3. Keycloak as Identity and Access Management Solution

Status

Accepted

Date

2026-03-25

Context

The project requires a solution for authentication and authorization. As an open-source project, the IAM solution must be self-hostable, must not create a dependency on US-based cloud providers, and must not incur ongoing license costs. All other services in the project are also operated self-hosted.

Decision

We use Keycloak as the central IAM solution.

Rationale

  • Open source and free

  • Self-hosting guarantees full data sovereignty without dependency on US-based cloud providers

  • Fits the self-hosting strategy of all other services in the project

  • Large community, extensive documentation, and standards-based protocols (OIDC, SAML)

  • The Organizations feature allows users to belong to multiple organizations

Considered Alternatives

Auth0

Managed identity platform.

  • Pros

    • Low operational overhead

    • Fast integration

  • Cons

    • US-based provider - data protection requirements difficult to satisfy

    • No self-hosting option

    • Costs scale with user count

Azure AD / Entra ID

Microsoft’s cloud-based identity solution.

  • Pros

    • Deep integration with the Microsoft ecosystem

    • Managed service with high availability

  • Cons

    • US-based provider - same data protection issues as Auth0

    • No self-hosting option

    • License costs; not compatible with the project’s open-source approach

Custom Solution

Custom-built authentication and authorization layer.

  • Pros

    • Maximum control over feature scope and architecture

  • Cons

    • Enormous development and maintenance effort

    • High security risk due to lack of IAM expertise

    • No community support

Consequences

  • Full operational responsibility for Keycloak: updates, security patches, backups - hardening and timely application of security patches are mandatory

  • Realm configuration is version-controlled as a JSON export and delivered via the custom Docker image

  • Integration via OIDC: frontend uses a public client; backend validates JWT Bearer tokens

  • User and role management is handled centrally in Keycloak