Skip to main content

Keycloak

gitlab

Official Github Repository

Keycloak is a robust and highly configurable Open Source Identity and Access Management (IAM) solution, developed by Red Hat (originally by the JBoss community). It aims to simplify application and service security, allowing developers to focus on business logic instead of reimplementing complex authentication and authorization mechanisms.

What is Identity and Access Management (IAM)?​

Before diving into Keycloak, it's crucial to understand the IAM concept. IAM is the framework of policies and technologies that ensures:

  1. Correct identities: Users, services, or devices are who they claim to be (authentication). This is Keycloak's primary function, ensuring who the user is.
  2. Appropriate access: These identities have the proper permissions to access specific resources (authorization).
  3. Efficient management: Identities and their access are managed centrally and securely throughout their lifecycle.

So, Keycloak sits on the authentication line with authorization capability β€” but it's not an IAM manager.

Important concepts to keep in mind:

  • Workforce IAM (Identity and Access Management for the Workforce):
    • Who are the users? Employees, contractors, business partners – basically, anyone who needs access to your company's internal systems to do their job.
    • What do they access? Internal applications, HR systems, corporate email, VPN, development tools, and also SaaS applications the company uses (like Salesforce, Office 365, Slack, Jira, etc.).
    • Main objective: Corporate security, employee productivity, compliance (ensuring the right people have the right access to the right resources), identity lifecycle management (onboarding, offboarding, promotions).
    • Example: A marketing employee using their corporate login to access Salesforce (the company's CRM), the email system, and the intranet.
    • Solutions focused here: Okta (traditionally very strong here), Azure AD (for companies in the Microsoft ecosystem), OneLogin, and Keycloak itself can be used for this.
  • CIAM (Customer Identity and Access Management):
    • Who are the users? Customers, consumers, end-users of your digital products or services.
    • What do they access? Your public website, your online store, your mobile app, your customer portal, community forums.
    • Main objective: Smooth user experience (easy registration and login), scalability for millions of users, personalization, data collection for marketing (with consent), customer account security.
    • Example: A customer creating an account on your e-commerce site to make a purchase, or logging into your video streaming app.
    • Solutions focused here: Auth0 (very strong in CIAM), Azure AD B2C, Amazon Cognito, Firebase Authentication, and Keycloak is also widely used for CIAM.

Why use Keycloak? (Main Problems it Solves)​

In environments with multiple applications and services, managing identities and access can become a nightmare:

  • Multiple Logins: Users need different credentials for each application, resulting in poor user experience and password fatigue.
  • Duplicate Security Logic: Each application reimplements login flows, registration, password recovery, session management, etc., increasing development effort and vulnerability risk.
  • Decentralized User Management: Difficulty maintaining users and their permissions synchronized across systems, especially regarding groups and roles assigned to each user, which are used for access control.
  • Security Inconsistency: Different implementations can lead to different security levels.
  • Complex Integration: Adding social login or integration with corporate identity providers (like LDAP/AD) is complex.
  • API Security: Protecting APIs consistently is challenging.

Keycloak solves these problems by providing a centralized platform for:

  • Single Sign-On (SSO) and Single Sign-Out (SLO): Authenticate once and access multiple applications.
  • Identity Management: Create and manage users, their attributes, and credentials.
  • Identity Brokering: Integrate with external identity providers (Google, Facebook, GitHub, SAML, OIDC).
  • User Federation: Synchronize users from existing stores (LDAP, Active Directory).
  • API Security: Protect your APIs using OAuth 2.0.
  • Fine-Grained Authorization: Allows defining granular access policies within the managed ecosystem, based on roles, groups, and attributes, ideal for simple to intermediate controls, but not ideal for very complex, dynamic policies involving multiple different systems as it's not a dedicated policy engine.
    • In practice, many teams use Keycloak only for authentication + basic roles, and delegate fine-grained authorization to external systems.
  • Standards Support: Implements industry-standard protocols like OpenID Connect (OIDC), OAuth 2.0, and SAML 2.0.

Alternatives to Keycloak​

Keycloak is a robust and very popular open-source Identity and Access Management (IAM) solution. To understand how good it is or isn't, it's always good to compare it with other tools or another technology stack.

