As a bit of background, I’m introducing Auth0 for our existing web application built using ASP.NET MVC 5, and therefore switching to using a hosted page / Universal Login for logins and signup. We are using the Auth0.net OWIN middleware. Our existing system uses GUIDs (UUIDs) for our user ID, yet Auth0 uses a different format (hexadecimal string) by default.
We need the ability to efficiently query Auth0 by our system’s user ID (GUID), and I had originally considered storing this ID in the app_metadata field. Unfortunately, Auth0 no longer allows querying users by properties in the app_metadata field following some prior incident at Auth0.
Given that our preference is not to change all our IDs in the rest of the application, how can we coerce the storage of user IDs in our preferred format in the user_id field via auth0.js (which is what our customised hosted page uses) or any step in the Auth0 pipeline from there?
- We can do this via the Management API (POST to /api/v2/users), though I’m aware that the Management API is designed to be run from our controlled environment instead of anything client-side that can be abused.
- I considered including the user ID in the script that calls the Authentication API via auth0.js, though for similar reasons, I do not want to have the GUID generated in script running on the client.
- I considered writing a rule to set this ID, though I understand that the rules pipeline only runs after the user record has been created and stored (not before) - therefore the user_id cannot be changed.
Please let me know how we can use a GUID as our user_id. Also, how can we control the user_id when migrating existing users from our existing SQL database when each given user logs in after we go live with Auth0 integration? Many thanks.