Migrate from Auth0 to Supabase Auth
Learn how to migrate your users from Auth0
You can migrate your users from Auth0 to Supabase Auth.
Changing authentication providers for a production app is an important operation. It can affect most aspects of your application. Prepare in advance by reading this guide, and develop a plan for handling the key migration steps and possible problems.
With advance planning, a smooth and safe Auth migration is possible.
Before you begin
Before beginning, consider the answers to the following questions. They will help you need decide if you need to migrate, and which strategy to use:
- How do Auth provider costs scale as your user base grows?
- Does the new Auth provider provide all needed features? (for example, OAuth, password logins, Security Assertion Markup Language (SAML), Multi-Factor Authentication (MFA))
- Is downtime acceptable during the migration?
- What is your timeline to migrate before terminating the old Auth provider?
Migration strategies
Depending on your evaluation, you may choose to go with one of the following strategies:
- Rolling migration
- One-off migration
Strategy | Advantages | Disadvantages |
---|---|---|
Rolling |
|
|
One-off |
|
|
Migration steps
Auth provider migrations require 2 main steps:
- Export your user data from the old provider (Auth0)
- Import the data into your new provider (Supabase Auth)
Step 1: Export your user data
Auth0 provides two methods for exporting user data:
- Use the Auth0 data export feature
- Use the Auth0 management API. This endpoint has a rate limit, so you may need to export your users in several batches.
To export password hashes and MFA factors, contact Auth0 support.
Step 2: Import your users into Supabase Auth
The steps for importing your users depends on the login methods that you support.
See the following sections for how to import users with:
Password-based methods
For users who sign in with passwords, we recommend a hybrid approach to reduce downtime:
- For new users, use Supabase Auth for sign up.
- Migrate existing users in a one-off migration.
Sign up new users
Sign up new users using Supabase Auth's signin methods.
Migrate existing users to Supabase Auth
Migrate existing users to Supabase Auth. This requires two main steps: first, check which users need to be migrated, then create their accounts using the Supabase admin endpoints.
-
Get your Auth 0 user export and password hash export lists.
-
Filter for users who use password login.
- Under the
identities
field in the user object, these users will haveauth0
as a provider. In the same identity object, you can find their Auth0user_id
. - Check that the user has a corresponding password hash by comapring their Auth0
user_id
to theoid
field in the password hash export.
- Under the
-
Use Supabase Auth's admin create user method to recreate the user in Supabase Auth. If the user has a confirmed email address or phone number, set
email_confirm
orphone_confirm
totrue
._10const { data, error } = await supabase.auth.admin.createUser({_10email: 'valid.email@supabase.io',_10password_hash: '$2y$10$a9pghn27d7m0ltXvlX8LiOowy7XfFw0hW0G80OjKYQ1jaoejaA7NC',_10email_confirm: true,_10})Supported password hashing algorithms
Supabase supports BCrypt and Argon2 password hashes.
If you have a plaintext password instead of a hash, you can provide that instead. Supabase Auth will handle hashing the password for you. (Passwords are always stored hashed.)
_10const { data, error } = await supabase.auth.admin.createUser({_10email: 'valid.email@supabase.io',_10password: 'supersecurepassword123!',_10}) -
To sign in your migrated users, use the Supabase Auth sign in methods.
To check for edge cases where users aren't successfully migrated, use a fallback strategy. This ensures that users can continue to sign in seamlessly:
- Try to sign in the user with Supabase Auth.
- If the signin fails, try to sign in with Auth0.
- If Auth0 signin succeeds, call the admin create user method again to create the user in Supabase Auth.
Passwordless methods
For passwordless signin via email or phone, check for users with verified email addresses or phone numbers. Create these users in Supabase Auth with email_confirm
or phone_confirm
set to true
:
_10const { data, error } = await supabase.auth.admin.createUser({_10 email: 'valid.email@supabase.io',_10 email_confirm: true,_10})
Check your Supabase Auth email configuration and configure your email template for use with magic links. See the Email templates guide to learn more.
Once you have imported your users, you can sign them in using the signInWithOtp
method.
OAuth
Configure your OAuth providers in Supabase by following the Social login guides.
For both new and existing users, sign in the user using the signInWithOAuth
method. This works without pre-migrating existing users, since the user always needs to sign in through the OAuth provider before being redirected to your service.
After the user has completed the OAuth flow successfully, you can check if the user is a new or existing user in Auth0 by mapping their social provider id to Auth0. Auth0 stores the social provider ID in the user ID, which has the format provider_name|provider_id
(for example, github|123456
). See the Auth0 identity docs to learn more.
Mapping between Auth0 and Supabase Auth
Each Auth provider has its own schema for tracking users and user information.
In Supabase Auth, your users are stored in your project's database under the auth
schema. Every user has an identity (unless the user is an anonymous user), which represents the signin method they can use with Supabase. This is represented by the auth.users
and auth.identities
table.
See the Users and Identities sections to learn more.
Mapping user metadata and custom claims
Supabase Auth provides 2 fields which you can use to map user-specific metadata from Auth0:
auth.users.raw_user_meta_data
: For storing non-sensitive user metadata that the user can update (e.g full name, age, favorite color).auth.users.raw_app_meta_data
: For storing non-sensitive user metadata that the user should not be able to update (e.g pricing plan, access control roles).
Both columns are accessible from the admin user methods. To create a user with custom metadata, you can use the following method:
_10const { data, error } = await supabase.auth.admin.createUser({_10 email: 'valid.email@supabase.io',_10 user_metadata: {_10 full_name: 'Foo Bar',_10 },_10 app_metadata: {_10 role: 'admin',_10 },_10})
These fields will be exposed in the user's access token JWT so it is recommended not to store excessive metadata in these fields.
These fields are stored as columns in the auth.users
table using the jsonb
type. Both fields can be updated by using the admin updateUserById
method. If you want to allow the user to update their own raw_user_meta_data
, you can use the updateUser
method.
If you have a lot of user-specific metadata to store, it is recommended to create your own table in a private schema that uses the user id as a foreign key:
_10create table private.user_metadata (_10 id int generated always as identity,_10 user_id uuid references auth.users(id) on delete cascade,_10 user_metadata jsonb_10);