Migrate users to Okta from Ruby's devise: bcrypt, salt AND pepper

I’m looking at migrating an application to Okta.

I see that here is a user migration API that supports importing users WITH passwords.

The bcrypt instructions mention separating the salt and the value.

However, there is (seemingly) no way to also define what pepper was used:

  bcrypt   = ::BCrypt::Password.new(hashed_password)
  if klass.pepper.present?
    password = "#{password}#{klass.pepper}"
  password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
  Devise.secure_compare(password, hashed_password)

Source code in repo: devise/encryptor.rb at 8593801130f2df94a50863b5db535c272b00efe1 · heartcombo/devise (github.com)

Here we can see that user’s input gets a pepper added to it, and that result gets matched against the existing bcrypted salt & password.

Does Okta support this use case or do we need to rely on the Password Hook for this case?

You are correct. I don’t see an option to include “pepper” as a parameter in the request.

I am not sure if the Password Hook will support the use case but here is an example of the payload Okta sends.