Features: Support upsert and management of accounts created while in passthrough mode
We recently completed a migration of accounts from an old identity provider to Auth0. For reference, that process was:
- Set up Auth0 connection database with an external data store and custom database scripts.
- Use Auth0 in passthrough mode (Import Users to Auth0 = false, Sync user profile attributes at each login = true).
- Switch Auth0 to migration mode (Import Users to Auth0 = false).
- Manually migrate users using user import jobs (upsert = false).
- Disable connection to external data store (modify custom scripts to always return null).
After the process was complete, we noted that users whose profile was created in Auth0 during passthrough mode, but who had not returned until after step 5, are unable to log in. We are also unable to update their account, receiving the error “User with old email does not exist in Auth0 database.” To resolve the issue, we have to delete their account and recreate it.
The issue appears to be that the bulk upload process skips (when upsert = false) or fails (when upsert = true) for accounts created while the system was in passthrough mode with profile sync enabled. Essentially, a profile exists in the Auth0 user store, but a credential does not exist in the Auth0 internal database. This is based on my understanding of the information presented in the following article (which confirms the need to delete the account):
Compounding the issue is the fact that Auth0 does not provide a definitive means of identifying accounts in this state. When we look up these accounts they are presented with the same data structure as accounts that are fully migrated. There is no direct indication that the account does not have a credential record in Auth0’s internal database.
I did note some guidance about indicating migrated accounts, which we were doing during migration mode.
And there is some guidance on how to indirectly identify users without an Auth0 credential.
We are, however, now in the unpleasant position of having to identify impacted accounts so that we can resolve the issue.
In consideration of the issues we’ve run across, I’d like to see the following management enhancements to the system:
- Provide an indicator in the account identity showing whether or not an account has a credential record in Auth0’s internal database.
- Allow creation of a credential record in Auth0 during upsert if the account does not currently have one.
- Allow password reset or administrative password changes for an account without an existing credential.