Help us choose between Keycloak and Auth0

Do you have experience with single sign-on implementations? We need some advice. We can also offer some freelance work to the right person with hands-on experience of SSO implementation to help development. We are working on a project that will help grassroots organizations collaborate on running and maintaining buildings, creative communities and parks. It’s a mostly open source set of tools split up into three web apps.

We have two web apps (both with GraphQL APIs and React/Apollo frontends). Both of these apps are built to be multi-tenant, with each tenant having its own set of users and a separate domain. We now want to build a Single Sign-on solution that allows users to log in to both of these apps with the same account. We also want to build a dashboard that allows organization admins to administrate user roles and permissions for their organization.

We are currently comparing two possible solutions. One is to use Auth0, and the other is to run Keycloak. Furthermore, we are open to other options.

Some requirements:

• In the first two years, we are expecting at most a couple of hundred organizations, with an average of 50 users each. However, the solutions should be able to scale to thousands of organizations.
• It is important that the SSO server has ready-made connections to social identity providers like Google.
• It is important that there are well-documented cases of using the SSO solution with Swedish BankID authentication (BankID)
• We want the ways of authentication (username and password, social, BankId) to be set by us individually for each tenant depending on the use case. Some will only want passwords as usernames while others will want social authentication with Google or official identity with BankID.
• We need to be able to have our custom interface for the SSO page
• Preferably, we want to be able to use different SSO page designs for each tenant.
• These applications are open-source, so the ease of setup for community developers is a factor.

Factors to consider:

• We do not want to be locked in by Auth0, but we also don’t want to become bogged down in early development by having to implement everything ourselves.
• Users will be dormant for most of the year, logging in often for 3 months and logging in quite rarely for the rest of the year.
• Price is a factor, and we want to compare the subscription cost of Auth0 to the estimated cost of setting up, configuring, and running Keycloak and developing any required integrations. Since Auth0 also needs some configuration, this should be taken into account.
• Generally speaking, we would accept the 0.25 USD fee incurred per user for Auth0 if the work and effort saved by using Auth0 are considerable. This also means that if we can instead use the same amount to pay our team, that would be preferable.

Some illustrations on our architecture. Note that the dashboard has dashed lines and arrows. That’s because we might not need to build it ourselves if there is a way to give org admins restricted access to Keycloak to set roles.

image887×833 105 KB

image1142×838 111 KB

@daniel, @matthias, @felix.wolfsteller, @gdpelican - up any of your alleys?

I don’t have experience with any of these two, so I can’t offer any detailed advice esp. when it comes to compatibility with the Swedish banking system.

But seeing that only Keycloak is open source, that would be a major criterion for me when building an open system. Why tie yourself to a closed, commercialized system that might not be around in five years, or have changed its protocol twice, or be twice as expensive etc…

Also maybe an option: OpenID Connect.

You might ask @rasos for consultation, with fairkom they run extensive and successfull SSO, bridging multiple (open source) services. Afair they use keycloak and I would strongly suggest putting your primary authentication source and identity provider in your own hands control.

Thank you @felix.wolfsteller for linking us here. At fairkom we had a research project on SSO in 2017 with the goal to launch fairlogin. It should work as a unique ID for our open source service portfolio on fairapps.net and also for other climate change / environmental initiatives. After several tests with various IDM systems we have chosen keycloak and do not regret. Meanwhile we have also deployed keycloak for other customers or wrote extensions e.g. for handling JWT tokens for Jitsi Meet or custom interfaces. Roles allow to fine-tune permissions for each application. One keycloak instance can handle several realms, which you can interconnect. You could also federate with other keycloaks or oAuth2 providers such as Google, Twitter or facebook. A bit more tricky is the self-management of groups with IDMs, for which we are just launching a project with Rocket.Chat. PM me so that we could schedule a call on how we could support you.

What a great connection @felix.wolfsteller, thanks! @rasos - let’s talk. You’ve got a PM.

Pinging @gustav and @JacobKarlsson - developers on the project.

I am happy to be included in the talk as probably passive listener, I am sure that I could learn something of the talk. If you agree, PM me once you have a date scheduled.

Just a note for reference on this point. I found a repository on GitHub and have emailed the creator about his experience with BankID and Keycloak.

@liam, you might also be interested in this conversation.

I’m currently doing research and will post my findings here for posterity. In summary; Keycloak fulfills most of the requirements we have, with the possible exception of scaling to thousands of tenants.

This might potentially be an issue with Keycloak. It’s a commonly unanswered question how well Keycloak scales. Hundreds of realms seems to be okay, but there is little data on how it deals with thousands of realms.

It’s unclear if Keycloak can handle thousands of realms. We might need to rethink this. Perhaps the standard use-case for a small organization using only Dreams (which is what most of them will use) is to just create an event and not an org? That way, the free tier of Plato would keep everyone on the same realm while the paid plan would have us either create new realms for orgs and customize them according to their needs, or connect Plato to an existing IDP that the org is already running.

This works with Keycloak.. Currently, Keycloak supports social login with Google, Facebook, Twitter, GitHub, LinkedIn, Microsoft, and Stack Overflow.

An integration exists, and I have contacted the author who says that it works well, even though they still don’t run it in production. He has offered to help us if we have any questions.

Yes, this seems to be possible. From the official documentation:

1. User is not authenticated and requests a protected resource in a client application.
2. The client applications redirects the user to Keycloak to authenticate.
3. At this point the user is presented with the login page where there is a list of identity providers configured in a realm.
   …

Yes, see docs chapter on themes. Themes can be applied for:

A theme can provide one or more types to customize different aspects of Keycloak. The types available are:

• Account - Account management
• Admin - Admin console
• Email - Emails
• Login - Login forms
• Welcome - Welcome page

Furthermore, themes are applied on a per-tenant basis:

All theme types, except welcome, are configured through the Admin Console . To change the theme used for a realm open the Admin Console , select your realm from the drop-down box in the top left corner. Under Realm Settings click Themes .

More relevant resources for us:

Ping @gustav

More relevant info:

A potential solution to the tenancy problem. We could do this when users don’t need their own domain, connection to custom login options etc. For more “white label” solutions we could create realms instead.

This means we can’t use groups as proxies for events, but I guess we could use roles for that purpose instead.

Of course, it’s possible that this doesn’t solve anything and that it’s just as unstable to have 500+ groups as it is to have 500+ realms.

Hugi,

Yeah, I checked out the link to keycloak, which seems promising. I guess you recalled that I had done some related work with Burning Man and OAuth2?
But with Auth0 I recall it being very easy to use, and never did anything fancy.
I do like the idea of running the server yourself. I’m wanting to cut ties to facebook, in general, and google for privacy reasons, etc.
It looks like Rasos has a lot of applicable experience.
But if you think I could be of help, I definitely have time on my hands. LOL!

Liam

Sorry for going offtopic, but your project sounds really interesting—do you have a website or maybe a blog entry about it? I guess it is tailored to Swedish projects, but I’m sure it can be inspiring to see which apps or processes you target.

(I work for a cooperative in the commons sector — or in common good oriented real estate development / gemeinwohlorientierte Immobilienentwicklung, as we like calling it —and we’re also thinking about the implementation of open source online collaboration tools.)

We only have a Swedish website for now,, but we will have information in English shortly. We should be ready to take on new collaborators soon. Some of our tools are available in beta. For example, this group is using it to plan initiatives for a piece of communally owned land they are planning to buy.