Automatic migration with social login account linking


I’m setting up automatic migration of my existing username/password auth users. It works just as you’d expect: a user attempts password login the first time, my database is accessed for a representation of the user, and they are created in the Auth0 system.

I’m also using account linking. Again, this works exactly as you’d expect: a user logs in with a social account, Auth0 checks for their email, and links their account with an existing user if possible.

My question, then, is how these systems work together… It appears that Auth0 does NOT attempt to run automatic migration for a social login. Is this true? My observation is this:

  1. I login with my Gmail account before ever logging in with username/password. Automatic migration does no run, so a new gmail-specific user is created.

  2. Next, I logout and then log back in with my username/password. This runs automatic migration, and pulls my user record from my database. It also detects that the account email matches a Gmail login, so attempts to link them.

While this process technically works, what I end up with is a gmail user that has my password user attached to it. It would expect the reverse to be true: I want a password user with a gmail user attached to it. Should automatic migration have run to create the password user for that email address before creating the social account? If not, is there a way to specify which account candidate is primary/secondary while performing account linking?


Hi @greg.macwilliam

Auth0 does not automatically migrate the linked account.

You will have to do something like:
Create an Auth0 DB of all social users (export all users, filter only the social users, and import them into a username/password DB in the new Auth0 tenant)
Bulk migrate your username/password users, save all linking info.
Immediately after the migration, link the new username/password users with the corresponding social user in the Auth0 DB you created above.
Have a rule that fires on first social login, pulling the info from the social DB to find out if the user logged in socially on the old platform, if so, then import metadata as needed and relink as needed.


Thanks for the reply, John. Can you say more about the above? How does one programmatically relink within an action… just API transactions? As for detecting first social login within a rule, is that as simple as just looking at the connection name and the user’s login count?

Hi @greg.macwilliam

As you can guess, there is some code involved here. Yes to both your questions: you’ll be making API calls to the management API from rules (you can try the linking extension just for an example), and the first social login is as you described.