StackShare

© 2025 StackShare. All rights reserved.


Keycloak vs Vault


Overview

Vault: 816 stacks, 802 followers, 71 votes, 33.4K GitHub stars, 4.5K forks
Keycloak: 781 stacks, 1.3K followers, 102 votes

Keycloak vs Vault: What are the differences?

Keycloak and Vault are both widely used tools for authentication and authorization in software applications. The key differences between the two are as follows.

  1. Security Focus: Keycloak, developed by Red Hat, focuses on secure access to applications through single sign-on (SSO) and identity management. Vault, developed by HashiCorp, focuses on secure storage and retrieval of sensitive data such as secrets, passwords, and encryption keys.

  2. Token-based Authentication: Keycloak uses JSON Web Tokens (JWT) as its primary authentication mechanism; applications verify and validate these tokens before granting access to protected resources. Vault, by contrast, supports several authentication methods, including token-based, username/password, and LDAP, among others, which makes it more flexible across authentication scenarios.

  3. Secrets Management: One of Vault's key features is secure secrets management: it provides a centralized system for storing and accessing secrets, with support for automatic generation and revocation of secrets. Keycloak has some support for storing and managing client secrets, but it is not as feature-rich or specialized in secrets management as Vault.

  4. High Availability and Scalability: Keycloak supports clustering and can be deployed in a highly available, horizontally scalable manner, using a distributed cache to improve performance. Vault also supports high availability and scalability, but clustering requires extra configuration and setup and relies on a storage backend such as Consul or Vault's integrated storage.

  5. Ease of Use and Integration: Keycloak provides a user-friendly administration console and integrates with popular identity providers such as LDAP, Active Directory, and SAML; it also has built-in support for social login with providers like Google, Facebook, and Twitter. Vault is more command-line driven and has a steeper learning curve, and integrating it with external systems may require additional plugins or custom development.

  6. Extensibility and Customization: Keycloak offers a wide range of customization options, allowing developers to tailor authentication and authorization to their specific needs; it supports custom user federation, role-based access control, and custom authentication flows. Vault concentrates on providing a secure and reliable secrets management solution and offers fewer extensibility options than Keycloak.

In summary, Keycloak focuses on authentication, single sign-on, and identity management, with a strong emphasis on user-friendly features and wide integration options. Vault focuses on secure storage and management of secrets and has the more advanced capabilities in that area.


Advice on Vault, Keycloak

sindhujasrivastava

Jan 16, 2020

Needs advice

I am working on building a platform in my company that will provide a single sign-on to all of the internal products to the customer. To do that we need to build an Authorisation server to comply with the OIDC protocol. Earlier we had built the Auth server using the Spring Security OAuth project, but since it is no longer supported in Spring Security 5.x, we are planning to get over with it as well. Below are the 2 options that I was considering to replace the Spring Auth Server.

  1. Keycloak
  2. Okta
  3. Auth0

Please advise which one to use.

Detailed Comparison

Vault

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

Vault's main features:

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
  • Dynamic Secrets: Vault can generate secrets on demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them once the lease is up.
  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.
  • Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

Keycloak

Keycloak is an open source identity and access management solution for modern applications and services. It adds authentication to applications and secures services with minimal fuss. There is no need to store or authenticate users yourself; it is all available out of the box.
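The Leasing and Renewal and Revocation items above describe a lifecycle rather than an API. As an added illustration (not Vault's code), the model below shows that lifecycle: each secret is issued under a path with a TTL, renewal extends it but never beyond a maximum TTL measured from issuance, expired leases are revoked automatically, and a whole tree of secrets can be revoked by path prefix. The paths, TTLs and credential values are constructed; the revoke hook stands in for the backend call that deletes the real credential.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Lease:
    lease_id: str
    path: str             # issuing engine/role, e.g. "aws/creds/s3-reader" (constructed names)
    secret: dict          # the dynamic credential handed to the client
    issued_at: float
    expires_at: float
    max_expires_at: float # issued_at + max_ttl: renewals never push expiry past this

class LeaseRegistry:
    def __init__(self, revoke_hook):
        self._leases = {}
        self._revoke_hook = revoke_hook  # deletes the real credential in the backend (AWS, DB, ...)

    def issue(self, path, secret, ttl, max_ttl, now):
        lease_id = f"{path}/{secrets.token_hex(8)}"  # lease ids carry the issuing path as prefix
        self._leases[lease_id] = Lease(lease_id, path, secret, now, now + ttl, now + max_ttl)
        return lease_id

    def renew(self, lease_id, increment, now):
        """Extend the lease; the TTL granted is capped by max_ttl measured from issuance."""
        lease = self._leases.get(lease_id)
        if lease is None or lease.expires_at <= now:
            raise KeyError("lease unknown or already expired")
        lease.expires_at = min(now + increment, lease.max_expires_at)
        return lease.expires_at - now

    def revoke(self, lease_id):
        lease = self._leases.pop(lease_id, None)
        if lease is not None:
            self._revoke_hook(lease)
        return lease is not None

    def revoke_prefix(self, prefix):
        """Tree revocation: everything issued under a path, e.g. every "aws/creds/" secret."""
        ids = [i for i in self._leases if i.startswith(prefix)]
        for i in ids:
            self.revoke(i)
        return len(ids)

    def tidy(self, now):
        """Automatic revocation of every lease whose TTL has run out."""
        expired = [i for i, lease in self._leases.items() if lease.expires_at <= now]
        for i in expired:
            self.revoke(i)
        return len(expired)
```

The value returned by renew is the TTL actually granted, which a client must honour rather than the TTL it asked for; that cap is what keeps a long-lived renewal loop from turning a dynamic credential into a permanent one.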
Pros & Cons

Vault pros
  • Secure (17 votes)
  • Variety of Secret Backends (13 votes)
  • Very easy to set up and use (11 votes)
  • Dynamic secret generation (8 votes)
  • AuditLog (5 votes)

Keycloak pros
  • It's an open source solution (33 votes)
  • Supports multiple identity providers (24 votes)
  • OpenID and SAML support (17 votes)
  • Easy customisation (12 votes)
  • JSON web token (10 votes)

Cons
  • Okta (7 votes)
  • Poor client side documentation (6 votes)
  • Lack of code examples for client side (5 votes)

What are some alternatives to Vault, Keycloak?

Auth0

A set of unified APIs and tools that instantly enables Single Sign On and user management for all your applications.

Stormpath

Stormpath is an authentication and user management service that helps development teams quickly and securely build web and mobile applications and services.

Devise

Devise is a flexible authentication solution for Rails based on Warden.

Firebase Authentication

It provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your app. It supports authentication using passwords, phone numbers, popular federated identity providers like Google,

Amazon Cognito

You can create unique identities for your users through a number of public login providers (Amazon, Facebook, and Google) and also support unauthenticated guests. You can save app data locally on users' devices, allowing your applications to work even when the devices are offline.

WorkOS

Start selling to enterprise customers with just a few lines of code.

Doppler

Doppler's developer-first security platform empowers teams to seamlessly manage, orchestrate, and govern secrets at scale.

OAuth.io

OAuth is a protocol that aims to provide a single secure recipe for managing authorizations. It is now used by almost every web application. However, 30+ different implementations coexist. OAuth.io addresses this problem by acting as a universal adapter, thanks to a robust API. With OAuth.io, integrating OAuth takes minutes instead of hours or days.

OmniAuth

OmniAuth is a Ruby authentication framework that aims to abstract away the difficulties of working with various types of authentication providers. It is meant to be hooked up to just about any system, from social networks to enterprise systems to simple username and password authentication.

IBM SKLM

It centralizes, simplifies and automates the encryption key management process to help minimize risk and reduce the operational costs of encryption key management. It offers secure, robust key storage, key serving and key lifecycle management for IBM and non-IBM storage solutions using the OASIS Key Management Interoperability Protocol (KMIP).
