Identity Providers Compared — Auth0, Okta, Keycloak, and WSO2 IS
At some point, every engineering team faces the same question: “How do we handle authentication?” And the right answer, almost always, is: don’t build it yourself.
Rolling your own auth means implementing password hashing, session management, MFA, token issuance, token validation, key rotation, brute force protection, account lockout, password reset flows, social login integrations, SAML support, OIDC support, SCIM provisioning, and a hundred other things you haven’t thought of yet. Get any one of them wrong, and you have a security vulnerability.
That’s why Identity Providers (IdPs) exist. They handle all of this so you can focus on building your actual product.
But which one? The market has several strong options, each with different trade-offs. In this post, we’ll compare four of the most popular: Auth0, Okta, Keycloak, and WSO2 Identity Server.
The Contenders
Auth0 (Now Part of Okta)
Auth0 was founded in 2013 with a developer-first philosophy. It was acquired by Okta in 2021 but continues to operate as a separate product. Auth0 is known for its excellent documentation, quick setup, and generous free tier.
Architecture: Multi-tenant SaaS. Your identity infrastructure runs on Auth0’s cloud. Private cloud deployments are available for enterprise customers.
Okta
Okta is the enterprise heavyweight. Founded in 2009, it’s the most widely deployed workforce identity platform. If a Fortune 500 company uses SSO, there’s a good chance it’s Okta.
Architecture: Multi-tenant SaaS. Enterprise-focused with deep integrations into corporate IT ecosystems (Active Directory, HR systems, MDM).
Keycloak
Keycloak is an open-source IdP backed by Red Hat. It runs on Java (originally WildFly, now Quarkus) and is fully self-hosted. If you want complete control over your identity infrastructure without vendor lock-in, Keycloak is the go-to.
Architecture: Self-hosted Java application. Runs in containers (Docker/Kubernetes), on VMs, or bare metal. You manage everything.
WSO2 Identity Server
WSO2 IS is an open-source, enterprise-grade IAM platform. It’s built in Java and offers both self-hosted and managed (Asgardeo) options. It’s particularly strong in API security, adaptive authentication, and enterprise integration scenarios.
Architecture: Self-hosted Java application. Also available as Asgardeo — WSO2’s managed identity-as-a-service platform.
Protocol Support
| Protocol | Auth0 | Okta | Keycloak | WSO2 IS |
|---|---|---|---|---|
| OAuth 2.0 | Yes | Yes | Yes | Yes |
| OpenID Connect | Yes | Yes | Yes | Yes |
| SAML 2.0 | Yes | Yes | Yes | Yes |
| SCIM 2.0 | Yes | Yes | Yes (plugin) | Yes |
| LDAP | Yes (connector) | Yes (AD agent) | Yes (federation) | Yes (native user store) |
| WS-Federation | Yes | Yes | Limited | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes | Yes |
| XACML | No | No | Limited | Yes (native engine) |
WSO2 IS stands out here with its native XACML policy engine for fine-grained, attribute-based access control. If you need ABAC beyond what RBAC can offer, WSO2’s built-in entitlement engine is a significant differentiator.
Authentication Features
Local Authentication
All four support username/password authentication with configurable password policies (complexity, history, expiration, lockout).
Social Login
| Provider | Auth0 | Okta | Keycloak | WSO2 IS |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | |
| Yes | Yes | Yes | Yes | |
| GitHub | Yes | Yes | Yes | Yes |
| Apple | Yes | Yes | Yes | Yes |
| Custom OAuth/OIDC | Yes | Yes | Yes | Yes |
| Setup effort | Minutes (pre-built) | Minutes | Manual config | Manual config |
Auth0 has the edge here — social connections are literally click-to-enable with pre-built integrations. Keycloak and WSO2 IS require more manual configuration.
Multi-Factor Authentication
| MFA Method | Auth0 | Okta | Keycloak | WSO2 IS |
|---|---|---|---|---|
| TOTP | Yes | Yes | Yes | Yes |
| SMS OTP | Yes | Yes | Via plugin | Yes |
| Push notifications | Yes (Guardian app) | Yes (Okta Verify) | No | No |
| Hardware keys (FIDO2) | Yes | Yes | Yes | Yes |
| Email OTP | Yes | Yes | Via plugin | Yes |
Adaptive Authentication
This is where it gets interesting. Adaptive authentication adjusts the authentication flow based on risk signals — device, location, IP reputation, user behavior.
Auth0: Uses Actions (Node.js functions) in the login pipeline:
exports.onExecutePostLogin = async (event, api) => {
if (event.request.geoip.countryCode !== event.user.app_metadata.usual_country) {
api.multifactor.enable('any', { allowRememberBrowser: false });
}
};
Okta: Uses Sign-On Policies with conditions (network zone, device trust, group membership). Configuration is primarily UI-driven.
Keycloak: Supports custom authenticators via SPIs (Service Provider Interfaces) in Java. Powerful but requires Java development.
