We are in the process of migrating a database to Auth0 which contains some people having multiple users (unique user IDs and emails across users). These people have access to multiple tenants of our application for different business customers, and currently have different credentials for each tenant. Our plan is to update our mobile app to allow selection from accessible tenants (they aren't visiting a specific domain, so we only know based on user ID). Until then, merging these accounts isn't an option. We need a unique user ID in order to know which tenant's data to return.
In the short term, our plan is to keep these accounts separate, and prevent any user from updating their email if it already exists. Does this sound like the right approach?
In the long term, what is the best workflow for handling a user that tries to update their email address to one that already exists? Is it to delete the user of the no longer used email and merge the metadata on the user with the email that will remain? Is it to link the users (with one having a potentially no longer valid email)? I assume in either case the user would need to authenticate against the user already with the new email address in order to ensure that they are that person.
Thanks in advance for any advice.
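An added example of the short-term guard described in the question (not code from the original post or from Auth0): an email-change check that refuses the update when the target address already belongs to another user. It assumes users are plain dicts with `user_id` and `email` keys, and that equality is decided on a normalised (trimmed, lower-cased) address so that re-cased duplicates cannot slip past the check.

```python
"""Guard for the short-term plan: reject an email change when the new address
already belongs to a different user. Constructed example, not Auth0 code.

Assumptions: users are dicts with "user_id" and "email"; the in-memory list
below stands in for the real user store.
"""
from dataclasses import dataclass
from typing import Optional


def normalize_email(email: str) -> str:
    # Trim whitespace and fold case so "Alice@Example.com" and
    # "alice@example.com" compare equal; a naive exact match would let a
    # user create what is effectively a duplicate address.
    return email.strip().lower()


@dataclass(frozen=True)
class EmailChangeDecision:
    allowed: bool
    reason: str
    conflicting_user_id: Optional[str] = None


def check_email_change(users, user_id: str, new_email: str) -> EmailChangeDecision:
    """Decide whether `user_id` may change its address to `new_email`.

    The scan covers every user, not only those of the caller's tenant, because
    the application resolves the tenant from the user ID and a duplicate address
    anywhere in the directory would make that resolution ambiguous.
    """
    target = normalize_email(new_email)
    if not target or "@" not in target:
        return EmailChangeDecision(False, "malformed email")
    for user in users:
        if normalize_email(user["email"]) == target:
            if user["user_id"] == user_id:
                # Same user, same address (possibly only re-cased): nothing to block.
                return EmailChangeDecision(True, "no change")
            # Another account owns the address: refuse until accounts can be
            # merged or linked, and report which account conflicts.
            return EmailChangeDecision(False, "email already in use", user["user_id"])
    return EmailChangeDecision(True, "email is free")


# Constructed sample directory standing in for the migrated user store.
SAMPLE_USERS = [
    {"user_id": "auth0|u1", "email": "alice@example.com"},
    {"user_id": "auth0|u2", "email": "alice.tenant2@example.com"},
    {"user_id": "auth0|u3", "email": "bob@example.com"},
]

if __name__ == "__main__":
    print(check_email_change(SAMPLE_USERS, "auth0|u2", "Alice@Example.com"))
```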