Best practice for migrating user ids

victoryun · February 17, 2021, 7:16pm

Hello,

We were wondering what the best practice is for migrating user ids. Currently, we are using a system of randomly generated user ids (~20 characters). I know that auth0 generates an identifier that looks like this 102437854499766869014 (21 characters).

In terms of security, we looked into uuidv4 which looks like ad076419-fde7-4940-b18c-1d86607491f0 and we weren’t sure what the best practices are for migrating these ids.

Should we migrate the current ids (~20 characters) into auth0 and use auth0’s generated ids in the future or keep our own set of ids?

Thanks!

stephanie.chamblee · February 18, 2021, 8:33pm

Hi @victoryun,

Thanks for joining the Community!

Auth0 stores user IDs as {identity provider id}|{unique id in the provider} or facebook|1234567890. This way within a tenant, a user’s ID will be unique.

If you plan to use a Custom Database , then the most important thing would be to structure the ID in a way that the IDs will not collide, for example:

function login (email, password, callback) {
  var user = getUserFromDB(email);
  var profile = {
    user_id: 'MyConnection|' + user.id,
    email: user.email,
    [...]
  };
  callback(null, profile);
}

If you’re interested in how you might use a UUID in user metadata in order to identify users in a universally unique way (not just unique within a tenant), you can take a look at the answer in this topic: Using another user identifier (UUID) than the user_id - #2 by jmangelo

Please let me know if that is the info you’re looking for. Thanks!

victoryun · February 18, 2021, 9:19pm

Thank you, I was wondering if I were to store a uuid (that I use in my DB) in app_metadata, is that feasible and secure?

stephanie.chamblee · February 19, 2021, 11:13am

Yes, you can use app_metadata to store external IDs associated with the user. It is recommended as one of the uses in the docs: Understand How Metadata Works in User Profiles

The app metadata is not automatically exposed to the application in an ID Token, but you can return it to the app by adding a custom claim: How to get user_metadata and app_metadata in id_token - #3 by James.Morrison

system · March 6, 2021, 11:14am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.