We’re working on migrating authentication for our Meteor app to Auth0 - we’re trying to figure out the best way to do this, but there does not seem to be a canonical solution - there have been some posts and some experience reports, but (for us at least) the best approach remains unclear (I guess there are also different requirements, and technologies are changing, etc.).
Ideally, we would like to have a solution which does not require users to reset passwords, but we can live with one which does, as long as we have a way for users to understand that they need to do this, probably at login.
We looked into the password verification mechanisms both on the Auth0 end and the Meteor end - it seems they differ by a single SHA256 operation; Meteor performs this on the cleartext password before checking with bcrypt, but Auth0 does not. We can use the Auth0 Bulk Import functionality, and it does support importing bcrypt’d passwords, but because of the above SHA256 operation the standard Auth0 popup or ULP does not verify the password correctly (or, more accurately, the token that it tries to verify against was generated using a different process, and hence it correctly does not verify).
Auth0 does provide the migration solution in which multiple DBs are operating concurrently - this is one approach we could use, but it does seem a bit heavy-handed for what we want to do (which is just to import a modestly sized set of users and have their accounts recognized and managed by Meteor with minimal user friction).
If anyone has any thoughts on the best approach, we’d love to hear them…
Thanks in advance for any pointers,