8

I'm breaking out our authentication logic to a separate OIDC server. It's technically pretty straightforward, but just the thought of moving all those users and making sure that the communication between the system and the auth server works properly makes me shiver...

Comments
  • 1
    You can always set it up while having the legacy system still in place. Just need to sync the users/sessions for a while.
  • 0
    @hjk101 Yeah, though that "just" isn't really "just"...
  • 0
    @ScriptCoded compared to setting up the separate Auth service it's not that much. You probably need to script the migration from A to B (at least the users) so you have that anyway.

    Now you can test the new system with real data. Perhaps let your organisation members use the new method.

    If you also develop B to A (again at least the users) you can always revert back.

    Together with the big rollout (switch all applications to use the new Auth system for everything) you probably want to log/alert all attempts of using the old method. This way you can leave the original user base intact and still see subsystems you missed in the switch.

    Never going to say it's super easy but doable.
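
The log/alert step suggested in the comment above, as an added example that is not part of the original thread: it scans access logs for requests that still hit the old login endpoints after cutover and groups them by calling subsystem. The log format, the `client=` field, the endpoint paths and the cutover date are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed values: the legacy login paths, the cutover time and the log
# format are hypothetical and must be adapted to the real system.
LEGACY_AUTH_PATHS = ("/legacy/login", "/api/v1/session")
CUTOVER = datetime(2024, 3, 1, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-02-28T09:00:00+00:00 client=billing "POST /legacy/login" 200
2024-03-02T10:15:00+00:00 client=web-frontend "GET /oidc/authorize" 302
2024-03-02T10:16:00+00:00 client=report-cron "POST /legacy/login" 200
2024-03-02T11:00:00+00:00 client=report-cron "POST /legacy/login?next=/r" 200
2024-03-03T08:30:00+00:00 client=old-mobile-app "POST /api/v1/session" 401
this line is malformed and must be skipped
"""

def legacy_auth_usage(log_text, cutover=CUTOVER):
    """Return per-client counts of legacy auth requests seen at or after cutover."""
    usage = defaultdict(lambda: {"count": 0, "failures": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"])
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if ts < cutover or path not in LEGACY_AUTH_PATHS:
            continue
        entry = usage[m["client"]]
        entry["count"] += 1
        entry["failures"] += m["status"] in ("401", "403")
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(usage)

def alerts(usage):
    """One alert line per client still using the legacy method, busiest first."""
    ranked = sorted(usage.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"legacy auth still used by {c}: {u['count']} attempts, last {u['last'].isoformat()}"
            for c, u in ranked]

if __name__ == "__main__":
    print("\n".join(alerts(legacy_auth_usage(SAMPLE_LOG))))
```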