DEV Community

Cover image for Stop Paying for Authentication: Migrate from Clerk & Google OAuth to Open Source
Mayur Pawar
Mayur Pawar

Posted on

Stop Paying for Authentication: Migrate from Clerk & Google OAuth to Open Source

Authentication is one of the first things developers add to an application. Today, many teams use services like Google OAuth, Clerk, Auth0, or Firebase Authentication because they are easy to integrate and handle most of the security for you.

But what happens if you want complete control over your authentication system? Maybe you want to avoid vendor lock-in, reduce costs, or host everything yourself.

The good news is that you don't need to build authentication from scratch. You can replace managed authentication platforms with open source identity providers that offer the same core features.

In this article, we'll understand how Google OAuth and Clerk work, and how we can replace them with open source implementations in simple words.


How Authentication Works Today

Let's imagine a user wants to log into your application.

google oauth or clerk sigin flow

Here's what happens behind the scenes:

  1. The user clicks Sign in.
  2. Google or Clerk displays the login page.
  3. The user enters their credentials.
  4. The authentication provider verifies them.
  5. A JWT (JSON Web Token) is generated.
  6. The frontend sends this token with every API request.
  7. The backend verifies the token before allowing access.

Notice something important:

Your backend never checks the user's password.

Google or Clerk does that for you.

The Problem

Managed authentication services are great, but they come with trade-offs.

  • Monthly subscription costs
  • Vendor lock-in
  • Limited customization
  • Your authentication depends on a third-party service
  • Less control over user management

As your application grows, you might want to host authentication yourself.

The Idea Behind Replacing Them

Many developers think they need to rebuild OAuth.

You don't.

OAuth is a standard.

What you're actually replacing is the Identity Provider.

Instead of asking Google or Clerk to verify users, you'll run your own authentication server.

That's it.

The New Architecture

Instead of this:

normal flow

You'll have:

keycloak sigin flow

The flow stays almost exactly the same.

Only the service performing authentication changes.

Which Open Source Tools Can Replace Clerk?

Some popular options are:

  • Keycloak
  • Authentik
  • Ory Kratos
  • Zitadel
  • SuperTokens Community Edition

Among these, Keycloak is one of the most mature and widely used solutions.

It already supports:

  • OAuth 2.0
  • OpenID Connect
  • JWT Tokens
  • User Management
  • Role-Based Access Control
  • Multi-Factor Authentication
  • Social Login
  • Single Sign-On (SSO)

Step 1: Deploy Your Authentication Server

Install an authentication server like Keycloak.

Instead of relying on Google, Keycloak becomes responsible for:

  • Managing users
  • Managing passwords
  • Creating sessions
  • Generating JWT tokens
  • Handling login and logout

Think of it as your own private version of Google Login.

Step 2: Store Users Yourself

Instead of Google storing user accounts, your authentication server stores them.

User data flow

Passwords are never stored as plain text.

They are securely hashed using algorithms like bcrypt or Argon2.

Step 3: User Logs In

The user enters:

  • Email
  • Password

The frontend sends these credentials to Keycloak.

Keycloak checks the credentials.

If they're correct, it generates a JWT token.

Step 4: Return the JWT

Keycloak sends a JWT token back to the frontend.

The frontend stores it securely.

Now the user is authenticated.

Step 5: Call Protected APIs

Whenever the frontend calls your backend, it includes the JWT.

GET /profile

Authorization: Bearer <JWT_TOKEN>
Enter fullscreen mode Exit fullscreen mode

Step 6: Verify the Token

The backend checks whether the JWT is valid.

If it is valid:

  • Allow the request.

If it is invalid:

  • Return 401 Unauthorized.

This is exactly how Google OAuth and Clerk work.

The only difference is that your own server issued the token.

Before vs After

Before

After

Nothing changes for your backend except who issues the token.


Migration Steps

If you're moving away from Clerk or Google OAuth, your migration looks like this:

  1. Deploy Keycloak (or another open source identity provider).
  2. Create your application (client) inside Keycloak.
  3. Configure login, registration, and roles.
  4. Update the frontend to authenticate with Keycloak.
  5. Update the backend to verify JWTs issued by Keycloak.
  6. Test login, logout, and protected routes.
  7. Remove Clerk or Google OAuth from your application.

Benefits of Self-Hosted Authentication

  • No vendor lock-in
  • Lower long-term costs
  • Full control over user data
  • Custom authentication workflows
  • Support for OAuth 2.0 and OpenID Connect
  • Enterprise-ready features like SSO, MFA, and RBAC

Challenges

Self-hosting also comes with responsibilities.

  • You must maintain the authentication server.
  • You need to install security updates.
  • You are responsible for backups and monitoring.
  • Initial setup takes more effort than using a managed service.

For small projects, managed authentication may still be the better choice.

For larger applications or organizations that need complete control, open source identity providers can be an excellent solution.

Final Thoughts

Replacing Google OAuth or Clerk doesn't mean replacing OAuth itself.

You're simply replacing the service that proves a user's identity.

Instead of trusting a third-party provider, you run your own identity server while continuing to use industry standards like OAuth 2.0, OpenID Connect, and JWT.

The overall login flow remains almost identical, but you gain full ownership of your authentication infrastructure.

If you're building products that require flexibility, customization, or long-term control, open source authentication is definitely worth exploring.

Top comments (0)