Migrating from Auth0

This guide walks you through migrating from Auth0 to Skycloak, including users, applications, and authentication flows.

Why Migrate to Skycloak?

  • Cost Savings: Transparent pricing without per-MAU charges
  • Open Source: Built on Keycloak, avoiding vendor lock-in
  • Full Control: Complete access to all features and configurations
  • Better Performance: Dedicated clusters for your workload
  • EU Data Residency: Available for compliance requirements

Migration Overview

The migration process involves:

  1. Setting up your Skycloak cluster
  2. Migrating applications and configurations
  3. Exporting and importing users
  4. Updating your application code
  5. Testing and verification
  6. Switching over production traffic

Estimated Timeline: 2-5 days depending on complexity

Step 1: Prepare Your Skycloak Environment

Create Your Cluster

  1. Sign up for Skycloak
  2. Create a production cluster:
    • Choose a location close to your users
    • Select appropriate size based on your Auth0 usage
    • Enable high availability for production

Configure Basic Settings

Match your Auth0 tenant settings:

# Realm Settings
Login Theme: Match Auth0 Universal Login
Token Lifespan:
  Access Token: 300s (5 minutes)
  Refresh Token: 2592000s (30 days)
Session Idle: 1800s (30 minutes)

Step 2: Migrate Applications

Map Auth0 Applications to Keycloak Clients

Auth0                    | Keycloak            | Notes
-------------------------|---------------------|------------------------
Single Page Application  | Public Client       | Enable PKCE
Regular Web Application  | Confidential Client | Uses client secret
Machine to Machine       | Service Account     | Client credentials flow
Native Application       | Public Client       | Mobile/desktop apps

Export Auth0 Application Settings

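Use the Auth0 Management API to export your application settings. The response can include each application's client_secret when the token carries the read:client_keys scope, so treat auth0-apps.json as a secret: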

# Get all applications
curl -X GET "https://YOUR_DOMAIN.auth0.com/api/v2/clients" \
  -H "Authorization: Bearer YOUR_MGMT_TOKEN" > auth0-apps.json

Create Keycloak Clients

For each Auth0 application, create a Keycloak client:

// Example: SPA Migration
const auth0App = {
  name: 'My React App',
  app_type: 'spa',
  callbacks: ['http://localhost:3000/callback'],
  allowed_origins: ['http://localhost:3000'],
  allowed_logout_urls: ['http://localhost:3000'],
};

// Keycloak equivalent
const keycloakClient = {
  clientId: 'my-react-app',
  name: 'My React App',
  publicClient: true,
  redirectUris: ['http://localhost:3000/callback'],
  webOrigins: ['http://localhost:3000'],
  attributes: {
    'pkce.code.challenge.method': 'S256',
  },
};

Step 3: Migrate Users

Export Users from Auth0

Use the Auth0 export extension or the Management API:

# Export users (paginated)
curl -X GET "https://YOUR_DOMAIN.auth0.com/api/v2/users?per_page=100&page=0" \
  -H "Authorization: Bearer YOUR_MGMT_TOKEN" > users-page-0.json

Transform User Data

Map Auth0 user structure to Keycloak format:

function transformUser(auth0User) {
  return {
    username: auth0User.email || auth0User.user_id,
    email: auth0User.email,
    emailVerified: auth0User.email_verified,
    enabled: !auth0User.blocked,
    firstName: auth0User.given_name,
    lastName: auth0User.family_name,
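    attributes: {
      // Preserve custom attributes. user_metadata is user-editable, so spread it
      // first: the migration's own keys below must win on a name collision.
      ...auth0User.user_metadata,
      auth0_user_id: auth0User.user_id,
      picture: auth0User.picture,
    },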
    credentials: [
      {
        type: 'password',
        temporary: false,
        // Password migration handled separately
      },
    ],
  };
}
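The attribute mapping above copies user_metadata as-is; the sketch below, an added example that is not part of Skycloak's toolkit, normalizes it into the list-of-strings shape of Keycloak's user representation and keeps user-editable metadata from setting the attributes the migration owns (this page later maps auth0_user_id to the sub claim). The function name, the reserved set, the key pattern and the sample record are assumptions.

```javascript
// Attributes the migration itself writes; user-editable metadata must not set them.
const RESERVED = new Set(['auth0_user_id', 'picture']);
// Assumed key policy (adjust to your realm); the leading letter also excludes __proto__.
const KEY_PATTERN = /^[A-Za-z][A-Za-z0-9_.-]{0,63}$/;

function toKeycloakAttributes(auth0User) {
  const attributes = {};
  const dropped = [];
  for (const [key, value] of Object.entries(auth0User.user_metadata ?? {})) {
    if (RESERVED.has(key) || !KEY_PATTERN.test(key)) {
      dropped.push(key); // report these instead of importing them silently
      continue;
    }
    if (value === null || value === undefined) continue;
    // Keycloak stores each attribute as a list of strings; nested objects become JSON text.
    const values = Array.isArray(value) ? value : [value];
    attributes[key] = values.map((v) => (typeof v === 'object' ? JSON.stringify(v) : String(v)));
  }
  // Migration-owned keys are written last, from trusted fields only.
  attributes.auth0_user_id = [String(auth0User.user_id)];
  if (auth0User.picture) attributes.picture = [String(auth0User.picture)];
  return { attributes, dropped };
}

// Constructed sample record, not real data.
const SAMPLE_USER = {
  user_id: 'auth0|constructed-123',
  picture: 'https://cdn.example/avatar.png',
  user_metadata: {
    auth0_user_id: 'auth0|someone-else', // collides with a migration-owned key
    plan: 'pro',
    tags: ['beta', 'eu'],
    prefs: { theme: 'dark' },
    'bad key!': 1,
    nickname: null,
  },
};

console.log(toKeycloakAttributes(SAMPLE_USER));
```

Log the dropped keys per user during the import run so collisions are reviewed rather than lost.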

Import Users to Keycloak

Use the Keycloak Admin API:

const axios = require('axios');

async function importUsers(users, accessToken) {
  const keycloakUrl = 'https://your-cluster-id.app.skycloak.io/admin/realms/master/users';

  for (const user of users) {
    try {
      await axios.post(keycloakUrl, user, {
        headers: {
          Authorization: `Bearer ${accessToken}`,
          'Content-Type': 'application/json',
        },
      });
      console.log(`Imported user: ${user.email}`);
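    } catch (error) {
      // error.response is undefined for network-level failures, so fall back to the message
      console.error(`Failed to import ${user.email}:`, error.response?.data ?? error.message);
    }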
  }
}

Password Migration Strategies

Option 1: Reset All Passwords

  • Simplest approach
  • Send password reset emails to all users
  • Good for smaller user bases

Option 2: Lazy Migration

  • Keep Auth0 active temporarily
  • Migrate passwords on first login
  • Implement custom authenticator in Keycloak

Option 3: Bulk Password Migration

  • If you have password hashes
  • Implement custom password hash provider
  • Seamless user experience

Step 4: Update Application Code

Before (Auth0)

// React with Auth0
import { Auth0Provider, useAuth0 } from '@auth0/auth0-react';

<Auth0Provider
  domain="YOUR_DOMAIN.auth0.com"
  clientId="YOUR_CLIENT_ID"
  redirectUri={window.location.origin}
>
  <App />
</Auth0Provider>;

// Using auth
const { loginWithRedirect, logout, user, isAuthenticated } = useAuth0();

After (Skycloak/Keycloak)

// React with Keycloak
import { AuthProvider, useAuth } from 'react-oidc-context';

const oidcConfig = {
  authority: 'https://your-cluster-id.app.skycloak.io/realms/master',
  client_id: 'your-client-id',
  redirect_uri: window.location.origin,
  scope: 'openid profile email',
};

<AuthProvider {...oidcConfig}>
  <App />
</AuthProvider>;

// Using auth
const { signinRedirect, signoutRedirect, user, isAuthenticated } = useAuth();

API Updates

Update your backend to validate Keycloak tokens:

// Before: Auth0
const { auth } = require('express-oauth2-jwt-bearer');
const checkJwt = auth({
  audience: 'YOUR_API_IDENTIFIER',
  issuerBaseURL: 'https://YOUR_DOMAIN.auth0.com/',
});

// After: Keycloak
const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: 'https://your-cluster-id.app.skycloak.io/realms/master/protocol/openid-connect/certs',
  }),
  audience: 'your-client-id',
  issuer: 'https://your-cluster-id.app.skycloak.io/realms/master',
  algorithms: ['RS256'],
});

Step 5: Migrate Auth0 Features

Universal Login → Keycloak Theme

  1. Export Auth0 Universal Login customizations
  2. Create custom Keycloak theme
  3. Apply branding in Skycloak dashboard

Auth0 Rules → Keycloak Authenticators

Auth0 Feature | Keycloak Equivalent
--------------|-----------------------------------------------
Rules         | Authentication Scripts / Custom Authenticators
Hooks         | Event Listeners
Actions       | Authentication Flow Steps
Connections   | Identity Providers

Social Connections

Configure social providers in Keycloak:

Google:
  Client ID: your-google-client-id
  Client Secret: your-google-secret

GitHub:
  Client ID: your-github-client-id
  Client Secret: your-github-secret

Step 6: Testing & Verification

Test Checklist

  • User login with existing credentials
  • Social login providers
  • Password reset flow
  • MFA/2FA if enabled
  • API authentication
  • User profile updates
  • Admin operations

Parallel Testing

Run both systems in parallel:

  1. Update applications to support both providers
  2. Use feature flags to control routing
  3. Gradually migrate traffic
  4. Monitor error rates

// Feature flag approach
const authProvider = featureFlags.useKeycloak ? keycloakConfig : auth0Config;
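While both providers run in parallel, an API covered by the "API Updates" section has to accept tokens from either issuer without letting one issuer's key vouch for the other. The following is an added example, not Skycloak's or Auth0's code: locally generated key pairs stand in for each provider's JWKS, and the audience `my-api` and all function names are assumptions.

```javascript
const crypto = require('node:crypto');
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Helper for the constructed tokens below: sign a compact RS256 JWT.
function signJwt(payload, privateKey) {
  const input = `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// trusted: Map of issuer -> { publicKey, audience }, a fixed allowlist.
function verifyToken(token, trusted, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, ...rest] = token.split('.');
  if (!h || !p || !s || rest.length) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('algorithm not allowed');
  // The unverified iss only selects an allowlist entry; it never builds a key URL.
  const entry = trusted.get(payload.iss);
  if (!entry) throw new Error('untrusted issuer');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), entry.publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (![].concat(payload.aud ?? []).includes(entry.audience)) throw new Error('wrong audience');
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  return payload;
}

// Constructed demo: each case returns 'accepted' or the rejection reason.
function demo() {
  const kc = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const a0 = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const KC = 'https://your-cluster-id.app.skycloak.io/realms/master';
  const A0 = 'https://YOUR_DOMAIN.auth0.com/';
  const trusted = new Map([
    [KC, { publicKey: kc.publicKey, audience: 'my-api' }], // 'my-api' is hypothetical
    [A0, { publicKey: a0.publicKey, audience: 'YOUR_API_IDENTIFIER' }],
  ]);
  const exp = Math.floor(Date.now() / 1000) + 300;
  const outcome = (claims, key) => {
    try { verifyToken(signJwt(claims, key), trusted); return 'accepted'; } catch (e) { return e.message; }
  };
  return {
    keycloak: outcome({ iss: KC, aud: ['my-api', 'account'], exp }, kc.privateKey),
    auth0: outcome({ iss: A0, aud: 'YOUR_API_IDENTIFIER', exp }, a0.privateKey),
    wrongKey: outcome({ iss: KC, aud: 'my-api', exp }, a0.privateKey),
    noApiAudience: outcome({ iss: KC, aud: 'account', exp }, kc.privateKey),
    unknownIssuer: outcome({ iss: 'https://other.example/', aud: 'my-api', exp }, kc.privateKey),
  };
}
console.log(demo());
```

The `noApiAudience` case models a Keycloak token issued without an audience mapper for the API (an assumption about your realm); if your tokens look like that, add the mapper rather than relaxing the audience check.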

Step 7: Production Cutover

Pre-Cutover Checklist

  • All users migrated
  • Applications updated and tested
  • DNS entries prepared
  • Monitoring configured
  • Rollback plan ready

Cutover Steps

  1. Enable maintenance mode (optional)
  2. Final user sync from Auth0
  3. Update DNS/configuration to point to Keycloak
  4. Monitor closely for first 24 hours
  5. Keep Auth0 data for 30 days as backup

Post-Migration

  • Monitor authentication metrics
  • Gather user feedback
  • Optimize performance
  • Document new processes

Common Issues & Solutions

Issue: Different Token Claims

Solution: Map Auth0 claims to Keycloak:

// Add protocol mapper in Keycloak
{
  name: "auth0_user_id",
  protocol: "openid-connect",
  protocolMapper: "oidc-usermodel-attribute-mapper",
  config: {
    "user.attribute": "auth0_user_id",
    "claim.name": "sub",
    "jsonType.label": "String"
  }
}

Issue: CORS Errors

Solution: Configure proper web origins in Keycloak client settings

Issue: Session Timeout Differences

Solution: Adjust Keycloak session settings to match Auth0 behavior

Migration Tools & Scripts

We provide migration scripts to help:

# Clone migration toolkit
git clone https://github.com/skycloak/auth0-migration-toolkit
cd auth0-migration-toolkit

# Configure credentials
cp .env.example .env
# Edit .env with your Auth0 and Skycloak details

# Run migration
npm install
npm run migrate:users
npm run migrate:applications

Next Steps

After successful migration:

  1. Configure custom branding
  2. Set up monitoring
  3. Implement advanced features
  4. Optimize performance

Welcome to Skycloak! 🎉