Okta user creation with password bcrypt hash fail

I am trying to create a user by setting the password hash from our existing database, so that the user doesn’t need to change their password to be migrated to Okta.

I used the Okta example at this Okta doc.

The example works, but when I try to replace the password hash with values from my user,
I keep getting this error.

{
    "errorCode": "E0000003",
    "errorSummary": "The request body was not well-formed.",
    "errorLink": "E0000003",
    "errorId": "oaeUsyzXleyS5y6YifKiheQnA",
    "errorCauses": []
}

Also, what should be set in the value field of the password hash?
The Bcrypt hash value doesn’t seem to match the format I see in the example.

 "credentials": {
      "hash": {
        "algorithm": "BCRYPT",
        "workFactor": 12,
        "salt": "xxxxxxxxxxxxxxxxxx",
        "value": "xxxxxxxxxxxxxxxxxxx."
      }
  }

I tried to create the user with a dummy password.
The user shows as active and the credential as verified.
But I am not able to log in using the same password, even though it was created using the hash of the same password.

Below is the credential part which comes back in the response of the create user call.

"credentials":{"password":{},"emails":[{"value":"abc1234@test.com","status":"VERIFIED","type":"PRIMARY"}],"provider":{"type":"IMPORT","name":"IMPORT"}}

Just FYI, I was able to create a new user with hash of a dummy password.

But the actual DB password hashes are still being rejected, showing the error in the original thread.

The bcrypt hash should match this format:
$2<a/b/x/y>$[cost]$[22 character salt][31 character hash]

Do you have the example values you are testing with that’s not working?

You may also find this blog post to be helpful:

This is the create user request I am making:

{
  "profile": {
    "firstName": "some.name",
    "lastName": "test",
    "email": "some@test.com",
    "login": "some@test.com",
    "mobilePhone": "555-415-1337"
  },
  "credentials": {
    "password" : {
      "hash": {
        "algorithm": "BCRYPT",
        "workFactor": 12,
        "salt": "BUPSowM.telGb4DCWTWIA.",
        "value": "BUPSowM.telGb4DCWTWIA.GNJcF9mhR.V2JMQikmUGW./m1HFsvB."
      }
    }
  }
}

The original hash generated was:

$2a$12$BUPSowM.telGb4DCWTWIA.GNJcF9mhR.V2JMQikmUGW./m1HFsvB.

The bcrypt data:

entire hash = $2a$12$BUPSowM.telGb4DCWTWIA.GNJcF9mhR.V2JMQikmUGW./m1HFsvB.
version = 2a
cost = 12
Strength (another name for cost): = 12
"Password" (salt + hash)  = BUPSowM.telGb4DCWTWIA.GNJcF9mhR.V2JMQikmUGW./m1HFsvB.
"salt" = BUPSowM.telGb4DCWTWIA.
"hash" = GNJcF9mhR.V2JMQikmUGW./m1HFsvB.

In the response, I can see the credentials are shown as verified and the user is active:

"credentials":{"password":{},"emails":[{"value":"some@test.com","status":"VERIFIED","type":"PRIMARY"}],"provider":{"type":"IMPORT","name":"IMPORT"}}

But I am not able to log in the user using the password for the bcrypt hash in the request above.

cc: @okra-okta

Just an update:
I even tried setting the entire hash in the value instead of just the password. The request to create the user passes, but we cannot sign in the user with the correct password.
I see an invalid credential error on Okta.

I was able to create a user and sign in correctly.
The issue was with the value of the hash we were setting.
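
An added example, not part of any post in this thread: a Python helper that splits a bcrypt string along the format given in the reply above (22-character salt, 31-character hash) and flags the two "value" mistakes tried in the thread. The function names are hypothetical, and it assumes Okta's BCRYPT import takes the 22-character salt in "salt" and only the 31-character hash in "value".

```python
import re

# Constructed sample input: the bcrypt string quoted in the thread above.
SAMPLE = "$2a$12$BUPSowM.telGb4DCWTWIA.GNJcF9mhR.V2JMQikmUGW./m1HFsvB."

R64 = r"[./A-Za-z0-9]"  # bcrypt's radix-64 alphabet (not standard Base64)
BCRYPT_RE = re.compile(rf"\$(2[abxy])\$(\d{{2}})\$({R64}{{22}})({R64}{{31}})")


def bcrypt_to_okta_hash(bcrypt_string):
    """Split $2<a/b/x/y>$[cost]$[salt][hash] into the fields of the request's hash object."""
    m = BCRYPT_RE.fullmatch(bcrypt_string.strip())
    if m is None:
        raise ValueError("not a well-formed 60-character bcrypt string")
    _version, cost, salt, digest = m.groups()
    work_factor = int(cost)  # "12" -> 12; the request sends a number, not a string
    if not 4 <= work_factor <= 31:  # bcrypt's own cost range
        raise ValueError("cost outside bcrypt's range")
    return {
        "algorithm": "BCRYPT",
        "workFactor": work_factor,
        "salt": salt,     # 22 characters
        "value": digest,  # 31 characters: the hash only, without version, cost or salt
    }


def check_okta_bcrypt_fields(hash_obj):
    """Return a list of problems in an already-built hash object (empty list = well-formed)."""
    problems = []
    salt = hash_obj.get("salt", "")
    value = hash_obj.get("value", "")
    if not re.fullmatch(R64 + "{22}", salt):
        problems.append("salt must be the 22-character radix-64 salt")
    if value.startswith("$2"):
        problems.append("value holds the full bcrypt string, not the 31-character hash")
    elif len(value) == 53 and value.startswith(salt):
        problems.append("value holds salt+hash; drop the leading 22-character salt")
    elif not re.fullmatch(R64 + "{31}", value):
        problems.append("value must be the 31-character radix-64 hash")
    return problems


if __name__ == "__main__":
    print(bcrypt_to_okta_hash(SAMPLE))
```

Running the checker over a migration batch before calling the create-user endpoint catches both failure modes seen here: a request that is rejected outright, and one that is accepted but leaves the user unable to sign in.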