Its competitors can be divided into several categories:

Open Source / Self-Hosted Solutions:**​

Ory Stack (Kratos, Hydra, Keto, Oathkeeper):​

The great advantage of Ory Stack over Keycloak lies in:

  1. Total Control over User Experience (Headless):

    • Keycloak: Gives you ready-made login, registration pages, etc. You can customize them (themes), but you're fundamentally working within the framework Keycloak offers. For radical UI changes or very specific flows, it can be limiting or require considerable effort in Java (SPIs).
    • Ory Stack (Kratos): Doesn't give you ANY ready-made user interface. It just gives you APIs. You build your login, registration, profile screens, etc., from scratch, exactly as you want, using your preferred front-end technology (React, Vue, Angular, etc.), and these screens call Kratos APIs.
    • Ory advantage here: Absolute freedom to create a user experience 100% integrated with your brand and flows, without the constraints of a pre-defined UI. Ideal if you have a strong front-end team and want identity to be an imperceptible and fluid part of your application.

  2. Modularity and Microservices Architecture:

    • Keycloak: It's a more monolithic application (although it can be scaled). If you only need an OAuth2 server, for example, you still run "all of Keycloak".
    • Ory Stack: It's a set of specialized tools:
      • Need user management (login, registration)? Use Kratos.
      • Need just an OAuth2/OIDC server to protect APIs? Use Hydra.
      • Need a super granular and decoupled permissions system? Use Keto.
      • Need a proxy to validate tokens at the edge? Use Oathkeeper.
    • Ory advantage here: You only deploy and scale what you need. Each component is independent, written in Go (generally lighter on resources than Java for the same concurrency level), and fits naturally into microservices architectures where each service has a clear responsibility.

  3. Decoupled and Powerful Authorization (with Keto):

    • Keycloak: Offers a good authorization system based on RBAC (Role-Based Access Control) and can be extended.
    • Ory Keto: It's a dedicated permissions server, inspired by Google's Zanzibar. It allows modeling complex relationships and permission queries ("Can user X perform action Y on resource Z?"), centrally and decoupled from your applications.
    • Ory advantage here: If you have very complex, dynamic authorization requirements or that need to be centrally managed for multiple microservices, Keto is a very powerful and specialized tool that Keycloak doesn't offer natively at the same level of sophistication.

When is Keycloak better then?

  • I need a complete and robust IAM solution "out-of-the-box" with ready-made administration and user interfaces.
  • Time to market is critical and I don't want (or don't have resources to) build all identity UIs from scratch.
  • The team has more familiarity with Java and the JVM ecosystem.
  • I need features like SAML/OIDC federation with many enterprise providers in a simple way.
  • UI customization via themes is sufficient for brand needs.
  • The project is a monolith or fewer services where Keycloak's more integrated nature is not a problem.
  • I need a mature ecosystem with extensive documentation, community, and many tutorials.

Keycloak: It's like buying a complete car from the factory. It already comes with everything you need to drive, has a dashboard, seats, etc. You can change the color, wheels, sound system (customize), but the basic structure of the car is that. It's great for most people who want a functional car quickly.

When would I use Ory Stack then?

  • I'm building a product where the identity user experience needs to be 100% customized and integrated (no "standard login page" look).
  • The architecture is microservices-based and I want each IAM component (identity, OAuth2, permissions) to be an independent, scalable, and lightweight service (Go).
  • I have a capable and willing development team (especially front-end) to build identity UIs consuming APIs.
  • I need a very granular, decoupled, and centralized authorization (permissions) system (Ory Keto).
  • I want the flexibility to use only the IAM parts I need (e.g., just Ory Hydra as OAuth2 server).
  • The team has preference or experience with Go.
  • I'm seeking a more "modern" and "cloud-native" approach to IAM, even if it means more initial development work on the UI.

Ory Stack: It's like receiving a high-performance engine (Kratos for identity, Hydra for OAuth2), a lightweight chassis (Oathkeeper), and a super advanced navigation and control system (Keto). You need to build the body, interior, dashboard from scratch, exactly as you dream. It's more work, but the final result is totally yours and adapted to your most specific needs.

