Using the upload APIs
Next, use the uploadAccount API to bulk upload to Identity Toolkit all user accounts that were created before the dual-write started. If you currently support federated login with some IDPs, you will also need to upload these users with the uploadAccount API and then use the setAccountInfo API to include the IDP information for each user. Since you will not have an IdToken for the user, you will call the setAccountInfo API with the service account you created when configuring the Identity Toolkit service.
- Note: The uploadAccount and setAccountInfo APIs are most easily accessed by using the libraries bundled with the per-language quick-start apps. Usage of the Java/Python/PHP/etc. wrapper functions is explained in the README in each library's directory.
Carefully rolling out Identity Toolkit
Now that both databases are in sync and should be kept in sync by the dual write for new users, you should build an authentication proxy to Identity Toolkit for all of your users while maintaining your old login user interface. Currently, your code accepts the username and password, hashes the password and validates the hash against the user’s entry in your database. You will want to modify this sequence so that before you perform the local hash on the password, you use the verifyPassword API to authenticate via Identity Toolkit.
You can even run the Identity Toolkit auth proxy in parallel with your legacy authentication logic and rely on the Identity Toolkit result for a fraction of your users until you’ve gained confidence that everything is working properly. Be sure to log the results of both paths completely. Also, it is critical to deploy the auth proxy feature so that all auth requests that come from web or mobile get routed to the Identity Toolkit backend for password verification. Proxy logic should fall back to local verification if Identity Toolkit verification fails.
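A sketch of the parallel rollout described above, added here as an example and not taken from the Identity Toolkit libraries. The names remote_verify, local_verify, RemoteAuthError and in_rollout are hypothetical: remote_verify stands in for whatever wrapper you use to call verifyPassword, and the example assumes "verification fails" means the call itself errored, in which case the local verdict is used.

```python
import hashlib
import logging

log = logging.getLogger("auth_proxy")


class RemoteAuthError(Exception):
    """Hypothetical: raised by the remote verifier when the call itself fails."""


def in_rollout(username, percent):
    """Stable bucketing: the same user always lands in the same 0-99 bucket."""
    digest = hashlib.sha256(username.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100 < percent


def authenticate(username, password, remote_verify, local_verify, percent):
    """Run both paths, log both verdicts, return (accepted, source).

    remote_verify and local_verify are callables (username, password) -> bool.
    remote_verify is a stand-in for a verifyPassword wrapper (assumption).
    """
    # Remote check runs first, before the local hash comparison.
    try:
        remote = remote_verify(username, password)
    except RemoteAuthError as exc:
        remote = None  # no verdict available, fall back to local below
        log.warning("remote error user=%r err=%s", username, exc)

    local = local_verify(username, password)

    # Log verdicts only, never the password or its hash.
    log.info("auth user=%r remote=%s local=%s", username, remote, local)
    if remote is not None and remote != local:
        # Disagreement means the two user stores have drifted apart.
        log.error("auth mismatch user=%r remote=%s local=%s",
                  username, remote, local)

    # Trust the remote verdict only for the rollout fraction of users.
    if remote is not None and in_rollout(username, percent):
        return remote, "remote"
    return local, "local"  # outside the rollout, or remote unavailable
```

Raise percent step by step as the mismatch log stays empty; because bucketing is keyed on the username, a given user does not flip between paths from one login to the next.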