Where to Store Tokens
Determining how users get signed up is important to address early, and the decisions you make here will influence many of the decisions you will need to make going forward. We’ve found there are a typical set of patterns for how users will get added to your system, and things to take note of when considering workflow design too.
Whilst Auth0 supports numerous workflows, web based workflows using Auth0 Universal Login for sign up are considered both industry and Auth0 best practice as they provide for optimal functionality and the best security.
Auth0 supports user sign up via a number of different identity providers. During sign up, Auth0 provisions the user profile so that it contains the user’s account information. There are a number of things to consider when looking at functionality and workflow:
Auth0 provides out-of-the-box identity storage that can be leveraged to store user credentials safely and securely. See Self Sign Up for more information. If you already have a legacy identity store and you want to offload the management of it, then the User Migration capabilities provide you with a number of options to do so.
Alternatively, if you have to maintain your legacy identity store - perhaps because you’ve got applications which you aren’t ready to migrate or which can’t be migrated - then you can use the identity store proxy capability. Allowing your customers to use “bring their own identity” is also an attractive proposition and though we find our customers don’t initially do so, you can use the Social Sign Up capability to provide it.
Regular web apps
In addition to hosting the User Profile, Auth0 also has the capability to both proxy your own legacy identity store and provide a secure Auth0 hosted replacement. Both of these capabilities are supported via the use of Auth0 Database Connections. If you decide to use Auth0 as a replacement for your legacy identity store then you can migrate users either all at once with Bulk Migration, or progressively with Automatic Migration.
Customers often opt for a two-stage approach to user migration, using Automatic Migration first to migrate as many users as possible, then using Bulk Migration for the users that remain. See User Migration Scenarios for more information.
Automatic Migration is preferred as it allows users to be migrated individually and also allows them to retain their existing password in almost all situations. For Bulk Migration, we recommend using the Management API over the User Import/Export extension in all but the most simple cases, as the Management API provides for greater flexibility and control.
With Bulk Migration users typically need to reset their password once migration is complete, unless passwords are stored hashed in your legacy identity store using bcrypt (or you can generate them in bcrypt form). In this case, you may be able to use bulk migration and preserve user passwords as part of the process, depending on the bcrypt algorithm and the number of salt rounds used. See Bulk Import Database Schema Examples for more information.
Identity store proxy
Auth0 Database Connection types can also be configured to proxy an existing (legacy) identity store. If you need to keep user identities defined in your own legacy store - for example, if you have one or more business critical applications that you can’t migrate to Auth0, but which still need access to these identities - then you can easily integrate with Auth0. See Authenticate Users Using Your Database for more information.
Self sign up
Self sign up leverages Auth0 Database Connections to store the user ID, password, and (optional) username identity information collected from new users during the sign up process. Database connection policies governing things such as minimum username length or password strength and complexity can be configured via the Auth0 Dashboard.
Auth0 Universal Login as well Auth0 widgets such as Lock integrate with Database Connections to provide comprehensive user interface functionality for sign up out-of-the-box. These UI artifacts are fully reactive, and with feature rich configuration and comprehensive customization, you can deploy functionality for user self sign up as well as login.
Don't store tokens in local storage
Project Planning Guide
We provide planning guidance in PDF format that you can download and refer to for details about our recommended strategies.