This is a great question.
It’s a good idea to go straight for OpenID Connect, using a third party to store users and their passwords. If you go this route, you’ll need to choose an identity provider, such as AWS Cognito, Auth0, Google, OneLogin, Okta and others. If you want something on-premise, Keycloak is a good choice.
If you do this, your Clojure application will need to support the OAuth2 client functionality to integrate with the identity provider. Specifically, you’ll have to write a callback that will code the logic for exchanging the OAuth2 code for the identity token containing the user’s details. There is some Ring middleware that might help you here: https://github.com/weavejester/ring-oauth2
You’ll also need to create a session for users, and store session identifiers in a browser cookie. This can get quite involved.
Note that if you do decide on AWS Cognito, there’s an option to integrate with AWS Application Load Balancer; you should read this: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html. The benefit is that ALB will perform this code exchange on your behalf, and will even do the cookie/session management, forwarding you the user’s details in custom HTTP request headers.
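
The callback and session step described above, written as a plain Ring handler. This is an added example, not part of the original answer and not ring-oauth2's code. It assumes Ring's `wrap-params` and `wrap-session` are applied, that the login route stored `::state` and `::nonce` in the session, and that `exchange-code` is a hypothetical caller-supplied function.

```clojure
(ns example.oidc-callback
  (:import (java.security MessageDigest)))

(defn- secure=
  "Constant-time string comparison, so the state check leaks no timing."
  [^String a ^String b]
  (boolean (and a b (MessageDigest/isEqual (.getBytes a "UTF-8")
                                           (.getBytes b "UTF-8")))))

(defn callback-handler
  "Ring handler for the redirect URI. `exchange-code` (hypothetical, supplied
  by the caller) sends the code to the token endpoint, verifies the ID token
  (signature, iss, aud, exp, nonce) and returns its claims, or nil."
  [exchange-code]
  (fn [{:keys [query-params session]}]
    (let [{code "code" state "state" error "error"} query-params]
      (cond
        ;; The provider reported a failure, or the user declined.
        error
        {:status 400 :session nil :body "Login failed"}

        ;; The state must match the value stored when the login started;
        ;; this is what stops a forged callback from logging someone in.
        (or (nil? code) (not (secure= state (::state session))))
        {:status 400 :session nil :body "Invalid state"}

        :else
        (if-let [claims (exchange-code code (::nonce session))]
          ;; Drop the pre-login session (state and nonce are single use) and
          ;; have wrap-session issue a new session id for the logged-in user.
          {:status  302
           :headers {"Location" "/"}
           :session (with-meta {:identity (select-keys claims ["sub" "email"])}
                      {:recreate true})}
          {:status 401 :session nil :body "Token exchange failed"})))))

;; Constructed sample data: a stub exchange and two callback requests.
(defn demo []
  (let [handler (callback-handler
                 (fn [code nonce]
                   (when (= code "good-code")
                     {"sub" "user-123" "email" "a@example.test" "nonce" nonce})))
        session {::state "s3cr3t-state" ::nonce "n-1"}
        request (fn [state] {:query-params {"code" "good-code" "state" state}
                             :session      session})]
    {:matching-state (:status (handler (request "s3cr3t-state")))
     :forged-state   (:status (handler (request "attacker-state")))}))
```

When wiring this up, give `wrap-session` the option `:cookie-attrs {:http-only true :secure true :same-site :lax}`; `:strict` would withhold the session cookie on the redirect back from the identity provider, so the state check would always fail.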