App migration so transparent that it's invisible

Hi all

I have a strange request for an application to be migrated to Auth0 without the user knowing about it. In the current state, the mobile application can get and validate access tokens, but they are not issued by Auth0 but by a custom AS.

The idea would be to divide the migration of this app in two stages:

First stage: the app would get the tokens issued by Auth0 through a backend (that would in turn use ROPG to authenticate the user with Auth0). After most users have a valid access and refresh token, we would advance to the second stage.

Second stage: with a valid refresh token (obtained in the previous stage) we would change the grant type in Auth0 to access code+PKCE so that the app can get valid access tokens without the users having to log in again.

Does this make sense? Are there any docs regarding this process that I might have missed?

Hi @msiracusa

This is possible, but if you are migrating refresh tokens this is hard.
I don’t know of any available docs unfortunately. Professional Services has experience with this, if that is an option for you.

I think you have the access portion figured out. But since refresh tokens can live a long time, possibly forever, the refresh token is more difficult.


Thank you @john.gateley

We will check with professional services.