How to Migrate from Auth0 to Keycloak
OSSAlt Team
Auth0's pricing climbs fast once you need SSO, MFA, or more than the free tier's 7,500 MAU. Keycloak is the enterprise-grade open source alternative — OIDC, SAML, LDAP, MFA, and more. Here's how to migrate.
Step 1: Deploy Keycloak
docker run -p 8080:8080 \
  -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
  -e KC_BOOTSTRAP_ADMIN_PASSWORD=changeme \
  -e KC_DB=postgres \
  -e KC_DB_URL=jdbc:postgresql://db:5432/keycloak \
  -e KC_DB_USERNAME=keycloak \
  -e KC_DB_PASSWORD=secret \
  quay.io/keycloak/keycloak:latest start
For production, use Docker Compose with PostgreSQL and a reverse proxy.
Step 2: Create Realm and Client
- Log in to Keycloak Admin Console
- Create a Realm (e.g., "production")
- Create a Client for your application:
  - Client ID: my-app
  - Client Protocol: openid-connect
  - Root URL: https://myapp.com
  - Valid Redirect URIs: https://myapp.com/callback
- Note the client secret
Step 3: Export Auth0 Users
# Use Auth0 Management API
curl -X GET "https://YOUR_DOMAIN.auth0.com/api/v2/users?per_page=100&page=0" \
  -H "Authorization: Bearer YOUR_MGMT_TOKEN" \
  > auth0-users.json
For large user bases, use Auth0's Export Job:
curl -X POST "https://YOUR_DOMAIN.auth0.com/api/v2/jobs/users-exports" \
  -H "Authorization: Bearer YOUR_MGMT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"format": "json"}'
Step 4: Import Users to Keycloak
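# Python script to import users via Keycloak Admin API
import json
import requests

KEYCLOAK_URL = "https://keycloak.yourdomain.com"
REALM = "production"

# Load the users exported from Auth0 in Step 3
with open("auth0-users.json") as f:
    auth0_users = json.load(f)

# Get admin token. Assumption: the client is confidential and has a service
# account with user-management rights; load the real secret from the
# environment or a secret store rather than hard-coding it.
resp = requests.post(
    f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token",
    data={
        "grant_type": "client_credentials",
        "client_id": "admin-cli",
        "client_secret": "admin-secret",
    },
    timeout=30,
)
resp.raise_for_status()
token = resp.json()["access_token"]

# Import users
for user in auth0_users:
    resp = requests.post(
        f"{KEYCLOAK_URL}/admin/realms/{REALM}/users",
        headers={"Authorization": f"Bearer {token}"},
        json={
            "username": user["email"],
            "email": user["email"],
            "emailVerified": user.get("email_verified", False),
            # Accounts blocked in Auth0 stay disabled in Keycloak
            "enabled": not user.get("blocked", False),
            "firstName": user.get("given_name", ""),
            "lastName": user.get("family_name", ""),
            "requiredActions": ["UPDATE_PASSWORD"],
        },
        timeout=30,
    )
    # Keycloak answers 201 Created on success; report anything else
    if resp.status_code != 201:
        print(f"Failed to import {user['email']}: {resp.status_code} {resp.text}")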
Users will need to set new passwords (or use magic link/social login).
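A pre-import pass over the Step 3 export, added here as an example (not OSSAlt's or Keycloak's code): it keeps blocked accounts disabled, skips the password reset for social-only users, and holds records with missing or colliding emails for manual review. The `auth0_user_id` attribute name and the sample records are assumptions.

```python
# Added example: map Auth0 export records to Keycloak user payloads.

def to_keycloak_user(u):
    """Return (payload, None), or (None, reason) when the record needs review."""
    email = (u.get("email") or "").strip().lower()
    if not email:
        return None, "no email"
    providers = {i.get("provider") for i in u.get("identities", [])}
    has_password = "auth0" in providers  # "auth0" marks a database connection
    return {
        "username": email,
        "email": email,
        # Only an explicit true counts; never upgrade an unverified address
        "emailVerified": u.get("email_verified") is True,
        # Accounts blocked in Auth0 stay disabled in Keycloak
        "enabled": not u.get("blocked", False),
        "firstName": u.get("given_name", ""),
        "lastName": u.get("family_name", ""),
        # Keep the original ID for audit and rollback (attribute name is assumed)
        "attributes": {"auth0_user_id": [u.get("user_id", "")]},
        # Social-only users never had a password to replace
        "requiredActions": ["UPDATE_PASSWORD"] if has_password else [],
    }, None

def plan_import(users):
    """Split an export into payloads to POST and (user_id, reason) pairs to review."""
    ready, review, by_email = [], [], {}
    for u in users:
        payload, reason = to_keycloak_user(u)
        if payload is None:
            review.append((u.get("user_id"), reason))
        else:
            by_email.setdefault(payload["email"], []).append(payload)
    for group in by_email.values():
        if len(group) == 1:
            ready.append(group[0])
        else:  # distinct Auth0 accounts sharing an address: never merge silently
            review += [(p["attributes"]["auth0_user_id"][0], "duplicate email") for p in group]
    return ready, review

# Constructed sample records, not real export data
SAMPLE = [
    {"user_id": "auth0|a1", "email": "Ann@Example.com", "email_verified": True,
     "identities": [{"provider": "auth0"}]},
    {"user_id": "google-oauth2|g2", "email": "bob@example.com", "email_verified": True,
     "blocked": True, "identities": [{"provider": "google-oauth2"}]},
    {"user_id": "auth0|c3", "email": "ann@example.com", "identities": [{"provider": "auth0"}]},
    {"user_id": "sms|d4", "phone_number": "+15550100", "identities": [{"provider": "sms"}]},
]
```

Feed the `ready` list to the import loop in place of the raw export, and resolve the `review` list by hand before cutover.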
Step 5: Configure Social Login
| Auth0 Connection | Keycloak Setup |
|---|---|
| Google | Identity Providers → Google |
| GitHub | Identity Providers → GitHub |
| Apple | Identity Providers → Apple |
| Facebook | Identity Providers → Facebook |
| SAML enterprise | Identity Providers → SAML |
For each: create an OAuth app on the provider, then add its Client ID and Secret in Keycloak.
Step 6: Update Application Code
Before (Auth0):
import { Auth0Client } from '@auth0/auth0-spa-js';

const auth0 = new Auth0Client({
  domain: 'your-tenant.auth0.com',
  clientId: 'YOUR_CLIENT_ID',
});

await auth0.loginWithRedirect();
After (Keycloak — using OIDC):
import Keycloak from 'keycloak-js';

const keycloak = new Keycloak({
  url: 'https://keycloak.yourdomain.com',
  realm: 'production',
  clientId: 'my-app',
});

await keycloak.init({ onLoad: 'login-required' });
Or use any OIDC library (Keycloak is standard OIDC):
// next-auth example
import KeycloakProvider from "next-auth/providers/keycloak";

export const authOptions = {
  providers: [
    KeycloakProvider({
      clientId: "my-app",
      clientSecret: "secret",
      issuer: "https://keycloak.yourdomain.com/realms/production",
    }),
  ],
};
Step 7: Set Up MFA
- Authentication → Flows → Browser
- Add OTP Form step after username/password
- Or add WebAuthn for passkey support
- Configure as Required or Conditional
Cost Comparison
| MAU | Auth0 | Keycloak Self-Hosted | Savings |
|---|---|---|---|
| 7,500 | Free | $20/month (VPS) | N/A |
| 10,000 | $228/month | $30/month | $2,376/year |
| 50,000 | $800+/month | $50/month | $9,000/year |
| Enterprise (SSO) | $1,500+/month | $80/month | $17,040/year |
Migration Timeline
| Week | Task |
|---|---|
| Week 1 | Deploy Keycloak, configure realm, import users |
| Week 2 | Set up social login, MFA, update app code |
| Week 3 | Testing, QA, parallel login support |
| Week 4 | Cutover, sunset Auth0 |