Need advice about which tool to choose?Ask the StackShare community!


+ 1

+ 1
Add tool

Keycloak vs Vault: What are the differences?

Keycloak and Vault are both powerful tools used for authentication and authorization in software applications. Let's explore the key differences between the two.

  1. Security Focus: Keycloak, developed by Red Hat, primarily focuses on providing secure access to applications through single sign-on (SSO) and identity management. On the other hand, Vault, developed by HashiCorp, is primarily focused on providing secure storage and retrieval of sensitive data such as secrets, passwords, and encryption keys.

  2. Token-based Authentication: Keycloak uses JSON Web Tokens (JWT) as its primary authentication mechanism. It allows applications to verify and validate the tokens to grant access to protected resources. In contrast, Vault supports various authentication methods like token-based, username/password, and LDAP among others, making it more flexible for different authentication scenarios.

  3. Secrets Management: One of the key features of Vault is its ability to manage secrets securely. It provides a centralized system for storing and accessing secrets, with support for automatic generation and revocation of secrets. While Keycloak does have some support for storing and managing client secrets, it is not as feature-rich or specialized in secrets management as Vault.

  4. High Availability and Scalability: Keycloak supports clustering and can be set up in a highly available and scalable manner. It uses a distributed cache to improve performance and allow horizontal scaling. Vault also supports high availability and scalability but requires extra configuration and setup for clustering. It uses storage backends like Consul or integrated storage to enable clustering.

  5. Ease of Use and Integration: Keycloak provides a user-friendly administration console and various integration options with popular identity providers like LDAP, Active Directory, and SAML. It also has built-in support for social login using providers like Google, Facebook, and Twitter. Vault, on the other hand, has a more command-line driven interface and may require some learning curve to get started. Integration with external systems may require additional plugins or custom development.

  6. Extensibility and Customization: Keycloak offers a wide range of customization options, allowing developers to tailor the authentication and authorization processes to their specific needs. It supports custom user federation, role-based access control, and custom authentication flows. Vault, on the other hand, is more focused on providing a secure and reliable secret management solution and does not offer as many extensibility options as Keycloak.

In summary, Keycloak is primarily focused on authentication, single sign-on, and identity management with a strong emphasis on user-friendly features and wide integration options. Vault, on the other hand, is primarily focused on secure storage and management of secrets and has more advanced capabilities in that area.

Advice on Keycloak and Vault
Needs advice
Spring SecuritySpring Security

I am working on building a platform in my company that will provide a single sign on to all of the internal products to the customer. To do that we need to build an Authorisation server to comply with the OIDC protocol. Earlier we had built the Auth server using the Spring Security OAuth project but since in Spring Security 5.x it is no longer supported we are planning to get over with it as well. Below are the 2 options that I was considering to replace the Spring Auth Server. 1. Keycloak 2. Okta 3. Auth0 Please advise which one to use.

See more
Replies (3)
Luca Ferrari
Solution Architect at Red Hat, Inc. · | 5 upvotes · 208K views

It isn't clear if beside the AuthZ requirement you had others, but given the scenario you described my suggestion would for you to go with Keycloak. First of all because you have already an onpremise IdP and with Keycloak you could maintain that setup (if privacy is a concern). Another important point is configuration and customization: I would assume with Spring OAuth you might have had some custom logic around authentication, this can be easily reconfigured in Keycloak by leveraging SPI ( Finally AuthZ as a functionality is well developed, based on standard protocols and extensible on Keycloak (

See more
Sandor Racz

We have good experience using Keycloak for SSO with OIDC with our Spring Boot based applications. It's free, easy to install and configure, extensible - so I recommend it.

See more

You can also use Keycloak as an Identity Broker, which enables you to handle authentication on many different identity providers of your customers. With this setup, you are able to perform authorization tasks centralized.

See more
Get Advice from developers at your company using StackShare Enterprise. Sign up for StackShare Enterprise.
Learn More
Pros of Keycloak
Pros of Vault
  • 33
    It's a open source solution
  • 24
    Supports multiple identity provider
  • 17
    OpenID and SAML support
  • 12
    Easy customisation
  • 10
    JSON web token
  • 6
    Maintained by devs at Redhat
  • 17
  • 13
    Variety of Secret Backends
  • 11
    Very easy to set up and use
  • 8
    Dynamic secret generation
  • 5
  • 3
    Privilege Access Management
  • 3
    Leasing and Renewal
  • 2
    Easy to integrate with
  • 2
    Open Source
  • 2
    Consol integration
  • 2
    Handles secret sprawl
  • 2
    Variety of Auth Backends
  • 1

Sign up to add or upvote prosMake informed product decisions

Cons of Keycloak
Cons of Vault
  • 7
  • 6
    Poor client side documentation
  • 5
    Lack of Code examples for client side
    Be the first to leave a con

    Sign up to add or upvote consMake informed product decisions

    - No public GitHub repository available -

    What is Keycloak?

    It is an Open Source Identity and Access Management For Modern Applications and Services. It adds authentication to applications and secure services with minimum fuss. No need to deal with storing users or authenticating users. It's all available out of the box.

    What is Vault?

    Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

    Need advice about which tool to choose?Ask the StackShare community!

    What companies use Keycloak?
    What companies use Vault?
    See which teams inside your own company are using Keycloak or Vault.
    Sign up for StackShare EnterpriseLearn More

    Sign up to get full access to all the companiesMake informed product decisions

    What tools integrate with Keycloak?
    What tools integrate with Vault?

    Sign up to get full access to all the tool integrationsMake informed product decisions

    Blog Posts

    What are some alternatives to Keycloak and Vault?
    A set of unified APIs and tools that instantly enables Single Sign On and user management to all your applications.
    Connect all your apps in days, not months, with instant access to thousands of pre-built integrations - even add apps to the network yourself. Integrations are easy to set up, constantly monitored, proactively repaired and handle authentication and provisioning.
    FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.
    Dex is a personal CRM that helps you build stronger relationships. Remember where you left off, keep in touch, and be more thoughtful -- all in one place.
    JavaScript is most known as the scripting language for Web pages, but used in many non-browser environments as well such as node.js or Apache CouchDB. It is a prototype-based, multi-paradigm scripting language that is dynamic,and supports object-oriented, imperative, and functional programming styles.
    See all alternatives