How does the API on User Import with Hashed Password work with SHA-256?

I am testing the user creation API with imported hashed password. It’s on SHA-256 algo.

Here are the steps that I tested:

password -> Testing123!

salt -> MPu13OmY

salt order -> PREFIX

Take the string "MPu13OmYTesting123!" and generate a hash via https://passwordsgenerator.net/sha256-hash-generator/; I got the hash "4DD2ED3C3DAC519EA09D10D492F69082A65C66DB58061A01A9019223FA57AA75".

Now, what value of the hash goes into the API request in the credentials object? I tried the whole 64-char string and it apparently doesn't work.

I would appreciate any insights on this!

"credentials": {
  "password": {
    "hash": {
      "algorithm": "SHA-256",
      "salt": "MPu13OmY",
      "saltOrder": "PREFIX",
      "value": "4DD2ED3C3DAC519EA09D10D492F69082A65C66DB58061A01A9019223FA57AA75"
    }
  }
}

What was the response you got?

I was able to make this post and it worked:

POST /api/v1/users?activate=false
{
  "profile": {
    "firstName": "Isaac",
    "lastName": "Brock",
    "email": "isaac.brock@example.com",
    "login": "isaac.brock@example.com",
    "mobilePhone": "555-415-1337"
  },
  "credentials": {
    "password" : {
      "hash": {
        "algorithm": "SHA-256",
        "salt": "MPu13OmY",
        "saltOrder": "PREFIX",
        "value": "4DD2ED3C3DAC519EA09D10D492F69082A65C66DB58061A01A9019223FA57AA75"
      }
    }
  }
}

The user can be created in Okta, but the user cannot log in with the password "Testing123!".

Ah. I see. The issue is that you want the sha256 base64 hash, not the hex version, which is what the site you’re using provides. Try this one: https://approsto.com/sha-generator/ and use the SHA256 base64 hash value in your request.

Using your salt and password, I get:

TdLtPD2sUZ6gnRDUkvaQgqZcZttYBhoBqQGSI/pXqnU

I verified that I can log in as the user with Testing123!

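The fix above comes down to one encoding detail: the `value` field carries the base64 encoding of the raw salted SHA-256 digest, not its hex rendering. The following script is an added example written for this thread, not code from Okta or from anyone in the discussion. It builds the hash object from the password and salt shown earlier, treating the salt as a literal string prefix exactly as the working value was produced, and shows the hex form side by side so the mismatch is visible. It assumes that `POSTFIX` is the salt order used when the salt follows the password, and it takes an `algorithm` parameter so the same routine covers the SHA-1 variant raised later in the thread (no SHA-1 value is verified here).

```python
import base64
import hashlib
import json

# Values taken from the thread above; the password is a test credential, not a real one.
PASSWORD = "Testing123!"
SALT = "MPu13OmY"


def salted_digest(password: str, salt: str, salt_order: str = "PREFIX",
                  algorithm: str = "SHA-256") -> bytes:
    """Return the raw digest of salt+password (PREFIX) or password+salt (POSTFIX).

    The salt is concatenated as a literal string, which is how the value that
    logged in successfully above was computed. "POSTFIX" is assumed to be the
    name of the other order.
    """
    if salt_order == "PREFIX":
        material = salt + password
    elif salt_order == "POSTFIX":
        material = password + salt
    else:
        raise ValueError(f"unsupported saltOrder: {salt_order}")
    # "SHA-256" -> "sha256", "SHA-1" -> "sha1": the names hashlib understands.
    digest_name = algorithm.replace("-", "").lower()
    return hashlib.new(digest_name, material.encode("utf-8")).digest()


def hash_value_hex(password: str, salt: str, salt_order: str = "PREFIX",
                   algorithm: str = "SHA-256") -> str:
    """The 64-char uppercase hex string most online generators show (wrong for `value`)."""
    return salted_digest(password, salt, salt_order, algorithm).hex().upper()


def hash_value_base64(password: str, salt: str, salt_order: str = "PREFIX",
                      algorithm: str = "SHA-256") -> str:
    """The base64 string that goes into `value` (standard alphabet, '=' padding kept)."""
    return base64.b64encode(salted_digest(password, salt, salt_order, algorithm)).decode("ascii")


def credentials_hash_object(password: str, salt: str, salt_order: str = "PREFIX",
                            algorithm: str = "SHA-256") -> dict:
    """Assemble the `hash` object for the credentials.password field of the user import request."""
    return {
        "algorithm": algorithm,
        "salt": salt,
        "saltOrder": salt_order,
        "value": hash_value_base64(password, salt, salt_order, algorithm),
    }


if __name__ == "__main__":
    # Both encodings of the same 32-byte digest; only the base64 form is accepted.
    print("hex    :", hash_value_hex(PASSWORD, SALT))
    print("base64 :", hash_value_base64(PASSWORD, SALT))
    print(json.dumps({"credentials": {"password": {"hash": credentials_hash_object(PASSWORD, SALT)}}},
                     indent=2))
```

Running it prints the same hex string the original poster obtained and, for the base64 line, the value Micah posted with a trailing `=`; the generator he linked strips that padding, so compare the two after removing it. Whichever form you send, generate the hash locally rather than pasting a real password into a third-party web form.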

Thank you Micah, that solved the issue.


Can Okta migrate users with SHA-1 passwords? I have tried the code below. The user gets added to Okta, but I am unable to log in using my password (Test$123!). When I generated the hash using SHA-256 and used ["algorithm"] = "SHA-256", I was able to log in.

using System.Collections.Generic;

// The "credentials" part of the user import request body, built as nested dictionaries.
var credentials = new Dictionary<string, object>
{
    ["password"] = new Dictionary<string, object>
    {
        ["hash"] = new Dictionary<string, string>
        {
            ["algorithm"] = "SHA-1",
            ["salt"] = "qsBix3+FvBzW6jDjS+h3O6I7XQY=",
            ["saltOrder"] = "PREFIX",
            ["value"] = "Yqz2D3NqIFsWVLiZKQWVcVUHrQ4"
        }
    }
};

Hi @mail2eldo

I've also checked on my end now and I was unable to authenticate users successfully using SHA-1 passwords. Can you please open a support case with us at support@okta.com in order to have this reviewed internally and sent to the engineering team?