
Keycloak
Open source identity and access management solution with single sign-on, social login, user federation, and fine-grained authorization for applications.

Keycloak is a comprehensive open source identity and access management solution that eliminates the complexity of handling user authentication and authorization in your applications. Instead of building custom login systems, developers can integrate Keycloak to handle all identity-related tasks with minimal effort.
Key features include:
- Single Sign-On (SSO) - Users authenticate once and access multiple applications without repeated logins
- Social Login Integration - Easy setup for authentication via Google, Facebook, GitHub, and other social providers
- Identity Brokering - Connect with existing OpenID Connect or SAML 2.0 identity providers
- User Federation - Built-in LDAP and Active Directory support, plus custom provider options
- Fine-grained Authorization - Role-based access control and advanced permission policies
- Standard Protocol Support - OpenID Connect, OAuth 2.0, and SAML 2.0 compliance
The platform provides both an admin console for centralized management of users, applications, and policies, and an account management console where users can update profiles, manage sessions, and configure two-factor authentication.
Keycloak is designed for scalability with clustering support, offers extensive customization through themes and code extensions, and maintains high performance while being lightweight. As a Cloud Native Computing Foundation incubation project, it's actively maintained and enterprise-ready.
Session idle and max lifespans, as well as offline sessions, can be adjusted to keep sessions alive for longer periods.
Admins can view and revoke user and client sessions, sign out all sessions, and configure session lifespans in the admin console.
The UI is internationalized. Administrators can enable multiple languages, and users can choose their language at login or in the account/admin consoles.
SCIM support is available only via a community extension and is not built into Keycloak.
Lifespans for access, refresh and ID tokens can be configured. Refresh tokens can have reuse limits.
Each screen is backed by a theme. Administrators can override templates and stylesheets to customize login and registration pages.
Keycloak does not include built‑in webhook event delivery. Community plugins are available.
No official integrations with third‑party business tools are provided. Integrations require custom code or community plugins.
Authentication flows can include Google reCAPTCHA or reCAPTCHA Enterprise to filter bots during login and registration.
Using client policies and conditional flows, Keycloak can implement step‑up authentication to require higher authentication levels based on the requested ACR or resources.
Keycloak lacks a built‑in security monitoring dashboard; events are logged, but no dashboard is provided.
The Organizations feature allows administrators to manage organizations and members and to onboard users via invitations.
Admins with the impersonation role can log in as a user from the Users list or user details to troubleshoot issues.
The admin console lets administrators manage realms, users, clients, identity brokering and authorization policies centrally.
Realms can be exported along with users. Administrators can choose strategies.
Events are logged internally and can be exported via custom listeners.
Separate environments (dev/staging/prod) are managed via separate realms or servers.
Keycloak has mailing lists, forums and other community channels for support.
There is no built‑in monitoring dashboard. Metrics require community extensions such as the Metrics SPI.