Just-in-time migration / pre-authentication action
Hello, I'm trying to figure out options for migrating an existing system to Zitadel. I came up with this guide https://zitadel.com/docs/guides/migrate/introduction#just-in-time-migration telling to create a pre-authentication action in order to get user info from the old system.
However I can't find this type of actions either in my local zitadel instance or in the documentation (only post-authentication, pre-creation and post-creation).
Am I missing something?
Thanks!
ZITADEL Docs
This section of guides shows you how to migrate from your current auth system to ZITADEL.
6 Replies
Hey! We're facing the same issue. Any guidance here?
I am not sure, but i actually think this is a mistake in the docs. And it should be pre creation
Could you try it with the pre creation, and let me know if that works?
Thanks for your reply! I've created different action types locally to log outputs in the console, and I believe the post-authentication action might be the one I'm looking for.
To clarify my use case:
- All users are currently stored in a legacy system that uses a custom encrypted password algorithm.
- I can migrate users to Zitadel using the Zitadel API, but I cannot set their existing passwords during the migration.
To ensure a seamless migration for end-users, my plan is to:
1. Mark migrated users by adding a metadata field (
2. Implement a post-authentication action: - When a user tries to sign-in, check if
- If so, call the legacy system's API to validate the email/password combination.
- If authentication is successful, update the user’s password in Zitadel and remove the
Would this approach work with Zitadel actions, particularly post-authentication?
"legacy_auth_required": true). This signals Zitadel to verify the password using the legacy system.2. Implement a post-authentication action: - When a user tries to sign-in, check if
legacy_auth_required is true.- If so, call the legacy system's API to validate the email/password combination.
- If authentication is successful, update the user’s password in Zitadel and remove the
legacy_auth_required metadata.Would this approach work with Zitadel actions, particularly post-authentication?
Oh, well we missed the mark for our JIT deployment deadline at this point, just going to do a full migration during a maintenance window instead now. Don't really have the bandwidth to try to impliment a JIT migration that we won't actually use now. Thanks for following up though.
thanks for the feedback
@fabienne how can I "retrieve" the input password field from the post authentication action JavaScript parameters? I can't find this info in the documentation... Maybe it won't be possible?