Hello ! At our company we use ory for new projects but we are thinking about migrating to ory for extisting projet (currently on auth0). I saw migrations guides, but I'm wondering about something. Currently we store the auth "sub" claim in our databases, when we migrate the "sub" will change. So our users data will not match the sub anymore. Do you have documentation about how to migrate when existing sub are stored ? We have hundreds of application so we would like a way that doesn't need to update the existing databases

Do you need to fetch users by sub, or only find the sub per user?

It is more "give me user with sub xyz", when we receive the oidc token, we look in our db to find the user associated with a given sub. For example for a todo app, we receive user "sub" in the token, we have a user table (one per app) where we search the sub to get an user id, then we query the todo items with the user id.

If you were to migrate to Ory, you would not receive the OIDC token anymore though (unless you want to keep that part and use OAuth2). Either way what you get is the Ory Identity including metadata where you can store the "old" sub during migration. In the OAuth2 case you would just add this metadata as a separate claim in the token, or look up the identity by ID (will be in the sub claim). We always recommend to not use OAuth2 for first-party cases.

Thanks a lot !!