmcL34fY.ZK’. From this, it is possible to extract the work factor (12) the salt (6X7LjTN/vlrJ7XdmUbIva.) and the hash (U5.l0dS9fvPTQamsNCa8WmcL34fY.ZK).
Using the User API described here, I was able to create a test account using these values. However, as I feared I was unable to log in with ‘example_pass’ and was instead able to log in with ‘0d8a95a2eaf80ba3ccc397bc40c49019ba1e6ae32a84b48ea6f549367e7a988b’ calculated as such:
You can see django calculating encrypted secrets in an almost identical fashion here
This brings be to my question: Is it possible to migrate passwords as sha-256 encrypted bcrypt instead of simply raw bcrypt? I don’t think all of our user’s will be as willing as me to manually encrypt their own passwords before sending them (joke). If this were possible and I am simply missing some api argument or whatnot this would save a me great deal of time and effort
Best wishes,
Nick