Migrate users to Okta from Ruby's devise: bcrypt, salt AND pepper

FlippedBit · November 4, 2022, 5:42pm

I’m looking at migrating an application to Okta.

I see that here is a user migration API that supports importing users WITH passwords.

The bcrypt instructions mention separating the salt and the value.

However, there is (seemingly) no way to also define what pepper was used:

  bcrypt   = ::BCrypt::Password.new(hashed_password)
  if klass.pepper.present?
    password = "#{password}#{klass.pepper}"
  end
  password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
  Devise.secure_compare(password, hashed_password)

Source code in repo: devise/encryptor.rb at 8593801130f2df94a50863b5db535c272b00efe1 · heartcombo/devise (github.com)

Here we can see that user’s input gets a pepper added to it, and that result gets matched against the existing bcrypted salt & password.

Does Okta support this use case or do we need to rely on the Password Hook for this case?

okra-okta · November 8, 2022, 9:38pm

You are correct. I don’t see an option to include “pepper” as a parameter in the request.

I am not sure if the Password Hook will support the use case but here is an example of the payload Okta sends.

system · February 12, 2024, 10:20pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.