KeyCloak
Open source identity and access management. Add authentication to applications and secure services with minimum effort.
Open-source identity and access management, honestly reviewed. No marketing fluff, just what you get when you self-host it.
TL;DR
- What it is: Open-source (Apache 2.0) identity and access management platform — single sign-on, OAuth 2.0, OpenID Connect, SAML 2.0, and user federation in one server [3].
- Who it’s for: Engineering teams and technical founders who need enterprise-grade authentication infrastructure across multiple apps, and who are tired of paying per-user or per-connection fees to Auth0 or Okta [5].
- Cost savings: Auth0's per-MAU price roughly tripled (from $0.023 to $0.07), and features like SAML, LDAP, and magic links require an Enterprise plan that can spiral past $100K/year for a mid-size company. Self-hosted Keycloak costs nothing in licence fees regardless of user count [5].
- Key strength: The most complete open-source IAM available. 33,000+ GitHub stars, CNCF incubation project, backed by Red Hat. Supports every protocol you’ll encounter in the enterprise — OpenID Connect, OAuth 2.0, SAML 2.0, Kerberos — and federates against LDAP and Active Directory out of the box [1][3].
- Key weakness: This is not a tool you hand to a non-technical founder. It requires real operational knowledge to deploy correctly, and the admin interface has a learning curve that rivals the complexity of the system itself [1][2].
What is Keycloak
Keycloak is a standalone identity server. Your applications stop handling authentication themselves: they redirect users to Keycloak, which runs the login, issues signed tokens, and sends the user back. The application never sees a password, never stores credentials, and needs no user database of its own; the SSO session lives in Keycloak, and the app keeps only the tokens it was issued [3].
The project is maintained by Red Hat, which sells a supported build as Red Hat build of Keycloak (the successor to Red Hat Single Sign-On). The open-source version lives at github.com/keycloak/keycloak with 33,405 stars and is a CNCF incubating project, which means it has governance and security audits and isn't going anywhere [1][README].
The core abstraction is the realm, a namespace that contains everything: users, roles, clients (the apps that connect to Keycloak), identity providers, federation configuration, and theme customizations [2]. A single Keycloak instance can host multiple realms, each isolated from the others: separate users, separate signing keys, and a separate issuer URL (https://<host>/realms/<realm>) in the tokens it issues. This is how you'd run, say, a B2B SaaS where each customer gets its own identity namespace.
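An added example of the application side of that flow, not code from the page or from the Keycloak project: a resource server checking a Keycloak-issued access token for one realm before trusting the roles in it. The hostnames, realm names, client id and secret are assumptions. The token is HS256-signed with a made-up secret so the example runs offline; a real realm signs with RS256 and publishes its keys at {issuer}/protocol/openid-connect/certs, and only the signature step would change. The claim layout (iss, typ, azp, aud, realm_access, resource_access) is what Keycloak emits.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo data, not Keycloak's own: the realm URLs, client id and secret are
# assumptions. Tokens are HS256-signed with the made-up secret so this runs offline;
# a real realm signs with RS256 and publishes its keys at
# {issuer}/protocol/openid-connect/certs, and only the signature check would change.
DEMO_SECRET = b"constructed-client-secret-for-the-demo-only"
ISSUER_A = "https://auth.example.com/realms/tenant-a"  # assumed host and realm
ISSUER_B = "https://auth.example.com/realms/tenant-b"  # a second realm, same server
CLIENT_ID = "billing-api"                              # assumed client id
FIXED_NOW = 1_700_000_000                              # frozen clock for determinism


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS for the demo; the verifier below is the interesting part."""
    header = {"alg": alg, "typ": "JWT", "kid": "demo-key"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def sample_claims(issuer: str) -> dict:
    """Keycloak access-token layout: realm roles in realm_access, client roles in resource_access."""
    return {
        "iss": issuer, "typ": "Bearer", "azp": CLIENT_ID, "aud": ["account"],
        "sub": "constructed-user-id", "preferred_username": "alice",
        "iat": FIXED_NOW, "exp": FIXED_NOW + 300,
        "realm_access": {"roles": ["offline_access", "tenant-admin"]},
        "resource_access": {CLIENT_ID: {"roles": ["invoice:read"]}},
    }


class TokenRejected(Exception):
    pass


def verify_keycloak_token(token: str, secret: bytes, expected_issuer: str,
                          client_id: str, now: Optional[float] = None) -> dict:
    """Accept a token only if it is for this realm (tenant) and this client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token header pick it.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Realm binding: every realm on the server issues validly signed tokens and the
    # issuer is https://<host>/realms/<realm>, so an exact match on iss is what stops
    # tenant-b's admin from being accepted as tenant-a's admin.
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("issuer %r is not this tenant's realm" % claims.get("iss"))
    if claims.get("typ") != "Bearer":
        raise TokenRejected("not an access token")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    # Keycloak lists your client in aud only when an audience mapper is configured;
    # azp (the requesting client) is always there, so accept either binding.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud and claims.get("azp") != client_id:
        raise TokenRejected("token was not issued to this client")
    return claims


def roles_for(claims: dict, client_id: str) -> set:
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return realm_roles | client_roles


def check(token: str, expected_issuer: str, now: float = FIXED_NOW) -> tuple:
    """('ok', roles) or ('rejected', reason), so callers can branch without exceptions."""
    try:
        claims = verify_keycloak_token(token, DEMO_SECRET, expected_issuer, CLIENT_ID, now)
    except TokenRejected as exc:
        return ("rejected", str(exc))
    return ("ok", roles_for(claims, CLIENT_ID))


if __name__ == "__main__":
    good = mint_hs256(sample_claims(ISSUER_A), DEMO_SECRET)
    cross_realm = mint_hs256(sample_claims(ISSUER_B), DEMO_SECRET)  # valid signature, wrong tenant
    print(check(good, ISSUER_A))         # ok, with the realm and client roles
    print(check(cross_realm, ISSUER_A))  # rejected: issuer is tenant-b's realm
```

The issuer check is the multi-tenant control: two realms on one server both produce perfectly valid signatures, so a token from tenant-b verifies fine unless the resource server pins iss to tenant-a's realm URL. The aud check only bites once you add an audience mapper to the client scope; without one Keycloak's aud is "account" and azp is the only client binding in the token.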
What Keycloak is not: it’s not a turnkey SaaS you sign up for and forget. It’s a server you run, configure, and maintain. The README puts it plainly: “Add authentication to applications and secure services with minimum effort. No need to deal with storing users or authenticating users.” The “minimum effort” applies after the initial setup, which is decidedly not minimal.
Why people choose it over Auth0, Okta, and the managed alternatives
The reviews converge on two reasons: cost at scale and control over data.
The Auth0 pricing trap. Phase Two's analysis [5] is the most explicit on this. Auth0 starts friendly, with a free tier and a reasonable starter plan, and then the bill jumps as soon as you need enterprise features. SAML connectors, LDAP/AD integration, magic links, custom domains, enterprise connections that let a customer's own IdP manage its users: each of these triggers a plan upgrade. Per-MAU pricing at $0.07/user means a 10,000-user app costs $700/month on top of the plan fee. And tripling the per-MAU price made this calculation dramatically worse for existing customers mid-contract.
Keycloak’s cost model is fundamentally different: the software is free, and the cost is a fixed infrastructure expense that doesn’t scale with user count. A 1,000-user app and a 500,000-user app both pay the same software license fee: zero [5].
Vendor lock-in and data residency. Auth0 is a cloud-only service. If your compliance requirements mandate data residency (GDPR, HIPAA, or customer contracts with SOC 2-style control requirements), routing user identity data through Auth0's infrastructure is a conversation you have to have with lawyers. Keycloak in your own infrastructure moves that conversation in-house: the data stays where you put it, and the controls around it are yours to run and to evidence [1][5].
Red Hat’s backing as a trust signal. Unlike many open-source projects that might go dormant or pivot, Keycloak is the upstream for a Red Hat commercial product. Red Hat has financial incentive to keep it excellent, and the CNCF governance structure provides a formal check on that. Arko Basu, writing after 13 years of software engineering experience, describes it as “the crown jewel of open source identity management” specifically because of this combination of institutional backing and genuine open-source licensing [1].
The comparison to Okta. Okta Workforce Identity is listed at $6/user/month [merged profile]. For a 500-user company that's $3,000/month, $36,000/year, for authentication infrastructure. A properly configured Keycloak on a mid-tier cloud VM runs under $50/month for the same workload. The trade-off is real: Okta ships as managed software with no operational overhead; Keycloak ships as software you operate. Whether that trade-off is worth roughly $35,000/year is a business decision, not a technical one.
Features
Core identity flows:
- Single Sign-On and Single Sign-Out across all connected applications [3]
- OpenID Connect, OAuth 2.0, and SAML 2.0 protocol support [3][website]
- Kerberos bridge for Windows-domain environments [3]
- Social login via Google, GitHub, Facebook, Twitter, and other networks — configured through the admin console, no code changes [website]
- Identity brokering to external OpenID Connect or SAML 2.0 providers [website]
User federation:
- Built-in LDAP and Active Directory sync [website][3]
- Custom federation providers for users stored in relational databases or other stores [website]
- User import or on-demand sync modes [3]
Authentication:
- Passkey support, password, X.509 certificate, and TOTP/HOTP via Google Authenticator or FreeOTP [3]
- Step-up authentication [3]
- Flexible authentication flows: self-registration, email verification, password recovery, forced password updates [3]
- Brute force detection (off by default; you enable it per realm) [4]
- reCAPTCHA v2/v3 support for registration flows [4]
- Password blacklist and password policy enforcement [4]
Authorization:
- Role-based access control [3]
- Fine-grained authorization services for cases where RBAC isn’t granular enough [website]
- Token mappers for customizing what goes into JWTs [3]
- Not-before revocation policies [3]
Administration:
- Web-based admin console for managing users, roles, clients, sessions, and policies [website]
- User self-service account console (profile updates, password changes, 2FA setup, session management) [website]
- Full theme customization for login, registration, and account pages [3]
- CORS support built into client adapters [3]
Extensibility:
- Service Provider Interfaces (SPIs) for customizing authentication flows, user federation, protocol mappers, and more [3]
- Works with any language/platform that has an OpenID Connect or SAML 2.0 library — Abhishek Koserwal demonstrates this with Dart, which has no official Keycloak adapter [2][1]
- Kubernetes Operator available via Artifact Hub [README]
Pricing: SaaS vs self-hosted math
Auth0 (primary competitor):
- Free: limited MAU, limited features
- Essential: starts at $23/month, but MAU pricing applies
- Professional and Enterprise: features like SAML, AD/LDAP, magic links, enterprise connections — all require higher tiers
- Per-MAU pricing: recently raised to $0.07/MAU, roughly triple the previous rate [5]
- At 10,000 MAU on Enterprise: $700/month in MAU fees alone, before plan fees
Okta (merged profile’s listed competitor):
- Workforce Identity starting at $6/user/month
- At 500 employees: $3,000/month / $36,000/year [merged profile]
Keycloak self-hosted:
- License: $0 (Apache 2.0)
- Infrastructure: $20–80/month depending on scale (Keycloak is a JVM application — it needs memory)
- Recommended minimum: 2 vCPU, 2GB RAM for light loads; 4–8GB RAM for production [1]
- Managed Keycloak (via Phase Two or similar): pricing starts low and scales significantly less steeply than Auth0 [5]
Concrete savings math:
A B2B SaaS company with 5,000 enterprise users and the need for SAML connections to customer IdPs: on Auth0 Enterprise, this likely runs $2,000–5,000/month. Self-hosted Keycloak on a pair of cloud VMs (for HA) plus a managed PostgreSQL instance: $100–150/month. Annual savings: roughly $22,000–$59,000. That covers a good slice of an engineer's time to set it up and keep it running.
For a startup with 500 users who only need social login and email/password: Auth0’s free/essential tier might genuinely be cheaper after accounting for the engineering time to configure Keycloak. The math inverts at volume and at enterprise feature requirements.
Deployment reality check
Keycloak is a Java application. Historically it ran on JBoss WildFly; since version 17 it runs on Quarkus, which cut startup time and memory footprint substantially. The current quickstart is Docker (pin a version tag; the bootstrap-admin variables below are the 26.x names, older images used KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD):
docker run -p 127.0.0.1:8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=change-me quay.io/keycloak/keycloak:26.0 start-dev
That gets you a running instance for development: embedded H2 database, plain HTTP, no hostname checks, bound to localhost. Production is a different story.
What a real production deployment requires:
- A JVM-capable VM or container cluster. Keycloak is not lightweight — budget 1GB RAM minimum for a toy instance, 4GB+ for anything real [1]
- An external database (PostgreSQL recommended; the bundled H2 is explicitly not for production) [3]
- The embedded Infinispan cache configured for clustering (cache-stack set to kubernetes or jdbc-ping, for example) if you run more than one node, so sessions and login-failure counters are shared across the cluster [3]
- A reverse proxy (nginx, Traefik, or Caddy) for TLS termination and load balancing, with Keycloak told to trust its headers (proxy-headers=xforwarded or forwarded) and the proxy overwriting those headers rather than passing client-supplied ones through; otherwise redirect URLs, the issuer in tokens, and the client IP the brute-force detector records are all wrong
- TLS and hostname configured correctly: in production mode (start, not start-dev) Keycloak refuses to start without HTTPS or an explicit hostname plus proxy configuration, and it checks the Host header against the configured hostname
- SMTP configuration for email-based flows (registration verification, password reset)
What Arko Basu’s deployment looked like in practice [1]:
- Kubernetes cluster (microk8s) with Ceph storage
- Cloudflare Zero Trust Tunnels to expose the admin console without a public load balancer
- Realm creation, email SMTP configuration, user setup, client configuration — all done through the admin console
- Total setup across a Kubernetes deployment: a full afternoon for an experienced engineer
What can go sideways:
- The admin console is powerful but dense. Concepts like realms, clients, client scopes, flows, and mappers are all distinct things with distinct configuration surfaces. A misconfigured token mapper silently produces wrong JWTs. A misconfigured flow silently breaks authentication for a subset of users.
- Brute force protection is off by default [4]. Go to production without enabling it and nothing slows down password guessing against the login endpoint; Phase Two's security guide explicitly calls this out. Know what it covers once it is on: Keycloak's detector counts failures per user account, so it stops a credential-stuffing run against one account but does little against password spraying (one password tried across many accounts). Pair it with per-IP rate limiting at the reverse proxy.
- The reCAPTCHA integration only works on the registration flow, not the login flow, as of current versions [4].
- Older articles about Keycloak limitations can be misleading — the Phase Two comparison [5] notes that many limitations cited in G2 reviews are 10+ major versions out of date. Keycloak has moved fast. Research that’s more than two years old should be treated with skepticism.
- Upgrades between major versions require a migration step. The server migrates the database schema itself on the first start of the new version, but the upgrade guide still has to be read for removed or renamed configuration options, deprecated features, and any custom SPIs or themes built against the old version. Documented, but not trivial, and it needs a database backup first.
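The defaults called out above (brute force detection off, reCAPTCHA off, H2 and plain HTTP left over from start-dev) and the "silent misconfiguration" point are worth checking mechanically rather than by eye. What follows is an added example, not the page's or the Keycloak project's own tooling: a small audit over a realm export and a keycloak.conf, with both inputs constructed for the demo. The JSON keys are the field names of Keycloak's realm representation (what a partial export or kc.sh export produces); the client checks cover the wildcard redirect URI, open CORS origin, implicit flow and password grant on a public client, all of which the admin console will happily let you click into.

```python
import json

# Constructed inputs, not from the page or from any real deployment. The JSON uses the
# field names of a Keycloak realm export (admin console "Partial export" or
# kc.sh export); the values are invented so that every check fires once.
SAMPLE_REALM_EXPORT = json.loads("""
{
  "realm": "tenant-a",
  "sslRequired": "none",
  "bruteForceProtected": false,
  "passwordPolicy": "",
  "accessTokenLifespan": 86400,
  "clients": [
    {"clientId": "billing-api", "publicClient": false,
     "implicitFlowEnabled": false, "directAccessGrantsEnabled": false,
     "redirectUris": ["https://billing.example.com/callback"],
     "webOrigins": ["https://billing.example.com"]},
    {"clientId": "legacy-spa", "publicClient": true,
     "implicitFlowEnabled": true, "directAccessGrantsEnabled": true,
     "redirectUris": ["*", "https://legacy.example.com*", "http://localhost:3000/*"],
     "webOrigins": ["*"]}
  ]
}
""")

# Constructed keycloak.conf: the kind of file a start-dev habit leaves behind.
SAMPLE_KEYCLOAK_CONF = """
# production wants db=postgres (or another external database)
db=dev-file
http-enabled=true
hostname-strict=false
"""


def parse_keycloak_conf(text: str) -> dict:
    """keycloak.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit_realm(realm: dict) -> list:
    """Return (where, problem) pairs for realm-level and client-level weak settings."""
    findings = []
    name = realm.get("realm", "?")
    if not realm.get("bruteForceProtected", False):
        findings.append((name, "bruteForceProtected is off: repeated failed logins never lock anything"))
    if realm.get("sslRequired", "external") == "none":
        findings.append((name, "sslRequired=none: logins and tokens are allowed over plain HTTP"))
    if not realm.get("passwordPolicy"):
        findings.append((name, "no passwordPolicy: any password of any length is accepted"))
    if realm.get("accessTokenLifespan", 300) > 3600:
        findings.append((name, "accessTokenLifespan over one hour: a leaked token stays usable for a long time"))
    for client in realm.get("clients", []):
        cid = client.get("clientId", "?")
        for uri in client.get("redirectUris", []):
            host_part = uri.split("://", 1)[-1].rstrip("*")
            if uri == "*":
                findings.append((cid, "redirect URI '*': the authorization code can be sent anywhere"))
            elif uri.endswith("*") and "/" not in host_part:
                # Keycloak matches a trailing * as a prefix, so this also accepts
                # https://legacy.example.com.attacker.test/... as a redirect target.
                findings.append((cid, "wildcard directly after the host in %r matches other hosts too" % uri))
            elif uri.startswith("http://") and "localhost" not in uri:
                findings.append((cid, "plain-HTTP redirect URI %r" % uri))
        if "*" in client.get("webOrigins", []):
            findings.append((cid, "webOrigins '*': CORS open to every origin ('+' would mirror the redirect URIs)"))
        if client.get("implicitFlowEnabled"):
            findings.append((cid, "implicit flow on: tokens returned in the URL fragment; use code flow with PKCE"))
        if client.get("publicClient") and client.get("directAccessGrantsEnabled"):
            findings.append((cid, "password grant on a public client: the app handles raw passwords"))
    return findings


def audit_conf(conf: dict) -> list:
    """Production-mode settings that start-dev quietly papers over."""
    findings = []
    db = conf.get("db", "dev-file")
    if db in ("dev-file", "dev-mem"):
        findings.append(("keycloak.conf", "db=%s is the embedded H2 store, not for production" % db))
    if "hostname" not in conf or conf.get("hostname-strict") == "false":
        findings.append(("keycloak.conf", "no fixed hostname: issuer and redirect URLs follow the request's Host header"))
    if conf.get("http-enabled") == "true" and "proxy-headers" not in conf:
        findings.append(("keycloak.conf", "http-enabled without proxy-headers: plain HTTP with no trusted TLS-terminating proxy"))
    return findings


def run_audit(realm: dict = SAMPLE_REALM_EXPORT, conf_text: str = SAMPLE_KEYCLOAK_CONF) -> list:
    return audit_realm(realm) + audit_conf(parse_keycloak_conf(conf_text))


if __name__ == "__main__":
    for where, problem in run_audit():
        print("%-14s %s" % (where, problem))
```

Point it at a real export (kc.sh export --realm <realm> --file realm.json) and your keycloak.conf, and extend the client checks with whatever your own review keeps finding; the realm representation has far more fields than this touches, but these are the ones that turn a working login page into an account-takeover path.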
Realistic time estimates: an experienced backend engineer can have a working production Keycloak instance in 4–8 hours. Configuring it correctly for a complex multi-tenant SaaS application with multiple IdP connections, custom flows, and proper token scoping: days, not hours. For a non-technical founder with no Linux server experience: this is not the tool. Full stop.
Pros and Cons
Pros
- Apache 2.0 license. Genuinely free for any use, including commercial. No fair-code restrictions, no “sustainable use” carve-outs, no licensing conversations [README].
- Protocol completeness. OpenID Connect, OAuth 2.0, SAML 2.0, Kerberos, all in one server. It covers every protocol an enterprise identity integration is likely to ask for [3].
- Red Hat / CNCF backing. This is not a one-person open-source project. It has institutional support, security audits, and a CNCF governance structure [1].
- User federation. First-class LDAP and Active Directory sync, plus custom provider SPIs for any other user store. This is the feature that makes enterprise deals close [website][3].
- Realm architecture. Multi-tenant by design. One Keycloak instance, many isolated identity namespaces. Ideal for B2B SaaS [2].
- Zero per-user cost. The bill doesn’t grow when your user base grows. One of the few technical decisions that gets cheaper over time [5].
- Social login without code changes. Adding Google or GitHub login is an admin console operation, not a development task [website].
- 33,000+ GitHub stars and active development — the project is healthy [README].
Cons
- Not for non-technical teams. Every step — deployment, initial configuration, realm setup, client registration, flow customization — requires understanding IAM concepts and server administration. The admin console does not hold your hand [1][2].
- JVM resource requirements. Keycloak needs real memory. A VPS that handles most self-hosted tools will struggle. Plan for 4GB RAM minimum for a production instance with any real load [1].
- Security features off by default. Brute force detection and reCAPTCHA are not enabled by default, and there is no general request rate limiting in the server at all; that belongs at the reverse proxy. A default production deployment has weaker security than you might assume [4].
- Admin console complexity. Realms, clients, scopes, mappers, flows, providers — there are many independently configurable surfaces that interact in non-obvious ways. Misconfiguration is easy and sometimes silent.
- Upgrade friction. Major version upgrades require migration steps. This is documented but adds operational overhead over time.
- Limited documentation for non-standard languages. Keycloak has been retiring its own client adapters in favour of standard OpenID Connect libraries, so outside Java and JavaScript/Node.js you wire up a generic OIDC library and work out the Keycloak-specific parts (realm issuer URL, claim layout, role mapping) yourself [1].
- No hosted option from the main project. The official Keycloak project is self-host only. Managed hosting (Phase Two, etc.) is a third-party market, not something the core project provides.
Who should use this / who shouldn’t
Use Keycloak if:
- You’re building a multi-tenant B2B SaaS and need isolated identity namespaces per customer.
- You need enterprise SSO (SAML to customer corporate IdPs like Okta or Azure AD) without paying Auth0 Enterprise rates.
- Your user count is growing past the point where per-MAU pricing becomes painful ($10K+/year on Auth0 or Okta).
- You have LDAP or Active Directory infrastructure that needs to be the source of truth for user identity.
- You have a technical team that can own the deployment and configuration.
- You have data residency requirements (GDPR, HIPAA, specific geographic requirements) that make cloud-only IAM services problematic.
Skip it if:
- You’re a solo non-technical founder who just needs users to log into your app. Use Auth0’s free tier, Supabase Auth, or Clerk — they get you there in 30 minutes with no server to manage.
- You need to ship authentication in a day. Keycloak configuration to production-ready takes days of careful work.
- Your infrastructure budget is limited to the very bottom of the VPS market. Keycloak’s memory requirements price it out of the $5/month tier.
- You have no one on your team who can own IAM configuration as a discipline.
Pick a managed Keycloak provider (Phase Two, etc.) if:
- You want Keycloak’s capabilities and cost model but can’t justify the operational overhead.
- You’re in the middle tier: past Auth0’s free tier but not yet worth fully self-hosting.
Alternatives worth considering
- Auth0 — the primary incumbent. Easiest setup, best documentation, largest ecosystem, but per-user pricing is aggressive and enterprise features require expensive tiers. The tripling of the per-MAU price is a real warning sign for anyone building on it long-term [5].
- Okta (Workforce Identity) — enterprise IAM with strong compliance certifications and managed infrastructure. $6/user/month; starts making less financial sense above ~200 users compared to self-hosted alternatives [merged profile].
- Authentik — newer open-source IAM project with a Python (Django) core and Go outposts, a cleaner admin UI, growing quickly. A serious alternative if you find Keycloak's interface overwhelming. Less battle-tested at enterprise scale.
- Zitadel — Go-based, more modern API design than Keycloak, strong focus on B2B SaaS multi-tenancy. Worth evaluating if you’re starting fresh and don’t have an existing Keycloak investment.
- Supabase Auth — if you’re already in the Supabase ecosystem. Handles basic authentication well. Not a full IAM replacement — no SAML, limited federation, no fine-grained authorization services.
- Clerk — developer-focused managed auth with excellent DX and UI components. Good for consumer apps; expensive at scale; closed-source SaaS with the same vendor-lock-in risks as Auth0.
- Ory (Kratos + Hydra + Keto) — the UNIX-philosophy alternative to Keycloak: separate services for identity, OAuth, and authorization. More flexible in theory; significantly more complex to compose in practice.
For a technical team that needs enterprise SSO and LDAP federation at scale, the practical shortlist is Keycloak vs Zitadel. Keycloak wins on maturity, community size, and protocol coverage. Zitadel wins on developer experience and modern API design. If you’re already a Red Hat shop, the choice is obvious.
Bottom line
Keycloak is the right answer to a specific problem: you need enterprise-grade identity infrastructure, meaning SSO across multiple apps, SAML to customer IdPs, LDAP federation, fine-grained authorization, and you don't want a bill that scales with your user count or feature requirements. The Apache 2.0 license, Red Hat backing, CNCF governance, and 33,000 GitHub stars signal a project you can bet an architecture on. The savings math is real: a mid-size company paying $30–50K/year to Auth0 Enterprise or Okta can run equivalent infrastructure on Keycloak for $1,000–2,000/year in server costs.
What Keycloak is not is easy. It rewards engineers who invest time in understanding IAM concepts, and it punishes misconfiguration with security gaps that aren’t always obvious. Security features are off by default. The admin console has a learning curve measured in days, not hours. The JVM needs real memory.
For the right team, it’s the most cost-effective enterprise IAM available. For a non-technical founder looking for “users can log in,” it’s the wrong tool — use Clerk or Auth0’s free tier and revisit when you’re larger.
If Keycloak is the right call but the setup is the blocker, that deployment problem is exactly what upready.dev solves for clients.
Sources
- Arko Basu — “Keycloak: The Crown Jewel of Open Source Identity Management” (June 10, 2024). https://medium.com/@arko.basu09/keycloak-the-crown-jewel-of-open-source-identity-management-156bb012dc15
- Abhishek Koserwal, Red Hat Developer Blog — “Keycloak: Core concepts of open source identity and access management” (December 11, 2019). https://developers.redhat.com/blog/2019/12/11/keycloak-core-concepts-of-open-source-identity-and-access-management
- Keycloak Official Documentation — Server Administration Guide (v26.6.1). https://www.keycloak.org/docs/latest/server_admin/index.html
- Phase Two — “Security | Managed Keycloak Hosting and Enterprise Keycloak Support”. https://phasetwo.io/docs/security/
- Phase Two — “Keycloak vs. Auth0, an Open-Source Alternative”. https://phasetwo.io/blog/keycloak-vs-auth0-open-source-alternative/
Primary sources:
- GitHub repository: https://github.com/keycloak/keycloak (33,405 stars, Apache 2.0 license)
- Official website: https://www.keycloak.org
- Documentation: https://www.keycloak.org/documentation