Using Custom Authentication Logic

[BraianPita]

I have users, password hashes, and salts stored on a postgres DB, and I want to start using authentik to add OAuth/OIDC, Groups, roles, etc. However, I want to connect to my current database to do so and reuse my current users and passwords to avoid having to reset their passwords. Is there a way to do this?

I was thinking either being able to set the secret and method used to verify password hashes, or being able to setup a custom auth script so I can use my user's to authenticate. I don't have OAuth or any other procotol on this system so I can't use an external source.

[ImmanuelVonNeumann]

The only feasible solution I see is to add any of authentik's supported federated- and social sources to your current setup (i.e. by developing a connector of sorts).

[severin]

From my understanding Authentik (actually Django) stores password hashes in the following format in the database:

ALGORITHM$OPTIONS

I.e. in the case of the default PBKDF2PasswordHasher:

pbkdf2_sha256$ITERATIONS$SALT$HASH

So I assume you could implement a custom hasher that mimicks the implementation of your old system. Then export the records from your old database in a compatible format, i.e. (if you named the algorithm of your custom hasher legacy_hasher):

legacy_hasher$SALT$HASH

And import these into the Authentik database as password column.

When the Authentik code then calls verify_password for a user that you imported Django should detect your custom hasher implementation based on the legacy_hasher$ prefix and invoke it to verify the password (and reencode the password with the default hasher).