authentik vs Keycloak
Pick authentik if you want a modern, self-hoster-friendly IdP with a visual flow builder and broad protocol support without a JVM to babysit. Pick Keycloak if you need the deepest SAML/LDAP standards coverage and enterprise-proven maturity, and you can feed it a JVM.
Side by side
authentik and Keycloak are the two names that come up when a self-hosted stack outgrows app-by-app passwords and needs one place to handle login, MFA, and SSO across everything. Both speak the same core protocols and both are genuinely free to run. The choice between them is less about "which one works" and more about which flavor of complexity you would rather own: a newer, friendlier platform built for exactly this audience, or the identity server enterprises have trusted for a decade.
A modern IdP vs. the enterprise standard
authentik is the newer entrant — a Python, Go, and TypeScript stack with a visual, flow-based login builder that lets you assemble authentication steps (password, MFA, consent, enrollment) like a flowchart instead of editing XML. It ships a proxy provider for apps that cannot speak OIDC or SAML natively, and it was built from day one with self-hosters and small teams in mind.
Keycloak is the incumbent. Built on Java and Quarkus and backed by Red Hat, it has been running production SSO for banks, governments, and large enterprises for well over a decade, and it carries a CNCF incubation status that few identity projects can claim. It is the reference implementation against which a lot of the OSS identity ecosystem measures itself.
Footprint and resources
The two do not size up the way their reputations suggest. authentik's realistic floor sits at 2 GB of RAM, rated a 3 out of 5 to deploy — reflecting its multi-service shape: a server process, a background worker, PostgreSQL, and Redis, all wired together by the official Compose file. Keycloak's quoted minimum is lower, 1 GB, but it rates a tougher 4 out of 5 to deploy — that gap is the tell. Keycloak's dev-mode quickstart (a single container, embedded database) really is that light, but getting it production-ready — an external database, sane heap sizing, clustering — is where the JVM asks more of you than authentik's docker-compose-and-go setup does. Keycloak wins on paper minimum RAM; authentik wins on how much of that RAM turns into a working deployment without extra tuning.
Protocols and standards
Both cover the protocol basics: OIDC, OAuth2, and SAML, plus LDAP for directory-backed logins. This is where Keycloak's decade of production hardening shows. Its SAML implementation is particularly mature — the kind of thing that matters when you are integrating a legacy enterprise app that speaks nothing else — and its LDAP/Active Directory federation is widely regarded as the most complete in the open-source identity world. Support for newer OAuth2/OIDC profiles like PAR and DPoP exists but is still filling in.
authentik supports the same protocol set — OIDC, SAML, LDAP — and wraps it in a noticeably cleaner configuration surface, but it has not accumulated the same breadth of edge-case coverage. For straightforward OIDC/SAML SSO across self-hosted apps, that gap rarely matters. For federating against an existing enterprise directory or a protocol edge case a legacy vendor insists on, Keycloak's depth is the safer bet.
UX and setup
This is authentik's clearest advantage. The flow-based builder turns authentication logic — "require MFA for admins," "show a custom enrollment page," "chain an external IdP before password entry" — into something you configure visually rather than something you code. The admin UI is modern, and a first OIDC integration is a genuinely quick exercise.
Keycloak's admin console is comprehensive but denser: realms, clients, scopes, and mappers are all powerful primitives, but a developer configuring it for the first time should plan a couple of hours to get a basic OIDC client working correctly, and the model rewards — or requires — reading the docs before wiring in your first app.
Maturity and ecosystem
Keycloak's production history is hard to match: it has run identity for enterprises, governments, and financial institutions for years, has a large global contributor base, and Red Hat's backing gives it an unusually strong "still around in five years" signal. authentik is younger and has less production mileage at the largest scales, but it has grown quickly and already covers what most self-hosted, small-to-mid-size deployments need.
Licensing and open-core
Both cores are permissively licensed — authentik under MIT, Keycloak under Apache-2.0 — so neither locks you into a vendor's terms for the code you actually run. The difference is business model, not license text. authentik follows an open-core structure: the free edition covers SSO, MFA, LDAP, SAML, OIDC, flows, and the proxy provider — everything most self-hosters need — while an Enterprise tier layers on remote access (RDP/SSH/VNC was open-sourced in a recent release, a sign the boundary moves in the community's favor over time), AI-based risk detection, and support SLAs. Keycloak has no equivalent tier: the whole feature set lives in the Apache-2.0 project, and Red Hat's commercial offering is support, not gated functionality.
Which should you self-host?
Pick authentik if…
- You want a modern admin experience and a visual flow builder instead of hand-editing realm configuration.
- Your app portfolio includes things that cannot speak OIDC or SAML — the built-in proxy provider covers them.
- You are comfortable with a multi-container stack in exchange for an easier day-to-day operating experience, and a 3 / 5 setup is your ceiling.
Pick Keycloak if…
- You need the deepest SAML support or LDAP/Active Directory federation available in open source.
- Your estate is large, multi-tenant, or otherwise wants Keycloak's realm model, and you can feed it a properly sized JVM.
- Enterprise-grade production history and Red Hat backing matter more to you than setup speed.
Running either on a VPS
Both run comfortably on a single modest server, but budget RAM around what each actually needs to run well rather than the bare minimum: authentik for its full Compose stack (server, worker, Postgres, Redis), Keycloak for a production-shaped setup with an external database rather than its dev-mode quickstart. Back up the database in both cases — it holds every user, credential, and flow you have configured — and expect Keycloak's JVM to reward a bit more tuning attention as your realm grows. The step-by-step setups are linked below, and any of the VPS options here has room for either stack.
Other comparisons with these apps
The polished, Ollama-native default vs. the multi-provider power tool.
SQL-native and ecosystem-rich vs. all-in-one and easier to stand up.
Mature and broad vs. lean and built for clusters.