
Smoothly migrate from Auth0 to WSO2 Identity Server with our blueprint 

Dinali Dabarera Integration Consultant

Migrating identity data from one platform to another can feel risky and complex—especially when users, passwords, and applications are involved. We came up with a solution that will make the transition from Auth0 to the latest release of WSO2 Identity Server secure, repeatable, minimally disruptive for users, and flexible enough to support multiple applications. 
In this blog post, we share the high-level strategy we designed and implemented for several of our customers. 

1. Organization or tenant migration from Auth0 

In WSO2 Identity Server (IS), organizations help to cleanly separate applications and users. This is similar to the hierarchical organization management in Auth0, so we can directly migrate organizations in Auth0 to WSO2 Identity Server organizations. 

In this process, we decided to have each Auth0 organization map to one of the organizations in WSO2 IS. This keeps user stores, application configurations, and authentication policies isolated, and makes future scaling or separation much easier. 

2. Migrating apps from Auth0 

For fewer than 5 applications, we can manually create applications in WSO2 IS with different client IDs and secrets. When we would like to migrate the exact client IDs and secrets from Auth0, we can use our Yenlo-created client to migrate all the apps from Auth0 via a JSON export. 

3. Migrating users from Auth0 

In Auth0 we can export user information in different ways: 

  • Critical data like password hashes can be exported as JSON, after a special request to Auth0 support 
  • Other user metadata can be exported as CSV from the Auth0 Portal 

These exports contain the essential identity attributes we need to recreate accounts inside WSO2 IS. At Yenlo, we have prepared a special client that can use these exported JSON and CSV files and generate the same set of users and passwords in WSO2 IS. 

To keep the data consistent during the migration, we do not allow new sign-ups, password resets, or any user profile updates in Auth0 or WSO2. 

Next, we add a new flag “isOAuth0User = true” as a system attribute in WSO2. This allows us to differentiate between two sets of users from different sources. This flag also becomes crucial for authentication logic later. 

WSO2 IS doesn’t support bcrypt at the moment, so it cannot store Auth0’s bcrypt hash directly. The users are therefore initially created with a temporary password, while the real hash remains safely stored in a temporary table. 

Once all users are migrated to WSO2 IS, the bcrypt hashes from the temporary table are copied into the WSO2 Userstore. No separate salt is stored for a bcrypt hash, because the salt is already built into the hash itself. 

At this point both users and Auth0 password hashes exist in WSO2, but WSO2 Identity Server still needs to understand how to authenticate them. 

This is where our other extension comes into the picture. 

A custom extension for seamless first login 

To provide a frictionless login experience, Yenlo has created an extension for the userstore that handles Auth0-migrated users intelligently. How it works during the login: 

Step 1 — Check for the Auth0 flag 

  • If isOAuth0User = false → WSO2 uses its normal authentication. 
  • If isOAuth0User = true → The system knows the user still has an Auth0 bcrypt hash. 

Step 2 — Validate using the Auth0 bcrypt hash 

The custom user store verifies the submitted password against the migrated bcrypt hash. If it validates correctly, the flow continues with the next step. 

Step 3 — Upgrade the password silently 

The correct password is immediately re-hashed using WSO2’s native hashing algorithm. The user’s WSO2 record is updated with the new hash and salt. 

Step 4 — Turn off the migration flag 

We set “https://wso2.org/claims/isOAuth0User = false” to signal that the user has fully transitioned, and future logins use the standard WSO2 authentication flow. From the user’s perspective, this entire process is invisible. They simply log in once, and the system handles the rest. 
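The four login steps above, as an added example that is not Yenlo's extension code. It assumes a hypothetical `UserRecord` model of one user-store row, PBKDF2-HMAC-SHA256 as a stand-in for WSO2's native hashing, and a legacy check that defaults to the third-party `bcrypt` package; the demo swaps in a constructed stub so it runs without that package.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional

PBKDF2_ITERATIONS = 600_000  # assumption: PBKDF2 stands in for WSO2's native hashing

@dataclass
class UserRecord:  # hypothetical model of one user-store row
    stored_hash: str        # bcrypt string while flagged, native hex digest afterwards
    salt: Optional[bytes]   # None while the bcrypt string (salt embedded) is stored
    is_oauth0_user: bool    # the isOAuth0User flag

def bcrypt_check(password: str, stored: str) -> bool:
    """Default legacy check; needs the third-party 'bcrypt' package."""
    import bcrypt  # imported lazily so the rest runs without it
    return bcrypt.checkpw(password.encode(), stored.encode())

def hash_native(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()

def authenticate(user: UserRecord, password: str,
                 legacy_check: Callable[[str, str], bool] = bcrypt_check) -> bool:
    # Step 1: unflagged users take the normal path.
    if not user.is_oauth0_user:
        if user.salt is None:
            return False
        return hmac.compare_digest(hash_native(password, user.salt), user.stored_hash)
    # Step 2: verify against the migrated bcrypt hash; on failure change nothing.
    if not legacy_check(password, user.stored_hash):
        return False
    # Step 3: re-hash the verified password with a fresh salt.
    new_salt = os.urandom(16)
    new_hash = hash_native(password, new_salt)
    # Step 4: store hash, salt and cleared flag together (one transaction in a real store).
    user.stored_hash, user.salt, user.is_oauth0_user = new_hash, new_salt, False
    return True

def demo() -> list:
    """Constructed sample: a stub legacy check replaces bcrypt so this runs offline."""
    stub = lambda pw, stored: hmac.compare_digest(stored, "stub$" + pw)
    user = UserRecord(stored_hash="stub$correct horse", salt=None, is_oauth0_user=True)
    results = [authenticate(user, "wrong guess", stub), user.is_oauth0_user]
    results += [authenticate(user, "correct horse", stub), user.is_oauth0_user]
    results.append(authenticate(user, "correct horse", stub))  # now the native path
    return results

if __name__ == "__main__":
    print(demo())
```

A failed first login leaves the record and the flag untouched, so the user can retry against the bcrypt hash; only a successful verification triggers the re-hash and clears the flag.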

Why this approach works 

✔ Zero downtime – Users can continue to use their existing passwords; the only exceptions are new password resets and new user creation. 
✔ No forced password resets – A major usability win—no mass reset campaigns. 
✔ Passwords remain secure – Plaintext passwords are never exposed. 
✔ Smooth migration path – Users seamlessly transition to the new hashing algorithm on first login. 
✔ Scalable – Each application / tenant can be migrated independently. 

Final thoughts 

Identity migration doesn’t have to be painful. By combining organizational mapping, a controlled import process via a dynamic client, temporary storage for password hashes, and a smart custom user-store extension, we were able to migrate users from Auth0 to WSO2 Identity Server securely, smoothly, and without interrupting their experience. 

If you’re planning a similar migration or want a deeper technical dive into any of the components, download our Integration solutions with WSO2 vendor summary or let’s talk.
