Auth0 as a Hub federation source — migration overlay
Federate Hub to an existing Auth0 tenant during a migration window. Customers stay logged in via Auth0; Hub takes over gradually.
- auth0
- oidc
- idp
- migration
Tested against: hub: 1.0.0, auth0: 2026 Q1
What this enables
The customer's Auth0 tenant becomes a federation source for Hub during a migration. Users keep logging in through Auth0; Hub-minted tokens are the new source of truth for downstream apps. When the migration completes, the federation member is decommissioned.
This pairs with /en/alternatives/auth0 — the customer reads the alternatives page, books a migration conversation, and this is the technical handoff.
Prereqs
- Auth0 tenant URL (https://YOUR-TENANT.auth0.com)
- Auth0 admin access to register a regular web application
Step 1 — In Auth0
Applications → Create → Regular Web Application. Configure:
| Field | Value |
|---|---|
| Allowed Callback URLs | https://hub.thoryn.org/login/oauth2/code/auth0 |
| Allowed Logout URLs | https://hub.thoryn.org/logout |
| Grant Types | Authorization Code, Refresh Token |
Note the Client ID and Client Secret.
Step 2 — In Thoryn
```yaml
id: auth0-as-source
name: "Auth0 — migration overlay"
type: oidc
issuer: https://YOUR-TENANT.auth0.com/
client_id: ${AUTH0_CLIENT_ID}
client_secret: ${AUTH0_CLIENT_SECRET}
scopes:
  - openid
  - email
  - profile
claim_mappings:
  sub: sub
  email: email
  given_name: given_name
  family_name: family_name
# Optional — mark this member as transitional
metadata:
  migration_phase: "active"
  decommission_after: "2026-12-31"
```
Step 3 — Migration phases
- Phase 1 — Federate: Auth0 stays the user-facing IdP; Hub federates to it. Apps switch to Hub for tokens. Auth0 still owns the user database.
- Phase 2 — Dual-write: New users register through Hub directly (passwords / passkeys hosted in Hub); existing Auth0 users keep using Auth0 federation. Hub is the user-facing IdP for new sign-ups.
- Phase 3 — Decommission: Migrate the remaining Auth0 user records into Hub (passwords are hashed; users do a password reset on first Hub login). Federation member retired.
Troubleshooting
- Custom Auth0 Rules / Actions: claims that come from Auth0 Rules need to be reconfigured in Hub's claim-enrichment layer, or they disappear during the migration.
- MFA continuity: Auth0's MFA enrollments don't migrate. Plan a cutover when users re-enrol MFA at the Hub layer.
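An added example, not part of the Hub or Auth0 documentation, for the Rules / Actions item above: it decodes an ID token issued by the Auth0 tenant and lists the claims that have no entry in claim_mappings, on the assumption that only mapped claims carry through Hub. The sample token, the namespaced claim `https://example.com/roles`, and the function names are constructed for illustration.

```python
import base64
import json

# Source-side claim names from claim_mappings in the Step 2 member definition.
MAPPED_SOURCE_CLAIMS = {"sub", "email", "given_name", "family_name"}

# Claims OIDC uses for token validation and session handling, not user attributes.
PROTOCOL_CLAIMS = {"iss", "aud", "exp", "iat", "nbf", "nonce", "azp",
                   "auth_time", "acr", "amr", "at_hash", "c_hash", "sid"}


def jwt_payload(token):
    """Decode a compact JWT's payload WITHOUT verifying the signature.

    Inventory use only: never base an authentication decision on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audit_claims(payload, mapped=MAPPED_SOURCE_CLAIMS):
    """Report claims that have no mapping and mapped claims the token lacks."""
    user_claims = set(payload) - PROTOCOL_CLAIMS
    return {"unmapped": sorted(user_claims - mapped),
            "absent": sorted(mapped - set(payload))}


def _segment(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: an ID token as an Auth0 Action might shape it, with one
# namespaced custom claim. The signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"iss": "https://YOUR-TENANT.auth0.com/", "aud": "constructed-client",
              "sub": "auth0|constructed-user", "exp": 1900000000, "iat": 1899990000,
              "email": "user@example.com", "email_verified": True,
              "given_name": "Sam",
              "https://example.com/roles": ["billing-admin"]}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(json.dumps(audit_claims(jwt_payload(SAMPLE_TOKEN)), indent=2))
```

Run it over tokens from a representative set of users before Phase 1 goes live: every name under `unmapped` that a downstream app reads needs a mapping or an enrichment rule, and every name under `absent` is a mapped claim the tenant is not emitting.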
See also
- hub-in-auth0 — the inverse direction (Hub inside an existing Auth0 tenant as a Custom OIDC connection). Pick that one when Auth0 stays long-term.
- /alternatives/auth0 — buyer-facing comparison
- Hub — How it works