Identity Management: Just Use Keycloak™

Many projects start off with a basic requirement of having email + password based authenticated users, sign-in and sign-up flows, registration, forgot password, etc. Soon, you need to support browser as well as mobile app flows (using OAuth2). As the product matures, you realize you need Access Management – the ability to restrict access to certain areas of your app based on roles. Later, you need to deal with changing user roles or role permissions, issuing temporary user bans, user deletions, etc. After tasting success, you decide to roll out a bunch of related products and now you wish you had Single Sign-On (SSO).

From an infrastructure perspective, the user identity endpoints are a bit of a hotspot. Login, Forgot Password and Registration are all public endpoints that are hugely interesting to people trying to abuse or break into your system. Do you really want these to share resources with the rest of your app? (Sure, Cloudflare and similar solutions can mitigate that risk.)

It's tempting to think your product doesn't require a fancypants Identity and Access Management solution; that you can roll your own backend that supports all your needs. We built one too, and it barely took a week – using oauthlib, Flask-Admin, Flask-Marshmallow, and a bunch of other sugary sweets – complete with cascading permissions and supporting complex overrides, with client and server-side permission checks. That was before we found Keycloak.

Hosted solutions like AWS Cognito exist, but are a bit too complex to manage especially if you are looking for a multi-cloud portable solution. That's just my personal opinion though.

Keycloak is the most comprehensive solution I've seen in the open-source world so far. If you're using Auth0 and looking for something open-source or self-hosted, this could fit your requirements. Keycloak is also Docker and k8s friendly, so setting up a cluster with horizontal scaling can be easy. It's not exactly lightweight, so scaling horizontally is the way to go.
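As an added example (not code from this post or from the Keycloak project), here is a small Python resource-server check that enforces the role-based access management described above using the claim layout of a Keycloak access token: realm roles under `realm_access.roles` and client roles under `resource_access.<client>.roles`. It assumes the token's signature has already been verified against the realm's JWKS by a JWT library, and the issuer URL, client id, role names and sample payloads are placeholders constructed for the example.

```python
import time
from typing import Dict, Iterable, Optional, Set, Tuple

# Placeholder configuration (assumed, not from the post): the realm this API
# trusts and the client id Keycloak issues tokens for. Keycloak realm issuers
# look like https://<host>/realms/<realm>.
TRUSTED_ISSUER = "https://sso.example.test/realms/myrealm"
CLIENT_ID = "orders-api"


def token_roles(payload: Dict, client_id: str) -> Set[str]:
    """Collect the roles a Keycloak access token carries.

    Keycloak places realm roles under realm_access.roles and client-scoped
    roles under resource_access.<client_id>.roles; both count here.
    """
    roles = set(payload.get("realm_access", {}).get("roles", []))
    client_block = payload.get("resource_access", {}).get(client_id, {})
    roles.update(client_block.get("roles", []))
    return roles


def authorize(payload: Dict, required_roles: Iterable[str], *,
              issuer: str = TRUSTED_ISSUER, client_id: str = CLIENT_ID,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a signature-verified token payload grants access.

    The caller must already have verified the JWT signature against the
    realm's JWKS (e.g. with PyJWT); this function only applies policy.
    Returns (allowed, reason) so denials can be logged with a cause.
    """
    now = time.time() if now is None else now

    # 1. Issuer: tokens from any other realm or server are rejected outright.
    if payload.get("iss") != issuer:
        return False, "wrong issuer"

    # 2. Lifetime: an expired token is never honoured. Role changes and
    #    temporary bans made in Keycloak take effect once the access token
    #    expires, so keep access-token lifetimes short.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"

    # 3. Audience: the token must be meant for this API. "aud" may be a
    #    string or a list; the client is assumed to have an audience mapper
    #    so the API's client id appears there.
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        return False, "token not intended for this client"

    # 4. Roles: every required role must be present.
    missing = set(required_roles) - token_roles(payload, client_id)
    if missing:
        return False, "missing roles: " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed sample payloads, shaped like what a JWT library returns after
# verifying a Keycloak access token. They are not real tokens.
NOW = 1_700_000_000  # fixed clock so the example is deterministic
ADMIN_TOKEN = {
    "iss": TRUSTED_ISSUER, "aud": ["orders-api", "account"], "azp": "orders-api",
    "exp": NOW + 300, "sub": "user-1",
    "realm_access": {"roles": ["admin", "user"]},
    "resource_access": {"orders-api": {"roles": ["orders:write"]}},
}
USER_TOKEN = {
    "iss": TRUSTED_ISSUER, "aud": "orders-api", "azp": "orders-api",
    "exp": NOW + 300, "sub": "user-2",
    "realm_access": {"roles": ["user"]},
}

if __name__ == "__main__":
    for name, tok, needed in [("admin -> /admin", ADMIN_TOKEN, ["admin"]),
                              ("user -> /admin", USER_TOKEN, ["admin"]),
                              ("admin -> /orders", ADMIN_TOKEN, ["orders:write"])]:
        print(name, authorize(tok, needed, now=NOW))
```

The `authorize` function returns a reason string rather than a bare boolean so that denied requests can be logged and alerted on: a burst of "wrong issuer" or "token not intended for this client" denials on the public-facing API is exactly the kind of signal the post's "hotspot" remark is about.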