3. Keycloak as Identity and Access Management Solution
Status
Accepted
Date
2026-03-25
Context
The project requires a solution for authentication and authorization. As an open-source project, the IAM solution must be self-hostable, must not create a dependency on US-based cloud providers, and must not incur ongoing license costs. All other services in the project are also operated self-hosted.
Decision
We use Keycloak as the central IAM solution.
Rationale
-
Open source and free
-
Self-hosting guarantees full data sovereignty without dependency on US-based cloud providers
-
Fits the self-hosting strategy of all other services in the project
-
Large community, extensive documentation, and standards-based protocols (OIDC, SAML)
-
The Organizations feature allows users to belong to multiple organizations
Considered Alternatives
Auth0
Managed identity platform.
-
Pros
-
Low operational overhead
-
Fast integration
-
-
Cons
-
US-based provider - data protection requirements difficult to satisfy
-
No self-hosting option
-
Costs scale with user count
-
Azure AD / Entra ID
Microsoft’s cloud-based identity solution.
-
Pros
-
Deep integration with the Microsoft ecosystem
-
Managed service with high availability
-
-
Cons
-
US-based provider - same data protection issues as Auth0
-
No self-hosting option
-
License costs; not compatible with the project’s open-source approach
-
Custom Solution
Custom-built authentication and authorization layer.
-
Pros
-
Maximum control over feature scope and architecture
-
-
Cons
-
Enormous development and maintenance effort
-
High security risk due to lack of IAM expertise
-
No community support
-
Consequences
-
Full operational responsibility for Keycloak: updates, security patches, backups - hardening and timely application of security patches are mandatory
-
Realm configuration is version-controlled as a JSON export and delivered via the custom Docker image
-
Integration via OIDC: frontend uses a public client; backend validates JWT Bearer tokens
-
User and role management is handled centrally in Keycloak