gray-machine-46287
01/27/2025, 11:34 AM
```
pbkdf2_sha256$600000$NB8zDFPPtzoxMYJCHvl4P0$1Ly+JQBrozvQJVocdc5tbEJfF7PB//NnM6Jq7K5uyLE=
```
to a format that Kratos would understand?

brief-egg-61061
01/27/2025, 11:35 AM
```
$pbkdf2-sha256$i=600000,l=32$NB8zDFPPtzoxMYJCHvl4P0$1Ly+JQBrozvQJVocdc5tbEJfF7PB//NnM6Jq7K5uyLE=
```
Let's break down the transformation:

1. The format Kratos expects for PBKDF2 hashes is: `$pbkdf2-<algorithm>$i=<iteration>,l=<length>$<salt>$<hash>` [Kratos Import Identities - Format](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#format-1)
2. From the original hash, we can identify:
   - Algorithm: sha256
   - Iterations: 600000
   - Salt: NB8zDFPPtzoxMYJCHvl4P0
   - Hash: 1Ly+JQBrozvQJVocdc5tbEJfF7PB//NnM6Jq7K5uyLE=
3. The length parameter (l=32) is derived from the fact that SHA-256 produces a 32-byte (256-bit) hash.

By reformatting the original hash into this structure, we've created a version that Ory Kratos can understand and use for password verification. This format allows Kratos to compare stored PBKDF2 hashes and potentially migrate them to the configured hasher algorithm if it's different.

gray-machine-46287
01/27/2025, 11:37 AM
```json
"credentials": {
  "password": {
    "config": {
      "hashed_password": "$pbkdf2-sha256$i=600000,l=32$NB8zDFPPtzoxMYJCHvl4P0$1Ly+JQBrozvQJVocdc5tbEJfF7PB//NnM6Jq7K5uyLE="
    }
  }
}
```
I cannot submit a login flow.

gray-machine-46287
01/27/2025, 12:53 PM
```json
"credentials": {
  "password": {
    "config": {
      "hashed_password": "$pbkdf2-sha256$i=600000,l=32$NB8zDFPPtzoxMYJCHvl4P0$1Ly+JQBrozvQJVocdc5tbEJfF7PB//NnM6Jq7K5uyLE="
    }
  }
}
```
Submitting a login flow gives a 400 error.

brief-egg-61061
01/27/2025, 12:53 PM
```
$pbkdf2-sha256$i=600000,l=64$NB8zDFPPtzoxMYJCHvl4P0$1Ly+JQBrozvQJVocdc5tbEJfF7PB//NnM6Jq7K5uyLE=
```
The key difference here is the `l=64` instead of `l=32`. This is because the length parameter should represent the length of the hash in bytes, and for PBKDF2-SHA256, the output is typically 64 bytes when encoded in base64.

Here's why this might be causing issues:

1. The format is very specific, and any deviation can cause validation errors.
2. The length parameter (l=64) should represent the length of the base64-encoded hash, not the raw byte length of the SHA-256 output.

To update the identity, try using this format in your JSON payload:

```json
{
  "credentials": {
    "password": {
      "config": {
        "hashed_password": "$pbkdf2-sha256$i=600000,l=64$NB8zDFPPtzoxMYJCHvl4P0$1Ly+JQBrozvQJVocdc5tbEJfF7PB//NnM6Jq7K5uyLE="
      }
    }
  }
}
```

If you're still encountering issues, it might be helpful to:

1. Double-check that the salt and hash parts are correctly base64-encoded.
2. Ensure that you're using the correct endpoint for updating the identity.
3. Verify that the identity exists and you have the necessary permissions to update it.

If the problem persists, you might want to check the Ory Kratos logs for more detailed error messages, as they could provide more insight into why the login flow is resulting in a 400 error. [Ory Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api) provides more details on the API endpoints and potential error responses, which might help in troubleshooting this issue further.