I’m looking at migrating an application to Okta.
I see that there is a user migration API that supports importing users WITH passwords.
The bcrypt instructions mention separating the salt and the value.
However, there is (seemingly) no way to also define what pepper was used:
  # Devise::Encryptor.compare: the pepper is appended to the submitted password
  # before bcrypt runs, using the salt taken from the stored hash
  def self.compare(klass, hashed_password, password)
    return false if hashed_password.blank?
    bcrypt = ::BCrypt::Password.new(hashed_password)
    if klass.pepper.present?
      password = "#{password}#{klass.pepper}"
    end
    password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
    Devise.secure_compare(password, hashed_password)
  end
Source code in repo: devise/encryptor.rb at 8593801130f2df94a50863b5db535c272b00efe1, heartcombo/devise (github.com)
Here we can see that the user's input gets the pepper appended to it, and that result gets matched against the existing bcrypted salt & password.
Does Okta support this use case or do we need to rely on the Password Hook for this case?