Storing ID Best Practices -> Relationships in Database

Developing an application that has many data points internally.

I need to store the authenticated user’s ID so that I can handle the relationships on the API/DB side of things.

My first thought was to store the provider in a field, and then use the identity ID as the unique ID in my database, but I realized that if I do this I can open myself up to duplicates if say, a google auth ID happens to match a randomly generated Auth0 ID.

So, what would the suggested best practice be in this case?

Is it safe to store i.e.: “auth0|5dfae7feb435c60e955956e7” in its entirety as a unique ID?

The purist in me feels that this is a bad idea, but the only other thing I can think of right now is to store the ID itself alone, provider, and email address and match to all three but, email address feels like a problem as well b/c what if the user decides to change it with the social provider?

Thanks!

1 Like

Auth0 guarantees that the global user ID (the sub in the ID token, i.e. auth0|5dfae7feb435c60e955956e7) uniquely identifies an identity (there will be no collisions from users coming from other identity providers). You can use that ID to look up the user if you need to.

You should definitely avoid using the connection’s user ID (the part that comes after the pipe character), and treat the user ID as an opaque string without attempting to parse it in any way.

As for storing other information about the user, like the email address, it could be a good idea both for optimization (queries can be answered fully from your database) but also because some data can change over time and Auth0 will only provide a snapshot of what the user looks like when queried.

Not sure if that answers your questions fully, happy to clarify if needed.

Thanks for the answer Nicolas!

So if I’m understanding correctly, I should use auth0|5dfae7feb435c60e955956e7 as the id.

The form it is served in will be consistent in the future?

The form it is served in will be consistent in the future?

What’s guaranteed is that you will get the same ID every time the same identity logs in. If the user is deleted and re-created, you will get a new ID (even if the email matches the previous user).

Also, and sorry for repeating myself, you should not attempt to parse it in any way. Just a simple string matching to look up the same identity in your database.