Migrate from Keycloak to Faable Auth
Short answer: Migrating from self-hosted Keycloak to Faable Auth removes the servers, upgrades, and database you currently operate, while keeping the same OAuth 2.0 / OpenID Connect standards. You map each Keycloak realm to a Faable Account, your Keycloak clients to Faable Clients, and your identity providers to Faable Connections, then export your users and import them into Faable. The motivation is almost always the same: stop operating identity infrastructure while staying 100% in Europe under GDPR — Faable Auth is fully managed, so there is nothing to patch, scale, or back up.
Concept mapping
| Keycloak | Faable Auth | Notes |
|---|---|---|
| Realm | Account | Your isolated identity boundary |
| Client | Client | SPA, native, regular web, or M2M |
| Identity Provider (social/OIDC/SAML) | Connection | social, oidc categories |
| User federation (LDAP/AD) | OIDC/enterprise Connection | Connect via standard protocols |
| Authentication SPI (Java) | Actions | Custom in-flow logic, no Java/SPI to maintain |
| Admin REST API | Management API | Called with client credentials |
| Self-hosted servers + DB | Fully managed | No infrastructure for you to run |
Migration steps
- Create your Account in the Faable Dashboard and note your issuer URL.
- Map realms to accounts. Each Keycloak realm becomes a Faable Account; if you ran one realm per customer, model those as teams/accounts.
- Recreate Connections. Translate each Keycloak Identity Provider into a Faable Connection (social or generic OIDC), reusing upstream client credentials.
- Recreate Clients with the same redirect URIs, web origins, and flow types.
- Replace SPIs with Actions. Move custom authenticator SPIs to Actions — JavaScript in the flow instead of compiled Java extensions.
- Export and import users. Use Keycloak’s export (realm-export / Admin REST API) to extract users and credentials, then import into Faable. Password hashes can be carried over so users don’t reset.
- Decommission your Keycloak deployment once traffic is on Faable — and reclaim the operational time you spent running it.
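Before recreating Clients and importing users, it helps to inventory what the Keycloak export actually contains. The Python script below is an added example, not Faable's or Keycloak's own tooling: the sample export is constructed, the field names follow Keycloak's realm export JSON, and the client-type heuristic is an assumption.

```python
import json
from collections import Counter

# Constructed sample shaped like a Keycloak realm export; not real data.
SAMPLE_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "web-spa", "publicClient": True, "standardFlowEnabled": True,
         "redirectUris": ["https://app.example.com/callback"],
         "webOrigins": ["https://app.example.com"]},
        {"clientId": "legacy", "standardFlowEnabled": True, "implicitFlowEnabled": True,
         "redirectUris": ["https://old.example.com/*"], "webOrigins": ["*"]},
        {"clientId": "billing-job", "serviceAccountsEnabled": True,
         "standardFlowEnabled": False, "redirectUris": []},
    ],
    "users": [
        {"username": "alice", "credentials": [{"type": "password", "credentialData":
            json.dumps({"algorithm": "pbkdf2-sha256", "hashIterations": 27500})}]},
        {"username": "bob", "credentials": []},  # e.g. social-login only
    ],
})

def client_kind(c):
    # Heuristic (assumption) mapping Keycloak flags to the page's client types.
    if c.get("serviceAccountsEnabled") and not c.get("standardFlowEnabled"):
        return "m2m"
    return "spa-or-native" if c.get("publicClient") else "regular-web"

def inventory(export_json):
    realm = json.loads(export_json)
    clients, findings, hashes = {}, [], Counter()
    for c in realm.get("clients", []):
        cid = c["clientId"]
        clients[cid] = client_kind(c)
        # Wildcard redirect URIs / origins should be reviewed, not copied blindly.
        for uri in c.get("redirectUris", []) + c.get("webOrigins", []):
            if "*" in uri:
                findings.append((cid, "wildcard", uri))
        if c.get("implicitFlowEnabled"):
            findings.append((cid, "implicit-flow", ""))
    for u in realm.get("users", []):
        pw = [k for k in u.get("credentials", []) if k.get("type") == "password"]
        if not pw:
            hashes["no-password"] += 1
            continue
        # Newer exports nest the algorithm in credentialData; older ones keep it top-level.
        data = json.loads(pw[0].get("credentialData") or "{}")
        hashes[data.get("algorithm") or pw[0].get("algorithm", "unknown")] += 1
    return clients, findings, dict(hashes)

if __name__ == "__main__":
    for part in inventory(SAMPLE_EXPORT):
        print(part)
```

Treat the export file itself as sensitive, since it contains the password hashes being carried over. The hash-algorithm count shows which users can keep their passwords and which have no password credential to migrate.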
What you stop maintaining
- Server provisioning, JVM tuning, and clustering
- Database backups, migrations, and version upgrades
- Security patching of the Keycloak runtime
- High-availability and scaling for login spikes
Related
- Faable Auth vs Auth0, Clerk & Keycloak
- What is a multi-tenant identity server?
- Get Started with Faable Auth · Connections
Last updated on