Best practice for migrating user ids

Hello,

We were wondering what the best practice is for migrating user ids. Currently, we are using a system of randomly generated user ids (~20 characters). I know that Auth0 generates an identifier that looks like this: 102437854499766869014 (21 characters).

In terms of security, we looked into UUIDv4, which looks like ad076419-fde7-4940-b18c-1d86607491f0, and we weren’t sure what the best practices are for migrating these ids.

Should we migrate the current ids (~20 characters) into Auth0 and use Auth0’s generated ids in the future or keep our own set of ids?

Thanks!

Hi @victoryun,

Thanks for joining the Community!

Auth0 stores user IDs as {identity provider id}|{unique id in the provider} or facebook|1234567890. This way within a tenant, a user’s ID will be unique.

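If you plan to use a Custom Database, then the most important thing would be to structure the ID in a way that the IDs will not collide, for example:

function login (email, password, callback) {
  // getUserFromDB stands for your own lookup against the existing user store
  var user = getUserFromDB(email);
  var profile = {
    // Prefix the stored id with the connection name so ids from different sources cannot collide
    user_id: 'MyConnection|' + user.id,
    email: user.email
    // ... (other profile fields)
  };
  callback(null, profile);
}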

If you’re interested in how you might use a UUID in user metadata in order to identify users in a universally unique way (not just unique within a tenant), you can take a look at the answer in this topic: Using another user identifier (UUID) than the user_id - #2 by jmangelo

Please let me know if that is the info you’re looking for. Thanks!

Thank you, I was wondering if I were to store a UUID (that I use in my DB) in app_metadata, is that feasible and secure?

Yes, you can use app_metadata to store external IDs associated with the user. It is recommended as one of the uses in the docs: Metadata

The app metadata is not automatically exposed to the application in an ID Token, but you can return it to the app by adding a custom claim: How to get user_metadata and app_metadata in id_token - #3 by James.Morrison
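The custom-claim step described in the reply above, sketched as a post-login Action; this is an added example, not code from the thread or from Auth0. The app_metadata key `internal_uuid`, the claim namespace `https://example.com/` and the `simulateLogin` helper are assumptions made for illustration.

```javascript
// Added example. Assumed names: app_metadata key "internal_uuid",
// claim namespace "https://example.com/" (both placeholders).
const CLAIM = 'https://example.com/internal_uuid';
const UUID_V4 =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Returns the UUID to expose, or null when it is missing or malformed.
// Only app_metadata is read: user_metadata is data a user may be allowed
// to edit, so it is never used as a fallback for an identifier.
function internalUuid(user) {
  const meta = user.app_metadata || {};
  const value = meta.internal_uuid;
  if (typeof value !== 'string' || !UUID_V4.test(value)) return null;
  return value.toLowerCase(); // one canonical form for downstream lookups
}

// Core logic, kept synchronous so it can be exercised outside Auth0.
function setUuidClaim(event, api) {
  const uuid = internalUuid(event.user);
  if (uuid === null) return false; // emit no claim rather than a bad one
  api.idToken.setCustomClaim(CLAIM, uuid);
  return true;
}

// Entry point with the signature of an Auth0 post-login Action.
async function onExecutePostLogin(event, api) {
  setUuidClaim(event, api);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Action runtime: records the claims that
// would be added to the ID Token for a given (constructed) user profile.
function simulateLogin(user) {
  const claims = {};
  const api = { idToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
  setUuidClaim({ user }, api);
  return claims;
}
```

The application then reads the UUID from the namespaced claim in the ID Token and keeps using `user_id` only as the Auth0-side key.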