Gluu Server:​

Gluu Server is an open source IAM platform, known mainly for its strong support of the UMA (User-Managed Access) standard, ideal for giving users granular control over sharing their data. However, in practice, for most scenarios, Gluu Server doesn't present significant advantages that justify choosing it instead of Keycloak. Keycloak generally wins due to its much larger community, greater ease of use perceived for common tasks, and a more vibrant ecosystem and development. Therefore, unless UMA is a critical and irreplaceable differentiator for your project, Keycloak tends to be the more pragmatic and widespread choice for a complete open source IAM solution.

WSO2 Identity Server:​

Another robust open source IAM platform, built in Java. It excels in complex enterprise integration scenarios, especially if you already use other WSO2 products (like the API Manager). Additionally, it offers native and strong support for XACML for fine-grained policy-based access control, a differentiator for very specific authorization requirements. However, for most IAM needs, WSO2 Identity Server can be considered more complex and "heavier" than Keycloak.

Keycloak, with its larger community, more accessible documentation, and a generally smoother learning curve for common features, tends to be a more agile choice. The configuration and depth of resources of WSO2 IS can be overkill if your needs are more straightforward (like SSO, basic user management, and API protection with OIDC).

The combination of Keycloak + OPA (Open Policy Agent) and Ory Stack are often considered a more modern, flexible, and in many ways more powerful approach to authorization than the XACML engine embedded in WSO2 Identity Server.

Dex:​

Here the difference is quite clear because they have fundamentally distinct purposes, although both operate in the identity space and use OpenID Connect (OIDC). Dex is primarily an OpenID Connect (OIDC) identity provider that acts as a "connector" or "broker" for other identity providers (IdPs).

  • Main Function: It allows applications that only understand OIDC (like Kubernetes) to authenticate through a variety of identity backends that may not speak OIDC natively or that you want to federate.
  • Supported Backends (Connectors): LDAP, SAML 2.0, GitHub, Google, Microsoft, etc.
  • Doesn't do (or does very little):
    • Doesn't manage users directly: Dex doesn't have its own user database to create, update, or delete accounts. It delegates this to upstream IdPs.
    • Doesn't have robust admin UI: Configuration is done mainly via YAML files.
    • Doesn't have advanced IAM functionalities: Like fine-grained authorization, complex authentication flows, advanced session management, user portals, etc.
    • Typical Use Case: Allow users to authenticate in Kubernetes (or other OIDC-compatible applications) using Active Directory credentials (via LDAP), a corporate SAML provider, or GitHub accounts.

Casdoor:​

Casdoor is a newer player in the open source IAM scene, but has been drawing attention for its approach and focus. An open source Identity and Access Management (IAM) platform, built in Go (lower resource consumption and lighter deployment) and with a strong focus on developer and user experience, featuring a modern user interface (UI). It tries to offer a complete IAM solution, but with an emphasis on ease of use, simplified configuration, and a more friendly UI for both administrators and end users.

  • Features:**
    • Support for OIDC, OAuth 2.0, SAML.
    • User, organization, application management.
    • Social login.
    • MFA.
    • Extensibility through "providers" and "models".
    • Has a focus on being "cas" (Central Authentication Service), hence the name.

Casdoor is a promising and interesting alternative to Keycloak, but is it the right time? Casdoor is one to watch, as it could become a stronger competitor as it matures.

  1. Maturity and Community: Much newer. Although development is active and the community is growing, it still doesn't compare in size, maturity, and amount of available resources to Keycloak. This may mean fewer ready-made solutions for specific problems and a smaller knowledge base.

  2. Language and Resources:

    • Keycloak: Java (JVM). Can be more resource-intensive (memory, CPU) especially at startup, although Keycloak.X (Quarkus) has improved this significantly.
    • Casdoor: Go. Generally, Go applications are known for being lighter on resources and having faster startup times. This can be an advantage in resource-constrained environments or for more efficient scalability in certain scenarios.

  3. User Interface (UI) and User Experience (UX):

    • Keycloak: Keycloak's UI is functional and powerful, but sometimes criticized for not being the most modern or intuitive, especially for less technical administrators. End-user UI customization is done through themes.
    • Casdoor: This is one of Casdoor's main appeals. Its UI is often praised for being more modern, clean, and easy to use, both for administrators and end-user flows (login, registration).

  4. Ease of Configuration and Initial Use:

    • Keycloak: Can have a learning curve to explore all its advanced features. Initial configuration for simple cases is relatively straightforward.
    • Casdoor: Seeks to simplify configuration and the "getting started" process, with a more friendly approach for developers who may not be deep IAM experts.

