COMMAND-CahN2 when migrating an existing user
I'm trying to migrate a user to Zitadel using the AddHumanUser endpoint.
The user's password hash is: $scrypt$ln=15,r=8,p=3$nSiEc4X4LqdTnUE9T8E0NaW8wRpuru5LAB25ScJVD+M=$XSJ5bXrlYBNXmylT1QjFo7bqr1l0MzUsWg2iLF1+BCE=
The AddHumanUser call is successful, but if I try to log in with the user and its password (using the default Zitadel login screen), I get redirected to the login with the error "An internal error occurred" and the code "COMMAND-CahN2".
I've verified the password using Python's passlib, the password is "test1234".
Any idea what is going on?
I'm running Zitadel in docker, version 2.71.8.
6 Replies
Hi @Johan Alkemade thanks for the question, I'll look into it.
Looks like something's not right during password imports.
I'll look into this and get back to you.
@Rajat Singh any update?
hey @Johan Alkemade thanks for the bump, checking it now
hey @Johan Alkemade I will tell you exactly what needs to be done.
If you look at your password hash, they are hashed with $scrypt. BUT if you check your docker compose setup, it's actually bcrypt which is enabled by default, which is something you do not want.
You can look it up here under defaults.yaml if the menu collapses.
To migrate existing users (with hashed passwords), you should use the ImportHumanUser endpoint documented in the “Migrate Users” guide https://zitadel.com/docs/guides/migrate/users
The AddHumanUser endpoint is primarily for creating brand-new users and is deprecated for import scenarios. When you call AddHumanUser, Zitadel treats it as “create a new human user with a password,” which triggers a password-verification step against the configured hasher/verifier setup. If you passed a scrypt hash, the default (bcrypt) verifier fails and throws the error.
Ensure that you set isEmailVerified: true if you do not want an initialization email to be sent.
Setting passwordChangeRequired: false ensures the user can log in immediately without being forced to reset their password on first login.
Hope this helps 🙂
@Rajat Singh thanks for the response.
In our docker compose, I have set the ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS to scrypt,argon2, so that shouldn't be an issue.
I will use ImportHumanUser endpoint and see if that fixes the issue.
ah okay then it could be because you didn't use ImportHumanUser as it was made for that 🙂
Hi there @Johan Alkemade! Following up on this thread to see if the solution that @Rajat provided helped you to resolve your issue? ☺️
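Added example, not part of the thread and not Zitadel's code: a pre-import check that parses a hash string in the `$scrypt$ln=..,r=..,p=..$salt$hash` layout quoted in the question, confirms its algorithm appears in a comma-separated verifier list such as the `scrypt,argon2` value mentioned above, and re-verifies a password against it. It assumes standard base64 for salt and hash and that the decoded salt bytes are the scrypt salt; `make_hash` is a hypothetical helper for building constructed test data.

```python
import base64
import hashlib
import hmac

# The hash string quoted in the question above.
PAGE_HASH = ("$scrypt$ln=15,r=8,p=3$nSiEc4X4LqdTnUE9T8E0NaW8wRpuru5LAB25ScJVD+M="
             "$XSJ5bXrlYBNXmylT1QjFo7bqr1l0MzUsWg2iLF1+BCE=")


def _b64(text):
    # Assumption: standard base64 alphabet; accept padded and unpadded input.
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def parse_scrypt(encoded):
    """Split '$scrypt$ln=..,r=..,p=..$salt$hash' into parameters and raw bytes."""
    parts = encoded.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        raise ValueError("not a $scrypt$ hash string")
    params = dict(item.split("=", 1) for item in parts[2].split(","))
    return {"ln": int(params["ln"]), "r": int(params["r"]), "p": int(params["p"]),
            "salt": _b64(parts[3]), "hash": _b64(parts[4])}


def algorithm_enabled(encoded, verifiers):
    """True if the hash's algorithm id is in a comma-separated verifier list."""
    enabled = {v.strip() for v in verifiers.split(",") if v.strip()}
    fields = encoded.split("$")
    return len(fields) > 1 and fields[0] == "" and fields[1] in enabled


def verify(password, encoded):
    """Recompute scrypt with the embedded parameters and compare in constant time."""
    h = parse_scrypt(encoded)
    n = 1 << h["ln"]
    # scrypt needs about 128*n*r bytes; raise maxmem above hashlib's default.
    derived = hashlib.scrypt(password.encode(), salt=h["salt"], n=n, r=h["r"],
                             p=h["p"], dklen=len(h["hash"]),
                             maxmem=2 * 128 * n * h["r"] + 1024 * 1024)
    return hmac.compare_digest(derived, h["hash"])


def make_hash(password, salt, ln, r, p):
    """Hypothetical helper: build a string in the same layout for test data."""
    dk = hashlib.scrypt(password.encode(), salt=salt, n=1 << ln, r=r, p=p, dklen=32)
    return "$scrypt$ln={},r={},p={}${}${}".format(
        ln, r, p, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())
```

Running `algorithm_enabled` against the verifier list actually deployed, before sending a batch of hashes to the import endpoint, separates a configuration mismatch from a malformed hash.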