Keycloak

Keycloak

Open Source

Open source identity and access management for modern applications and services

Authentication

Scores

Popularity
4/5
Learning Curve
5/5
Flexibility
5/5
Performance
3/5
Portability
5/5

About

Keycloak is an open-source identity and access management (IAM) platform maintained as a CNCF Incubating project and sponsored primarily by Red Hat. It provides centralised authentication and authorisation for applications and services, acting as an identity provider (IdP) that applications delegate sign-in to rather than handling credentials themselves.

Keycloak is a standards-based platform: it implements OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0, which means any application or service that speaks these protocols can integrate regardless of language or framework. Python, Java, PHP, Go, Ruby, Node.js, and .NET applications all connect through the same OIDC/SAML layer — making Keycloak one of the few auth solutions that genuinely works across every major backend ecosystem.

The platform is organised around realms — isolated namespaces for users, clients, and configuration — making it practical for multi-tenant deployments where different applications or organisations need separate identity spaces with their own branding, policies, and user bases.

User federation connects Keycloak to existing user directories: LDAP and Active Directory sync is built in, and a custom User Storage SPI (Service Provider Interface) allows connecting to any existing user database without migrating data. Identity brokering enables Keycloak to act as an intermediary between your application and external providers (Azure AD, Okta, Google, GitHub), handling protocol translation in both directions.

Keycloak runs as a self-hosted Java service built on Quarkus. Deployment is via Docker, Kubernetes (official Helm charts provided), or a bare-metal JVM. Red Hat ships a commercially supported variant, Red Hat Single Sign-On (RH-SSO), for enterprise customers who need SLA-backed support. The community edition is free with no user limits, no per-MAU pricing, and no feature gating.

Key Features

  • Single Sign-On (SSO) across multiple applications with one login
  • OAuth 2.0, OpenID Connect, and SAML 2.0 — all three protocols in one platform
  • User federation: LDAP and Active Directory sync built in
  • Identity brokering: connect to Azure AD, Okta, Google, GitHub, and other IdPs
  • Social login (Google, GitHub, Facebook, and more)
  • Multi-factor authentication (TOTP, WebAuthn/passkeys)
  • Realm-based multi-tenancy with per-realm branding, policies, and user bases
  • Fine-grained authorisation and Token Exchange (supported from v26.2)

Pros

  • Truly universal — any language or framework integrates via standard OIDC or SAML
  • No per-MAU pricing and no feature gating in the community edition
  • LDAP/AD federation built in — essential for enterprise and on-premise environments
  • CNCF Incubating project with Red Hat backing — long-term roadmap stability
  • 34.5K GitHub stars; validated in mission-critical government and financial deployments

Cons

  • Steep learning curve — realms, clients, flows, and mappers all require understanding before anything works
  • JVM-based: higher memory and startup overhead than library-based auth solutions
  • Significant operational burden: updates, backups, clustering, and security patches require ongoing ops effort
  • Documentation can feel scattered and incomplete for non-trivial configurations
  • Admin UI is functional but complex — not designed for rapid onboarding

Pricing

Open Source

Possible Stacks

Keycloak Self-Hosted

Infrastructure

The infrastructure stack for running Keycloak as your own identity provider. Keycloak persists realms, users, clients, and sessions in PostgreSQL; Docker packages the deployment for consistent operation across any VPS or bare-metal server.

Databases

Hosting

Authentication

DevOps

Sandbox

Spring Boot + Keycloak

Project

An enterprise Java API with centralised identity management. Spring Boot handles business logic and REST endpoints; Keycloak acts as the identity provider — managing SSO, RBAC, and token issuance for the application and any other services that share the same realm.

Programming

Databases

Hosting

Authentication

Sandbox

Learning Resources

No resources yet — check back soon.

Tags

Open SourceSelf-hostableDocker CompatibleWeb DevelopmentAuthenticationWeb

Details

Maintained
Yes