Provisioning (B2C)
Determining how users get signed up is important to address early, and the decisions you make here will influence many of the decisions you will need to make going forward. We’ve found there are a typical set of patterns for how users will get added to your system, and things to take note of when considering workflow design too.
Best practice
While Auth0 supports numerous workflows, web based workflows using Auth0 Universal Login for sign up are considered both industry and Auth0 best practice as they provide for optimal functionality and the best security.
Auth0 supports user sign up via a number of different identity providers. During sign up, Auth0 provisions the user profile so that it contains the user’s account information. There are a number of things to consider when looking at functionality and workflow:
Should you use Auth0 as an identity store?
Can you use your own (legacy) identity store with Auth0?
How do you migrate user identities from your identity store to Auth0?
Can your users sign up using their existing social accounts such as Google and Facebook?
Auth0 provides out-of-the-box identity storage that can be leveraged to store user credentials safely and securely. See Self Sign Up for more information. If you already have a legacy identity store and you want to offload the management of it, then the User Migration capabilities provide you with a number of options to do so.
Alternatively, if you have to maintain your legacy identity store - perhaps because you’ve got applications which you aren’t ready to migrate or which can’t be migrated - then you can use the identity store proxy capability. Allowing your customers to use “bring their own identity” is also an attractive proposition and though we find our customers don’t initially do so, you can use the Social Sign Up capability to provide it.
Get Started with Auth0 Videos
Watch these two short videos Provision: Users Stores and Provision: Import Users to learn how user profiles are provisioned within an Auth0 tenant and how Auth0 allows you to move your existing users to an Auth0 user store.
User migration
In addition to hosting the User Profile, Auth0 also has the capability to both proxy your own legacy identity store and provide a secure Auth0 hosted replacement. Both of these capabilities are supported via the use of Auth0 Database Connections. If you decide to use Auth0 as a replacement for your legacy identity store then you can migrate users either all at once with bulk migration, or progressively with automatic migration.
Best Practice
Customers often opt for a two-stage approach to user migration, using Automatic Migration first to migrate as many users as possible, then using Bulk Migration for the users that remain. See User Migration Scenarios for more information.
Automatic Migration is preferred as it allows users to be migrated individually and also allows them to retain their existing password in almost all situations. For Bulk Migration, we recommend using the Management API over the User Import/Export extension in all but the most simple cases, as the Management API provides for greater flexibility and control.
With Bulk Migration users typically need to reset their password once migration is complete, unless passwords are stored hashed in your legacy identity store using bcrypt (or you can generate them in bcrypt form). In this case, you may be able to use bulk migration and preserve user passwords as part of the process, depending on the bcrypt algorithm and the number of salt rounds used. See Bulk Import Database Schema Examples for more information.
Best Practice
Calls to the Management API are subject to Auth0 Rate Limiting policy. You must take this into consideration, and to assist, Auth0 generally recommends use of the appropriate Auth0 SDK for your development environment rather than calling our APIs directly.
Identity store proxy
Auth0 Database Connection types can also be configured to proxy an existing (legacy) identity store. If you need to keep user identities defined in your own legacy store - for example, if you have one or more business critical applications that you can’t migrate to Auth0, but which still need access to these identities - then you can easily integrate with Auth0. See Authenticate Users Using Your Database for more information.
Self sign up
Self sign up leverages Auth0 Database Connections to store the user ID, password, and (optional) username identity information collected from new users during the sign up process. Database connection policies governing things such as minimum username length or password strength and complexity can be configured via the Auth0 Dashboard.
Best Practice
Auth0 Universal Login as well Auth0 widgets such as Lock integrate with Database Connections to provide comprehensive user interface functionality for sign up out-of-the-box. These UI artifacts are fully reactive, and with feature rich configuration and comprehensive customization, you can deploy functionality for user self sign up as well as login.
Social sign up
Social signup is synonymous with sign in via social authentication - there’s no distinction here *per se*, as user profile creation happens automatically upon first social login.
Project Planning Guide
We provide planning guidance in PDF format that you can download and refer to for details about our recommended strategies.
B2C IAM Project Planning Guide