Identity Server Hashing Passwords For Existing Users

Recently we started working on a new IdentityServer4 project: something to give an existing product a facelift and better security, using C# and .NET Core 3.

The idea was to create a portal for users to log in through, then forward on to the existing products.

The plus side of this: using the latest .NET Core 3 technologies, adding extra security through IdentityServer4, and being future-proof.

The negative: IdentityServer4 used its own users table in our Microsoft SQL Server DB.

We already had a number of users who had created accounts in the old product, so the minimum we wanted to do was transfer the login details without having to manually recreate them through the Identity Server interface.

The first real issue

The first real issue is the hashing algorithm. The existing user table held hashed passwords and a salt value. We could not see what the original passwords were, so we could not reproduce them.

To add to that, the salt used for these was generated through a different, PHP-based algorithm. We could not simply copy the passwords and salts into the new table.

This added a second issue: IdentityServer4 had its own password hashing algorithm, so we needed to use it to create the hashed password when we copied/created the users in the copy.

The C# .NET Core 3 algorithm I used

After a little digging I found out a little more about the PasswordHasher object. It sounded like the tool for the job. After a little more digging I came up with the following code, which I used to hash passwords for my existing users after transferring them to the new tables.

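using System;
using Microsoft.AspNetCore.Identity;

// ReadExistingUsers() and SaveToNewTable() stand in for your own data-access methods.
foreach (var existing in ReadExistingUsers())
{
    Guid _guid = Guid.NewGuid();
    var _identityUser = new IdentityUser();
    _identityUser.Id = _guid.ToString();
    _identityUser.UserName = existing.UserName;
    _identityUser.Email = existing.Email;
    // Identity looks users up by the normalized (upper-case) values.
    _identityUser.NormalizedUserName = existing.UserName.ToUpperInvariant();
    _identityUser.NormalizedEmail = existing.Email.ToUpperInvariant();

    var _hasher = new PasswordHasher<IdentityUser>();
    // "password" is the same initial password for every copied user.
    string _password = _hasher.HashPassword(_identityUser, "password");
    _identityUser.PasswordHash = _password;

    SaveToNewTable(_identityUser);
}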

In the above code, you create a new identity user, a GUID and a string for the password.

Next you create your own method for reading the details from the existing table. Add the appropriate details from this into the identity user structure.

Next you create an object of type PasswordHasher. Finally, pass in the user and password text and you get the hashed password out as a string.

Save all this to the AspNetUsers table (the one used by Identity Server by default) and you will have created a user that you can use to log into your Identity Server project.

This will allow you to build a small application to bulk copy existing users into the new user login - though they may need to change their password on first login.

As part of this tool you may add random password generation code, then save the generated passwords out to a log file, so that each user has an independent password.

Check out a future post where I will detail the random password generator code I have used in my project.
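One way to do the per-user random password step described above, as an added example that is not the author's generator or code from the project. MigrationPasswords, NewTemporaryPassword, Migrate, the alphabet and the sample account are assumed names and values; RandomNumberGenerator.GetInt32 requires .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Identity;

public static class MigrationPasswords
{
    // Constructed alphabet; look-alike characters (0/O, 1/l/I) are left out.
    private const string Alphabet =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%*+-?";

    // Builds a temporary password from the OS CSPRNG. GetInt32 avoids modulo bias.
    public static string NewTemporaryPassword(int length = 16)
    {
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)]);
        return sb.ToString();
    }

    // Creates the IdentityUser for one legacy account and returns the
    // plaintext temporary password so the caller can deliver it to the user.
    public static (IdentityUser User, string TemporaryPassword) Migrate(
        string userName, string email, PasswordHasher<IdentityUser> hasher)
    {
        var user = new IdentityUser   // constructor fills in Id and SecurityStamp
        {
            UserName = userName,
            NormalizedUserName = userName.ToUpperInvariant(),
            Email = email,
            NormalizedEmail = email.ToUpperInvariant()
        };
        string temporary = NewTemporaryPassword();
        user.PasswordHash = hasher.HashPassword(user, temporary);
        return (user, temporary);
    }

    public static void Main()
    {
        var hasher = new PasswordHasher<IdentityUser>();
        // Constructed sample account, not real data.
        var (user, temp) = Migrate("alice", "alice@example.com", hasher);
        // The stored string is self-contained: format marker, PRF, iteration
        // count and a fresh random salt are encoded ahead of the derived key.
        Console.WriteLine(user.PasswordHash);
        Console.WriteLine(hasher.VerifyHashedPassword(user, user.PasswordHash, temp));
        Console.WriteLine(hasher.VerifyHashedPassword(user, user.PasswordHash, "password"));
    }
}
```

The plaintext temporary password exists only in the returned tuple, so anything that stores it (such as the log file mentioned above) holds live credentials until each user changes their password.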
