Dex vs Keycloak: What are the differences?
Introduction
In this article, we will compare Dex and Keycloak, two popular identity and access management (IAM) solutions. We will explore the key differences between Dex and Keycloak and provide specific details about each difference.
Authenticators Supported: One key difference between Dex and Keycloak is the range of authenticators supported. Dex primarily supports username/password, OAuth2 client credentials, and LDAP authenticators. On the other hand, Keycloak supports a wider range of authenticators including username/password, social login (Google, Facebook, etc.), multi-factor authentication (SMS, OTP), and more.
Federation: Dex and Keycloak also differ in their federation capabilities. Dex supports federation through connectors, which allows integration with various upstream identity providers like GitHub, Google, and Active Directory. Keycloak, on the other hand, provides built-in federation capabilities where it can act as an identity provider (IdP) for multiple service providers (SPs) using protocols like SAML, OAuth2, and OpenID Connect.
Scalability and High Availability: Dex and Keycloak have different approaches to scalability and high availability. Dex is designed to be lightweight and can be run as a single instance or in a small cluster. However, for larger deployments, external load balancers and databases are required to achieve scalability and high availability. Keycloak, on the other hand, has built-in clustering and a distributed cache system, making it easier to scale and achieve high availability out of the box.
Customization and Extensibility: When it comes to customization and extensibility, Keycloak offers more flexibility compared to Dex. Keycloak provides a comprehensive administration console and a wide range of configuration options to customize the authentication flow, user registration, and other aspects of the IAM system. In addition, Keycloak supports the development of custom extensions, themes, and plugins to tailor the system to specific requirements. Dex, while providing some customization options, has a more limited set of features in terms of extensibility.
Integration with Ecosystem: Dex and Keycloak have different levels of integration with other components and ecosystems. Keycloak, being part of the Red Hat ecosystem, seamlessly integrates with other Red Hat products like OpenShift, Red Hat Single Sign-On (RHSSO), and Red Hat Fuse. It also provides native support for Java and Spring Boot applications. Dex, on the other hand, does not have the same level of ecosystem integration and may require additional configuration or development efforts for specific integrations outside its core functionality.
Support and Community: Support and community play a crucial role when evaluating IAM solutions. Keycloak benefits from a large and active community, being an open-source project with backing from Red Hat. It has extensive documentation, forums, and a strong ecosystem of developers contributing to its development and support. Dex, while also having an active community, may have a smaller user base and comparatively fewer resources available for support and troubleshooting.
Summary
In summary, Dex and Keycloak differ in terms of authenticators supported, federation capabilities, scalability and high availability, customization and extensibility, integration with the ecosystem, and the level of support and community. These differences should be considered when choosing an IAM solution that best suits your specific requirements.
I am working on building a platform in my company that will provide a single sign-on to all of the internal products to the customer. To do that we need to build an Authorisation server to comply with the OIDC protocol. Earlier we had built the Auth server using the Spring Security OAuth project, but since in Spring Security 5.x it is no longer supported, we are planning to get over with it as well. Below are the 2 options that I was considering to replace the Spring Auth Server.
1. Keycloak
2. Okta
3. Auth0
Please advise which one to use.
It isn't clear if, besides the AuthZ requirement, you had others, but given the scenario you described my suggestion would be for you to go with Keycloak. First of all because you already have an on-premise IdP and with Keycloak you could maintain that setup (if privacy is a concern). Another important point is configuration and customization: I would assume with Spring OAuth you might have had some custom logic around authentication; this can be easily reconfigured in Keycloak by leveraging SPI (https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi). Finally, AuthZ as a functionality is well developed, based on standard protocols and extensible on Keycloak (https://www.keycloak.org/docs/latest/authorization_services/).
You can also use Keycloak as an Identity Broker, which enables you to handle authentication on many different identity providers of your customers. With this setup, you are able to perform authorization tasks centralized.
We have good experience using Keycloak for SSO with OIDC with our Spring Boot based applications. It's free, easy to install and configure, extensible - so I recommend it.
Pros of Dex
Pros of Keycloak
- It's an open source solution (33)
- Supports multiple identity provider (24)
- OpenID and SAML support (17)
- Easy customisation (12)
- JSON web token (10)
- Maintained by devs at Redhat (6)
Cons of Dex
Cons of Keycloak
- Okta (7)
- Poor client side documentation (6)
- Lack of Code examples for client side (5)