Keycloak
Open-source identity and access management server speaking OIDC, OAuth 2.0, and SAML for apps and services.
- Category: Identity & Policy
- CNCF maturity: Incubating
- Language: Java (
maven.compiler.release17) - License: Apache-2.0
- Repository: keycloak/keycloak
- Documented at commit:
e733440(2026-06-24, near tag26.6.3)
What it is
Keycloak is a standalone identity provider (IdP). Applications delegate login, single sign-on, and token issuance to it instead of building their own. It speaks OpenID Connect, OAuth 2.0, and SAML 2.0, so a web app, a mobile client, or a backend service can authenticate users and obtain tokens through standard protocols.
Beyond issuing tokens, Keycloak manages the users themselves. It can store accounts in its own database, federate them from LDAP, Active Directory, or Kerberos, or broker identity from external IdPs and social logins. It also ships fine-grained Authorization Services based on User-Managed Access (UMA) 2.0 for projects that need policy-driven access decisions in one place.
The runtime is a Quarkus application. The same server runs the login flows, the admin REST API, the React-based Admin and Account consoles, and an optional Kubernetes Operator for cluster deployment.
When to use it
- You need a full IdP with user storage, SSO, and token issuance, not just a token endpoint.
- You must integrate with enterprise directories (LDAP, Active Directory, Kerberos) or broker external and social IdPs.
- You want one server for OIDC, OAuth 2.0, and SAML rather than separate components per protocol.
- You need centralized, policy-driven authorization (UMA 2.0 Authorization Services).
It is heavier than you want when you only need a lightweight OAuth2/OIDC token server with no built-in user management; a dedicated token server is a closer fit there.
In this deep-dive
- History: origin, milestones, and why it exists.
- Architecture: components and how requests flow.
- Adoption & Ecosystem: who runs it and what surrounds it.
- Internals: the code paths that matter, read from source.
- Getting Started: install and a first working setup.
Sources
- keycloak/keycloak (GitHub)
- Keycloak (CNCF project page)
- Keycloak joins CNCF as an incubating project
- Migrating to Quarkus distribution
- Keycloak 17 is out, Quarkus is now the default (n-k.de)
- Getting started with Keycloak on Docker
- Keycloak releases
- ADOPTERS.md (in-repo)
- Keycloak (Wikipedia)
- Best Keycloak Alternatives & Competitors 2025 (Oso)
- State of Open-Source Identity 2025 (House of FOSS)