What makes Keycloak better and worse than alternatives?
The Internet lets us find the information that is interesting and useful to us. This is cool, but we are not protected from the insidious viruses and cyber attacks that constantly surround us and threaten to destroy our personal data or, even worse, to distribute it without our knowledge. It’s good that programmers have come up with a solution to these unpleasant problems, and its name is Keycloak.
Keycloak is an application for implementing a single point of authentication and authorization. In the IT world this technology is called Single Sign-On (or SSO for short). Similar services are called “Identity and Access Management” (IAM).
Keycloak was written in Java, and it saw the light of day in 2014.
With the help of Keycloak, users can obtain rights for various applications, while going through the authentication process only once. This makes it easier for developers because they don’t have to spend a lot of time writing code.
Keycloak has the following features and functions:
- Token issuance.
- Social network authorization.
- Single Sign-On.
- Two-factor authentication.
- Its own interface for user registration and authentication.
- Ability to integrate with directory services.
- Automatic authentication using Kerberos tickets.
Keycloak has a client-server architecture. The server is either a ready-made package installed on the OS (Windows and Linux are supported) or a Docker application. The Keycloak client is an adapter, namely a block of code that the developer uses to integrate their own application with the server.
The main advantages of Keycloak:
- It has an extended API, which allows you to use it for your purposes and needs.
- High processing speed: Keycloak can handle a load of up to 1 million users simultaneously.
- It supports federation: you can set up the exchange of users with many systems (for example, with Active Directory).
- High level of protection of confidential information and data.
- It is free.
The main disadvantages of Keycloak:
- There is a risk that if you click “the wrong way”, everything will break. For example, you can accidentally delete some unifying role, and you will have to build everything from scratch.
- There is a need for a test zone for experiments. You have to use additional resources.
- There is no complete documentation for the API, as a result of which you will have to do extra work: read a lot of code and sort through similar plugins.
Now let’s look at alternatives to Keycloak.
An alternative to Keycloak and its main rival – Okta
Every service, even the strongest, has competitors, and Keycloak is no exception. Meet Okta, its opponent and antagonist!
It is already an “old man” in the world of IT: it was released back in 2009. It is cloud software that provides security and authentication protection for users in applications. The cost of using Okta is $2 per user per month.
What is special about Okta?
- Wide integration with more than 6,000 applications.
- Supports multi-factor authentication, thereby increasing the level of security.
- Simple and intuitive interface for Okta users.
- Single Sign-On functionality: makes life easier for users, as it significantly simplifies their access to several applications, reducing the need to use multiple passwords.
- API access control: securely extends the API.
Who should use Okta?
- If you have encountered cybersecurity threats before.
- If you work in the healthcare and financial sectors and your goal is to protect customer data.
- If you want a more flexible and convenient login process.
Advantages and disadvantages of Okta
Here are some of Okta’s strengths:
- Security: you don’t have to worry about your personal data being shared with third parties or being hacked.
- Ease of use: users approve of the user-friendly interface and lack of clutter.
- Scalability.
- Comprehensive lifecycle management.
Like all alternatives to Keycloak, Okta has its weaknesses:
- Firstly, Okta is not suitable for small companies and organizations, as it will be quite expensive for them. Okta is good for large corporations and is more focused on them.
- Speaking of prices, we cannot ignore the fact that Okta is paid software, unlike Keycloak.
- Customization options may be limited for some advanced features (e.g. limited focus on CIAM compared to Ping Identity).
Real user reviews of Okta
Users themselves note advantages and disadvantages of using Okta. Here are the main ones.
Advantages:
- Simple two-factor authentication using the Okta mobile app.
- Convenient navigation and ease of use for novice users.
- Development: an update for fingerprint login has been added.
- Initialization of offers.
- Secure passwords.
But here is what Okta users are unhappy with:
- Frequent password resets and the need to enter a password several times a day.
- Delayed push notifications.
- Sometimes slow login.
- Navigation through the AP and the ability to delete old ones without admin.
- Customization of the main page of the application.
Auth0 as an alternative to Keycloak
Another open-source alternative to Keycloak is Auth0. This user-friendly software has been around since 2013. Auth0 is paid, but it also has a free plan.
Its key features:
- It can accept any connection configuration (e.g. ADFS, LDAP) with just a few lines of coding.
- Includes centralized user account provisioning management and advanced analytics.
- Uses standard protocols (LDAP, OpenID Connect).
The main advantages of Auth0:
- Easy to work with integrations.
- Widespread use of JavaScript.
- An easy-to-configure set of tools that is focused on DevOps.
- Excellent customer support.
- Fewer passwords.
There are some drawbacks:
- No dashboards.
- Paid plans are quite expensive.
- A somewhat complicated role management process.
IdentityServer 4 as an alternative to Keycloak
And finally, among the free alternatives to Keycloak, IdentityServer 4 can be highlighted.
This provider supports OpenID Connect and OAuth 2.0 protocols, as well as external Identity providers. We can connect authorization using Google, Facebook, Microsoft, Twitter, Instagram, etc.
Advantages and disadvantages of IdentityServer 4
The advantages of this Identity provider are:
- Flexible configuration and the ability to add custom validators. Since we create the application ourselves and install NuGet packages there, we can override, for example, token validation ourselves, if we decide that another additional check is needed.
- Ability to create a UI. We can create a user interface for user registration pages, login pages, user profiles, etc. There is an implementation from the creators of the provider, but it is not suitable for every case. That’s why IdentityServer 4 is now shipped without a user interface so that we don’t have to redesign it but make our own.
- Flow support. It works with all kinds of flows (Auth Code, Device Flow, etc.).
- Detailed documentation. This solution has very good documentation. You can quickly figure out all the functionality and connect it. We should thank the large community for such documentation.
- Free for commercial use. I don’t think there’s any need to comment on this point. The advantage is clear here.
- Suitable for cloud-based and on-premises solutions. The only thing worth adding to this point is that we need to take care of how to deploy it in the cloud.
Unfortunately, there are also obvious disadvantages:
- Entry threshold. You need to be a fairly advanced user who is very well-versed in authorization and authentication and understands how it all works.
- There is no admin panel – you’ll have to create it yourself. Plus, it will take a lot of work to generate authorization from scratch and manage all access conveniently.