WSO2 IS: Uses Adaptive Authentication Scripts — JavaScript-based logic that runs during the authentication flow:
var onLoginRequest = function(context) {
executeStep(1, {
onSuccess: function(context) {
var user = context.currentKnownSubject;
var loginIP = context.request.ip;
// Step up authentication for unknown IPs
if (!isWithinAllowedIPRange(loginIP)) {
executeStep(2); // Trigger TOTP
}
// Step up for admin users
if (hasRole(user, 'admin')) {
executeStep(2);
}
}
});
};
WSO2’s approach is one of the most flexible — it’s essentially a programmable authentication pipeline with access to user context, risk signals, and conditional logic.
User Management and Provisioning
| Capability | Auth0 | Okta | Keycloak | WSO2 IS |
|---|---|---|---|---|
| Built-in user store | Yes | Yes | Yes | Yes |
| LDAP/AD integration | Yes (connector) | Yes (AD agent) | Yes (federation) | Yes (native LDAP user store) |
| SCIM provisioning | Yes | Yes | Via plugin | Yes |
| Self-registration | Yes | Yes | Yes | Yes |
| Password reset | Yes | Yes | Yes | Yes |
| User import/export | Yes (Management API) | Yes | Yes | Yes |
WSO2 IS has a unique advantage here — it can use an external LDAP/AD as its primary user store rather than requiring users to be imported. This means you can point WSO2 IS at your existing Active Directory, and it works immediately without migration. Keycloak supports federated user storage but it’s more complex to configure.
Extensibility and Customization
This is where the platforms diverge significantly.
Auth0:
- Actions — Node.js functions that run at specific points in the auth pipeline (post-login, pre-registration, etc.)
- Custom DB Connections — Write Node.js scripts to authenticate against your own database
- Rules (deprecated, replaced by Actions)
- Developer experience: Excellent. Fast iteration, great docs.
Okta:
- Event Hooks — HTTP callbacks triggered by Okta events
- Inline Hooks — Modify Okta’s behavior by calling your external API during the flow
- Okta Expression Language — For dynamic attribute mapping
- Developer experience: Good for simple cases, but limited for complex customization.
Keycloak:
- SPIs (Service Provider Interfaces) — Write custom authenticators, user storage providers, protocol mappers in Java
- Themes — Customize login pages with FreeMarker templates
- Developer experience: Very powerful, but requires Java development and deployment.
WSO2 IS:
- Adaptive Authentication Scripts — JavaScript-based authentication logic
- Custom Connectors — Java-based federated authenticators
- XACML Policies — Fine-grained authorization rules
- Developer experience: Strong for enterprise use cases. Java expertise required for deep customization.
Login Page Customization
| Platform | Approach | Effort |
|---|---|---|
| Auth0 | Universal Login (hosted), Lock widget, or fully custom | Low — good defaults, easy to customize |
| Okta | Okta-hosted or Sign-In Widget (embeddable) | Low-Medium |
| Keycloak | FreeMarker themes | Medium — template-based, requires frontend work |
| WSO2 IS | JSP-based themes, React-based MyAccount portal | Medium-High |
Pricing and Licensing
This is often the deciding factor.
| Platform | Free Tier | Pricing Model | Open Source? |
|---|---|---|---|
| Auth0 | 7,500 MAU, unlimited logins | Per MAU (monthly active user) | No |
| Okta | Developer tier (limited) | Per user/month (workforce), per MAU (customer) | No |
| Keycloak | Unlimited (self-hosted) | Free — you pay for infrastructure | Yes (Apache 2.0) |
| WSO2 IS | Unlimited (self-hosted) | Free — commercial support available | Yes (Apache 2.0) |
Hidden costs to consider:
- Keycloak/WSO2 IS (self-hosted): Free software, but you pay for servers, monitoring, upgrades, security patches, high availability setup, and operational expertise. A production Keycloak cluster needs at least 2-3 nodes, a database (PostgreSQL), load balancing, and someone who knows how to manage it.
- Auth0/Okta: You pay per user, but infrastructure, upgrades, and security are handled for you. At scale (100K+ users), costs can become significant.
Rough cost comparison at 50,000 MAU:
| Platform | Approximate Monthly Cost |
|---|---|
| Auth0 | $500-$1,500 (depending on plan) |
| Okta | $1,000-$3,000 (depending on features) |
| Keycloak | $200-$500 (infrastructure only) |
| WSO2 IS | $200-$500 (infrastructure only, or Asgardeo pricing for managed) |
Security Features
| Feature | Auth0 | Okta | Keycloak | WSO2 IS |
|---|---|---|---|---|
| Brute force protection | Yes | Yes | Yes | Yes |
| Bot detection | Yes (paid) | Yes | Limited | Limited |
| Breached password detection | Yes | Yes | No | No |
| Anomaly detection | Yes | Yes (ThreatInsight) | No | Limited |
| Audit logging | Yes | Yes | Yes | Yes |
| Token revocation | Yes | Yes | Yes | Yes |
| Account lockout | Yes | Yes | Yes | Yes |
| IP-based blocking | Yes | Yes | Manual | Yes |
When to Choose What
Here’s a decision guide:
Starting a new project with a small team?
