Honestly, properly configuring, maintaining and scaling Keycloak is an absolute pain in my experience. Keycloak does not come close to the ease of use of Okta and Auth0 imho.
Can you please elaborate on the issues you are seeing?
I just got started, but so far my experience setting Keycloak up has been the best I've experienced for an open source project in a while. I was up and running within a few hours.
Got a simple JS app working, and was able to secure all my existing services by integrating with my ingress controller.
Recently moved away from Keycloak (which I think overall is a great piece of software but was just a PITA for our use case) and my observations:
* Zero-downtime deployments don't really work. They kinda-sorta do but it was too clunky for us to do it effectively during periods when we had significant traffic. Not generally an issue if you are just using out-of-the-box components but if you are deploying custom components (Storage providers, authenticators, etc) then it doesn't work that well.
* It uses an in-memory distributed cache for authentication sessions so if your instance goes down (or you need to shut it down for a major version upgrade) then everyone is logged out. It also seems to have a lot of trouble scaling out to more than ~8 nodes. At the minimum you have to do a lot of tuning of Infinispan parameters to get it to work at scale.
* Configuration is kind of a pain because it has to be done through the UI. There is a REST API but it is really hard to work with if you want to do something like deploy a change to an authentication flow configuration. So forget about managing your configs in source control (and prepare for the inevitable issues that happen when configs aren't properly updated with deployment because someone fat-fingers something in the configuration UI).
* There is a LOT of stuff that is hard-coded in the core Keycloak engine that makes customization impossible short of modifying the actual Keycloak source itself and running your own build (not recommended!).
* One small thing that nonetheless drove me crazy is that Keycloak injects a JS snippet into rendered templates to munge the browser history and has no way for you to insert a nonce in the script tag, so setting up CSP headers was way harder than it should have been.
All that said, it was more that Keycloak was not the right tool for our use case (an always-on user-facing identity provider) but if you just need a basic login/registration screen and are fine using Keycloak's built-in components (with maybe just some theming) then it works great.