  5. Feature Set and Extensibility:

    • Keycloak: Has an extremely comprehensive IAM feature set, covering almost all imaginable scenarios. Its extensibility via SPIs is very powerful.
    • Casdoor: Offers essential IAM features, but may not have the same depth or breadth of advanced or niche features that Keycloak has accumulated over the years. Its extensibility is under development.

  6. Ecosystem and Integrations:

    • Keycloak: Benefits from a vast ecosystem of integrations, adapters for various languages and frameworks, and third-party support.
    • Casdoor: Being newer, its ecosystem of integrations and support tools is still under construction.

Identity as a Service Solutions (IDaaS - Cloud-Based):**​

Auth0 (now part of Okta):​

CIAM (Customer Identity and Access Management), with a huge emphasis on developer experience (DX), ease of integration, and flexibility through "Rules" and "Actions" (custom JavaScript code that runs on the platform). You integrate your applications with Auth0 using SDKs and APIs. Authentication and user management happen on Auth0's servers.

  • Ease of Use and Quick Integration: Excellent SDKs for various languages and frameworks, abundant and developer-focused documentation. It's very quick to get up and running.
  • "Actions" (formerly "Rules" and "Hooks"): Allow extensively customizing authentication and registration flows with JavaScript code directly on the platform, without needing to modify the application "core". This is extremely powerful for specific business logic.
  • Universal Login: A centralized and customizable login page that can be easily integrated.
  • Social and Enterprise Login: Ready-made connectors for dozens of social providers (Google, Facebook, etc.) and enterprise (SAML, ADFS, etc.).
  • Managed Security and Scalability: You don't worry about infrastructure, security patches, scalability – Auth0 takes care of that.
  • Advanced CIAM Features: Breached password detection, adaptive MFA, consent management.

What does Auth0 do that Keycloak doesn't (or does with more effort)?

  1. Extreme Speed to Start and Integrate: Auth0's "out-of-the-box" experience, with SDKs and developer-focused documentation, is unbeatable for rapid prototyping and product launches.
  2. Flow Customization with JavaScript ("Actions"): The ability to inject custom JavaScript logic into authentication flows so simply and powerfully is a major differentiator. In Keycloak, similar customizations would require writing and deploying SPIs in Java, which is more complex.
  3. Managed Infrastructure: Not worrying about scalability, availability, and security of the identity infrastructure is a huge advantage for many teams, allowing them to focus on their main product.
  4. Advanced CIAM Features "Ready to Use": Things like compromised password detection, adaptive MFA, and security analytics are offered as part of the service. In Keycloak, some of these would require customization or integration with external tools.

When to choose Auth0:

  • When you don't have time.
  • When you don't have a security team.
  • The subscription cost fits your budget and business model (especially for CIAM, where cost per user can be low).
  • When you want to outsource responsibility for user data. This might be one of the factors that catches most companies.

When to choose Keycloak:

  • Full control over user data and infrastructure is a non-negotiable requirement** (regulations, security policies).
  • Cost is a major concern** and you have the capacity to manage infrastructure (Keycloak software is free).
  • You need an IAM solution that can run in offline or "air-gapped" environments.
  • You need very deep customizations in the platform core that are only possible with access to source code and SPIs.
  • Avoiding "vendor lock-in" is a high priority.

It's worth remembering that Auth0's focus is not workforce, although it's possible to use it that way, but for that we have OKTA.

Okta:​

Okta already has all its differentiator based on workforce and that's why it bought Auth0 to solve its CIAM flaws. For workforce today it's the market leader, period.

  • Strengths:
    • Unbeatable Integration Catalog: Thousands of pre-built connectors for popular SaaS applications (Office 365, Salesforce, G Suite, Slack, Zoom, Workday, etc.) and support for standards like SAML, OIDC, SCIM.
    • Robust Single Sign-On (SSO): Seamless SSO experience for end users.
    • Identity Lifecycle Management (LCM): Automates user provisioning and deprovisioning in connected applications, often integrated with HR systems.
    • Advanced Multi-Factor Authentication (MFA): Various MFA options, including Okta Verify (push), WebAuthn, and adaptive MFA policies.
    • Universal Directory: A flexible cloud directory for managing users and groups.
    • Okta Workflows: Automation of identity and IT processes with no-code or low-code.
    • Security and Compliance: Strong security focus, audit reports, and helps companies meet compliance requirements.
    • Ease of Administration (for IT): Powerful and relatively intuitive admin interface for managing a large number of users and applications.