└── Auth0 — Fast setup, generous free tier, great DX
Enterprise with budget and compliance needs?
└── Okta — Deep enterprise features, compliance certs, vendor support
Want full control and have DevOps capacity?
└── Keycloak — Free, self-hosted, no vendor lock-in
Need advanced IAM + API security + XACML?
└── WSO2 IS — Enterprise-grade, open-source, strong authorization engine
Need managed + open-source?
└── WSO2 Asgardeo or Auth0
More specifically:
-
Startup building a SaaS product — Auth0. You’ll be up and running in an afternoon. The free tier covers you until you have revenue. Focus on your product, not auth.
-
Enterprise migrating to cloud — Okta. It integrates with everything enterprises use (AD, SCIM, HRIS). The compliance certifications (SOC 2, ISO 27001, FedRAMP) are already done.
-
Team that values control and has Java expertise — Keycloak. No licensing costs, no vendor lock-in, full source code access. But you own the operations.
-
Organization needing fine-grained authorization (ABAC/XACML) + strong federation — WSO2 IS. The native XACML engine and adaptive authentication scripts give you capabilities the others don’t have out of the box.
-
Government or regulated industry — Consider self-hosted options (Keycloak, WSO2 IS) for data sovereignty, or Auth0/Okta private cloud for managed compliance.
The Big Comparison Table
| Aspect | Auth0 | Okta | Keycloak | WSO2 IS |
|---|---|---|---|---|
| Type | Managed SaaS | Managed SaaS | Self-hosted | Self-hosted (+ Asgardeo) |
| Open Source | No | No | Yes | Yes |
| Primary Language | N/A (SaaS) | N/A (SaaS) | Java | Java |
| OAuth/OIDC | Excellent | Excellent | Good | Good |
| SAML | Good | Excellent | Good | Excellent |
| SCIM | Yes | Yes | Plugin | Yes |
| XACML | No | No | Limited | Yes (native) |
| Adaptive Auth | Actions (JS) | Policies (UI) | SPIs (Java) | Scripts (JS) |
| Social Login | 30+ pre-built | 15+ pre-built | Manual config | Manual config |
| MFA | TOTP, SMS, Push, FIDO2 | TOTP, SMS, Push, FIDO2 | TOTP, FIDO2 | TOTP, SMS, FIDO2 |
| Free Tier | 7,500 MAU | Limited dev | Unlimited | Unlimited |
| Setup Time | Minutes | Hours | Hours-Days | Hours-Days |
| Operational Burden | None | None | High | High |
| Best For | Developers, SaaS | Enterprise workforce | Self-hosted control | Enterprise IAM + API security |
Migration Considerations
Switching IdPs is painful. Plan for it.
The hard parts:
- Password hashes — If users authenticate with passwords, you need to migrate the hashes. Auth0 and Okta support importing bcrypt hashes. Keycloak and WSO2 IS depend on the user store format. If hashes are incompatible, users will need to reset passwords.
- Social connections — OAuth tokens from social providers are bound to a specific client_id. You’ll need to re-register your app with each social provider.
- SAML/OIDC configurations — Every SP/RP integration needs to be reconfigured with the new IdP’s metadata/endpoints.
- Custom logic — Auth0 Actions don’t translate to Keycloak SPIs. You’re rewriting, not migrating.
- User IDs — If your application stores the IdP’s user ID (
subclaim), and the new IdP generates different IDs, you need a mapping strategy.
Migration strategies:
- Big bang — Switch everything at once. Risky but fastest.
- Gradual — Run both IdPs in parallel. Route new users to the new IdP, migrate existing users in batches. More complex but lower risk.
- Lazy migration — On each login, authenticate against the old IdP, create the user in the new IdP, and issue new tokens. Over time, all active users are migrated.
The best time to think about migration is before you choose an IdP — by using standard protocols (OIDC, SAML) and avoiding deep vendor-specific features where possible.
Final Thoughts
There’s no universally “best” Identity Provider. The right choice depends on your team, your budget, your compliance requirements, and how much operational burden you’re willing to take on.
If I had to give a default recommendation:
- Start with Auth0 if you need to move fast and don’t have dedicated IAM expertise
- Move to Keycloak or WSO2 IS when you need more control, have the ops capacity, or the costs of a managed solution become prohibitive
- Use Okta if your organization is enterprise-first and needs deep AD/HR integration
Whatever you choose, stick to standard protocols (OIDC, SAML, OAuth), implement proper token handling, and get your authentication fundamentals right. The IdP is a tool — the security comes from how you use it.
Stay secure!
