> Like how do you get the passwords into your system without forcing everyone to reset them?
Disclosure: I work for an auth provider, FusionAuth.
I've written a number of migration guides and some hosted auth providers allow you to export password hashes (usually through a support ticket/out of band process; it's sensitive data). Others do not.
Definitely worth asking. It's your data, you should be able to get it.
Here are the ones I know that allow you to get your hands on password hashes:
* Auth0 (you have to be on a paid plan)
* Firebase
* FusionAuth (my employer, you get the whole encrypted database export)
Here are the ones that don't:
* Amazon Cognito
* Azure AD B2C
Once you have the hashes, it's a matter of ensuring that you can implement the same hashing algorithm so that the same user password entered into both systems ends up creating the same hash. Not rocket science, but sometimes, depending on the intricacies of the algorithm, it can require a bit of spelunking. For instance, I was working on a Keycloak migration guide and while both systems use salted PBKDF2 with SHA-256, one used a 512-bit derived key and the other used a 256-bit derived key. I had to dig in a bit to figure that out.
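The derived-key-length mismatch described above, as an added example in Python (not code from the comment or from any of the providers named; the record shape, salt, iteration count and password are constructed sample values). It shows that a hash imported with the wrong `dklen` never verifies, and that the 256-bit key is the leading 32 bytes of the 512-bit key from the same inputs, which is a quick way to confirm two exports differ only in derived-key length:

```python
import hashlib
import hmac

# Constructed sample export parameters (not taken from any real system).
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ITERATIONS = 27500
PASSWORD = "correct horse battery staple"


def pbkdf2_sha256(password: str, salt: bytes, iterations: int, dklen_bits: int) -> bytes:
    """PBKDF2-HMAC-SHA256; the derived key length must match the exporting system."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=dklen_bits // 8)


def make_record(password: str, dklen_bits: int) -> dict:
    """Build a record in the shape an export might use (assumed shape for this example)."""
    return {"algorithm": "pbkdf2-sha256", "salt": SALT, "iterations": ITERATIONS,
            "dklen_bits": dklen_bits,
            "hash": pbkdf2_sha256(password, SALT, ITERATIONS, dklen_bits)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    candidate = pbkdf2_sha256(password, record["salt"], record["iterations"],
                              record["dklen_bits"])
    return hmac.compare_digest(candidate, record["hash"])


def verify_with_assumed_dklen(password: str, record: dict, assumed_bits: int) -> bool:
    """Simulate an importing system that guessed the derived-key length instead of
    reading it from the export; compare_digest returns False on a length mismatch."""
    candidate = pbkdf2_sha256(password, record["salt"], record["iterations"], assumed_bits)
    return hmac.compare_digest(candidate, record["hash"])


def is_prefix_of(short: dict, long: dict) -> bool:
    """PBKDF2 concatenates independently computed 32-byte blocks (for SHA-256), so the
    256-bit key is exactly the first 32 bytes of the 512-bit key derived from the same
    password, salt and iteration count. Handy when diagnosing two differing exports."""
    return long["hash"].startswith(short["hash"])


if __name__ == "__main__":
    r256 = make_record(PASSWORD, 256)
    r512 = make_record(PASSWORD, 512)
    print(verify(PASSWORD, r256), verify(PASSWORD, r512))
    print(verify_with_assumed_dklen(PASSWORD, r512, 256))
    print(is_prefix_of(r256, r512))
```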