What does Okta (Workforce) do that Keycloak doesn't (or does with much more effort)?

  1. Vast Range of Ready-Made Integrations for Corporate SaaS Applications: This is the biggest differentiator. Setting up SSO and provisioning for hundreds of apps like Salesforce, Workday, Office 365 is significantly simpler and faster with Okta's catalog. In Keycloak, you may need to manually configure SAML/OIDC for each one or rely on community connectors, if they exist.
  2. Deeply Integrated Identity Lifecycle Management (LCM): Okta's ability to integrate with HR systems (like Workday) to automate the "joiner-mover-leaver" (employee entry, movement, and exit) robustly is a major advantage for companies.
  3. Okta Workflows for Automation: A powerful tool for creating complex identity and IT process automations without writing much code. Keycloak would require custom development for equivalent functionalities.
  4. Specialized Focus and Resources on Workforce IAM: Okta's platform was built from scratch with Workforce IAM needs in mind, including compliance reports, granular security policies for corporate access, etc.
  5. Less Infrastructure Management Overhead for IT: For the IT department, not having to worry about maintaining, patching, and scaling the identity platform is a huge relief, but you pay for it.

When to choose Okta (Workforce):

  • Your main need is managing employee access to a large number of SaaS and internal applications.
  • Automating the identity lifecycle (provisioning/deprovisioning) integrated with HR systems is crucial.
  • You need an extensive catalog of ready-made integrations to save time and effort.
  • The company prefers a SaaS model to reduce infrastructure management burden and is willing to pay for the subscription.
  • Security and compliance for employee access are top priorities.

When to choose Keycloak:

  • You need a solution for both CIAM and Workforce IAM and want a unified platform under your control.
  • The need for SaaS application integrations is not so vast, or you have the capacity to manually configure SAML/OIDC.
  • Avoiding "vendor lock-in" and having the flexibility of open source are important.

Most companies I've worked for use Okta, surprisingly, mainly because of the HR factor mentioned above. In an environment where personnel changes are constant, the need to maintain and adapt these custom integrations could become a considerable burden.

There are other solutions like OneLogin, Azure AD, etc.

Azure Active Directory B2C (Azure AD B2C), Amazon Cognito and Google Cloud Identity Platform (Firebase Authentication)​

All of these are focused on CIAM and not on workforce. All are well integrated mainly with their own cloud resources. The control of all of them is through their respective cloud consoles.

  • They are managed services by their respective cloud providers (Microsoft, AWS, Google). You don't manage the infrastructure, scalability, security patches of the identity service itself.
  • Main Focus on CIAM and were designed primarily to manage the identity of customers/end users of your web and mobile applications.
  • Cost Model generally based on the number of Monthly Active Users (MAUs) and sometimes on the use of premium functionalities (like advanced MFA).
  • They integrate natively and deeply with other services within their respective cloud ecosystems (Azure, AWS, Google Cloud/Firebase). Keycloak: Can be hosted on any cloud, but integration with specific cloud services is not as "native" and ready as in the cloud's own services.

In several cases companies prefer to focus workforce with OKTA and use CIAM from their respective clouds. The problem comes when we have more than one cloud and CIAM has to handle everything.

When choosing a competitor, consider:

  • Cost: Open source (infrastructure and maintenance cost) vs. SaaS (subscription cost).
  • Self-hosting vs. Cloud: Do you want/can you manage infrastructure?
  • Scalability: Your current and future needs.
  • Learning curve and complexity: How fast do you need to implement?
  • Specific features: Support for SAML, OpenID Connect, federation, social login, MFA, granular authorization policies, etc.
  • Community and Support: Availability of documentation, forums, paid support.
  • Integrations: With your legacy systems or other services.

Keycloak remains an excellent choice, especially if you need an open-source, self-hosted, feature-rich solution. But the market offers interesting alternatives depending on your priorities!

Keycloak is a true Swiss Army knife, as it covers both CIAM and workforce IAM in a single mature solution. Studying Keycloak, even without implementing it, brings valuable know-how β€” including to evaluate whether it's worth paying for SaaS solutions.