PBKDF2 - import users

Hi Okta Developers,

I’m looking for a way to import users that have passwords encrypted with PBKDF2.

I saw this article on the forum for SHA1:
https://devforum.okta.com/t/importing-users-with-hashed-passwords-into-okta/15635

Example of the JSON format from the forum link:

curl --location --request POST 'https://{ORG}.okta.com/api/v1/users?activate=true' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS {API_TOKEN}' \
--data-raw '{
  "profile": {
    "firstName": "Hashed",
    "lastName": "Pass",
    "email": "hash@pass.com",
    "login": "hash@pass.com"
  },
  "credentials": {
    "password" : {
      "hash": {
        "algorithm": "SHA-1",
        "value": "LOsCqF9tTebCiy5Z/aiG1Sba+w0="
      }
    }
  }
}'

I was wondering if you have an example for PBKDF2.

For example:

If the password is Test123456!

It might be stored something like:

20000:kcs2gJGOI4Nn2bgiWM8E3P83ZHhIanj1:fBNzjuyyyDghtShOdQNORxp7ppTZQPBZ

Where

Iterations = 20000
Salt in base64 = kcs2gJGOI4Nn2bgiWM8E3P83ZHhIanj1
Hash in base64 = fBNzjuyyyDghtShOdQNORxp7ppTZQPBZ

I’m looking for the json structure. :grinning:

Maybe it looks something like…

"credentials": {
    "password" : {
      "hash": {
        "algorithm": "PBKDF2",
        "value": "fBNzjuyyyDghtShOdQNORxp7ppTZQPBZ",
        "salt": "kcs2gJGOI4Nn2bgiWM8E3P83ZHhIanj1",
        "iterations": "20000",
        "encryption": "SHA512",
        "byteSize": "24"
      }
    }
  }

Any suggestions would be greatly appreciated!
Thanks

Hi there,

We do support PBKDF2 Password Hash algorithm and we do have an example for the same here in the Okta Users API documentation - https://developer.okta.com/docs/reference/api/users/#pbkdf2-hashed-password-object-example.

The example that you have provided is almost correct, but kindly make sure to use the correct property names in the hash object.

Here you can find all the available properties for the password hashing - https://developer.okta.com/docs/reference/api/users/#hashed-password-object.

Let me know if that helps.

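An added example (not from either post and not Okta's code): before a bulk import, confirm against a test account that a legacy `iterations:salt:hash` record really re-derives with the digest and key size you intend to declare, then build the hash object from it. The property names `iterationCount`, `keySize` and `digestAlgorithm` and the value `SHA512_HMAC` are as given in the Okta documentation the reply links to, which this page does not reproduce, so confirm them there; the helper names and the sample record are constructed, and the salt is assumed to be the Base64 encoding of the raw salt bytes.

```python
import base64
import hashlib
import hmac

# hashlib digest name -> Okta digestAlgorithm value (assumed from the linked docs)
DIGESTS = {"sha256": "SHA256_HMAC", "sha512": "SHA512_HMAC"}

def parse_record(record):
    """Split 'iterations:salt_b64:hash_b64', the layout shown in the question."""
    iterations, salt_b64, hash_b64 = record.split(":")
    return int(iterations), salt_b64, hash_b64

def verify(record, password, digest="sha512"):
    """Re-derive the key for a known test password and compare in constant time.
    False means the assumed digest or salt handling differs from the legacy system."""
    iterations, salt_b64, hash_b64 = parse_record(record)
    stored = base64.b64decode(hash_b64, validate=True)
    salt = base64.b64decode(salt_b64, validate=True)
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                                  iterations, len(stored))
    return hmac.compare_digest(derived, stored)

def okta_hash_object(record, digest="sha512"):
    """Build the credentials.password.hash object; keySize is the decoded hash length."""
    iterations, salt_b64, hash_b64 = parse_record(record)
    return {
        "algorithm": "PBKDF2",
        "digestAlgorithm": DIGESTS[digest],
        "iterationCount": iterations,
        "keySize": len(base64.b64decode(hash_b64, validate=True)),
        "salt": salt_b64,
        "value": hash_b64,
    }

def make_sample_record(password, salt, iterations=20000, key_size=24):
    """Constructed test data in the same layout (not the value from the post)."""
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, key_size)
    return ":".join([str(iterations), base64.b64encode(salt).decode(),
                     base64.b64encode(key).decode()])

if __name__ == "__main__":
    import json
    sample = make_sample_record("Test123456!", b"constructed-salt-24bytes")
    print("re-derives with SHA-512:", verify(sample, "Test123456!"))
    body = {"credentials": {"password": {"hash": okta_hash_object(sample)}}}
    print(json.dumps(body, indent=2))
```

If `verify` returns False for a password you know is correct, the declared digest, key size or salt encoding does not match how the legacy system hashed it, and users imported with those parameters would not be able to sign in.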