Linked accounts, priority on accounts in Identifier First Authentication Profile

We're looking for an elegant way to migrate users from various sources, where they might have different passwords, to consolidate them all on auth0 and give them an easy way to migrate their own accounts without really noticing it.

Summary

The idea would be to create accounts with passwordless email login. At the same time we create the classical Username-Password-Authentication accounts, but deactivated, with the same email, and link them together.
We would expect then that the passwordless email login has precedence (this is unfortunately not the case). After a successful login, with the help of Actions, we would then forward the user to the previously created password reset token URL. Then, again with the help of Actions, we would disable the passwordless email account. This point would then mark the end of the user migration.

Maybe there is a better, more auth0-ish way to achieve the same?

But in this flow we're facing one issue which is killing the attempt. Whatever we do, as long as connection=email is not specified in the login URL, the “Username-Password-Authentication” account always has precedence.

Details:

Under Authentication > Authentication Profile we have Identifier First activated.

First create the primary user:

{
  "email": "this.is@my.email",
  "email_verified": true,
  "given_name": "Firstname",
  "family_name": "Lastname",
  "verify_email": false,
  "connection": "Username-Password-Authentication",
  "password": "xxxxxxxx",
  "blocked": true
}

Then create the secondary user:

{
  "email": "this.is@my.email",
  "email_verified": true,
  "given_name": "Firstname",
  "family_name": "Lastname",
  "verify_email": false,
  "connection": "email",
  "blocked": false
}

Then link the secondary to the primary:

{
  "provider": "auth0",
  "user_id": "auth0|<USER_ID_OF_SECONDARY>"
}

This all works fine and looks good in the auth0 dashboard. The two users appear as one. But if I try to log in without specifying the query parameter connection=email, it ALWAYS uses the account with the “Username-Password-Authentication” connection.

https://MYURL/authorize?response_type=token&state=xxxxx&client_id=yyyyyy&redirect_uri=https://oidcdebugger.com/debug

What I've also tried:

  • Switching primary and secondary user
  • Set blocking to “true” on the “Username-Password-Authentication” account

Whatever I do, it always keeps using the “Username-Password-Authentication” account.
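As an added example (not code from the original post), here is a post-login Action sketch for the two-hop migration described above: after a passwordless login the user is sent to the password reset ticket URL, and after the first password login the passwordless path is closed. It assumes the migration script stored the ticket URL in app_metadata.password_reset_url, that app_metadata.migration_complete marks a finished migration, and that https://MYURL is the tenant origin from the post.

```javascript
// Added example, not part of the original post. Assumed app_metadata keys:
//   password_reset_url   - password-change ticket URL written by the migration script
//   migration_complete   - set once the user has logged in with a password
const PASSWORD_CONNECTION = 'Username-Password-Authentication';
const EMAIL_CONNECTION = 'email';
// Only redirect to the tenant's own reset page, never to an arbitrary stored URL.
const TENANT_ORIGIN = 'https://MYURL/';

// Pure decision function so the logic can be unit-tested without the Actions runtime.
// Returns { step: 'redirect', url } | { step: 'complete' } | { step: 'deny', reason } | { step: 'none' }.
function decideMigrationStep(event) {
  const meta = (event.user && event.user.app_metadata) || {};
  const connection = event.connection && event.connection.name;

  if (meta.migration_complete) {
    // Migration finished: the passwordless identity must no longer grant access.
    return connection === EMAIL_CONNECTION
      ? { step: 'deny', reason: 'Passwordless login disabled after migration' }
      : { step: 'none' };
  }
  if (connection === EMAIL_CONNECTION) {
    // First hop: passwordless login succeeded, send the user to set a password.
    const url = meta.password_reset_url;
    if (typeof url !== 'string' || !url.startsWith(TENANT_ORIGIN)) {
      return { step: 'deny', reason: 'No valid password reset ticket for this user' };
    }
    return { step: 'redirect', url };
  }
  if (connection === PASSWORD_CONNECTION) {
    // Second hop: the user now owns a password, record that migration is done.
    return { step: 'complete' };
  }
  return { step: 'none' };
}

async function onExecutePostLogin(event, api) {
  const decision = decideMigrationStep(event);
  if (decision.step === 'redirect') {
    // Pauses the transaction; if the reset page never returns to /continue,
    // no tokens are issued, which is the intended outcome for this hop.
    api.redirect.sendUserTo(decision.url);
  } else if (decision.step === 'complete') {
    api.user.setAppMetadata('migration_complete', true);
  } else if (decision.step === 'deny') {
    api.access.deny(decision.reason);
  }
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

This only implements the intended flow; it cannot change which linked identity Identifier First selects, which is the blocker the post describes.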