Keycloak Alternative for SMBs: Why Authentik Is the Better Choice

March 31, 2026
Timo Wevelsiep

Keycloak is overkill for most SMBs. Authentik offers SSO, MFA, LDAP & SAML in a modern, lightweight package. Comparison, facts & managed hosting.

The Problem with Keycloak

Keycloak is powerful. No question. The open-source IAM system developed by Red Hat has existed for over 13 years, has more than 32,000 GitHub stars [19] and is used worldwide in enterprise environments. It supports OAuth 2.0, OpenID Connect, SAML 2.0, LDAP Federation, Identity Brokering and fine-grained authorization.

But Keycloak has a fundamental problem: it was built for large enterprises – and it behaves that way.

Resource hunger that hurts

Keycloak is based on Java and the Quarkus framework. The base RAM usage alone is around 1,250 MB per pod – without load, just for realm caches and sessions [1]. The official recommendation for production container deployments: at least 2 GB RAM limit [2]. In practice, you need more like 3–4 GB once you have a few realms, clients and active sessions.

There's also a known issue: Keycloak tends toward increasing memory consumption over time [4]. JVM tuning with parameters like MaxRAMPercentage, MaxHeapFreeRatio and choosing the right garbage collector is part of daily operations. If you're not familiar with Java internals, you have a problem.

Complexity that slows teams down

The path from docker run to a production-ready Keycloak instance is long. Hostname configuration, TLS setup, reverse proxy integration, database optimization, Infinispan cache tuning – all of this requires deep expertise. The admin console is regularly described as unintuitive [6]. Customizing login pages requires working with complex theme templates, not a modern UI editor.

A TCO analysis by Sirius Open Source puts the operational costs for self-hosting Keycloak over three years at around €142,000 – with a weekly maintenance effort of over three hours [5]. The "free" open-source tool is anything but cheap in practice.

Upgrade pain as a permanent state

Major version upgrades with Keycloak regularly involve breaking changes. The migration from WildFly to Quarkus (from version 17) was a significant disruption [7]. Custom themes, SPI extensions and cache configurations often need to be adapted during version jumps. Downtime during upgrades is not uncommon – because the internal cache libraries of different versions are not compatible with each other [8].

For a mid-sized IT team of three to five people who are also managing the rest of the infrastructure on the side, this is not a sustainable operating model.


Authentik: The Modern Alternative

Authentik is an open-source Identity Provider that launched in 2020 and explicitly positions itself as a simpler, more modern alternative to Keycloak. The project now has over 20,000 GitHub stars [19] and is actively developed – with a clear focus on developer experience and self-hosting.

Same protocols, less complexity

Authentik supports all relevant standards: OAuth 2.0, OpenID Connect, SAML 2.0, LDAP, RADIUS and SCIM. For the vast majority of SMB use cases – SSO for internal applications, MFA for employees, centralized user management – Authentik offers the same feature set as Keycloak.

The crucial difference: you don't need Java expertise to run it. Authentik is written in Python (Django) and Go and designed from the ground up for container deployments.

Flow-based authentication: Flexible without code

The heart of Authentik is the flow system [11]. Instead of rigid configuration screens, you define authentication workflows from individual "stages" – identification, password, MFA, consent – and control them dynamically via policies [12].

A standard login flow consists of three stages: the user identifies themselves (username/email), enters their password, and is logged in. Building on that, you can define context-dependent rules:

  • Access from the company network? → Skip 2FA.
  • Login from an unknown IP? → Require hardware key.
  • New employee? → Automatically assign to the right group.
  • Suspicious login reputation? → Show CAPTCHA.

You configure all of this through the admin UI – no code, no YAML files, no Java SPIs.
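
The first two rules above, modelled as policy-gated stage bindings. This is an added illustration in plain Python, not Authentik code or its API: the names `LoginContext`, `Binding` and `plan`, the stage names, the 10.20.0.0/16 range and the TOTP rule for known off-network addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample range standing in for "the company network".
COMPANY_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

@dataclass
class LoginContext:
    client_ip: str                                # address reported for this request
    known_ips: set = field(default_factory=set)   # addresses this user has used before

def on_company_network(ctx: LoginContext) -> bool:
    try:
        ip = ipaddress.ip_address(ctx.client_ip)
    except ValueError:
        return False  # unparseable address: fail closed, never treat it as internal
    return any(ip in net for net in COMPANY_NETWORKS)

def known_address(ctx: LoginContext) -> bool:
    return ctx.client_ip in ctx.known_ips

@dataclass
class Binding:
    stage: str
    policy: Optional[Callable[[LoginContext], bool]] = None  # None: stage always runs

# Identification, password and login always run; the MFA stages are policy-gated.
LOGIN_FLOW = [
    Binding("identification"),
    Binding("password"),
    # Assumed rule: off-network login from a known address gets TOTP.
    Binding("mfa-totp", lambda c: not on_company_network(c) and known_address(c)),
    # Page rule: login from an unknown IP requires a hardware key.
    Binding("mfa-hardware-key", lambda c: not on_company_network(c) and not known_address(c)),
    Binding("user-login"),
]

def plan(flow, ctx: LoginContext) -> list:
    """Return the stages that execute for this request, in order."""
    return [b.stage for b in flow if b.policy is None or b.policy(ctx)]

if __name__ == "__main__":
    for ip, seen in [("10.20.5.7", set()), ("203.0.113.9", {"203.0.113.9"}),
                     ("203.0.113.9", set()), ("not-an-ip", set())]:
        print(f"{ip:>12} -> {plan(LOGIN_FLOW, LoginContext(ip, seen))}")
```

Because the skip rule keys on the client address, it is only as reliable as the way the reverse proxy in front of the identity provider reports that address.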

Lightweight in operation

Authentik server and worker each run at around 375 MB RAM at idle [9]. The complete stack – server, worker, PostgreSQL – runs on 2–3 GB RAM. Since version 2025.10, Redis has been completely dropped as a dependency: caching, tasks and WebSocket connections now run directly via PostgreSQL [13].

For comparison: where Keycloak alone requires 2–4 GB RAM, you can run the entire Authentik stack in the same range.

Integrates into your existing stack

Authentik offers ready-made integration guides for tools that SMBs actually use:

  • Proxmox VE: SSO login via OpenID Connect – configurable via CLI or web UI [16]
  • OPNsense: Connection as LDAP server via the Authentik LDAP outpost [17]
  • Docker / Coolify: Native Docker Compose installation, fits into any container stack [10]
  • Traefik / Nginx: Forward auth via the proxy outpost – even for applications that don't support SSO natively
  • Grafana, Nextcloud, Gitea, n8n: OIDC integration in minutes

Open source with a clear commitment

Authentik is licensed under AGPL-3.0. The company behind the project (Authentik Security) has committed to never moving features from the open-source version to the enterprise version [15]. The trend goes in the other direction: Remote Access Control (RDP, SSH, VNC via browser) was moved from Enterprise to Open Source in 2025 [14].


Authentik vs. Keycloak: Direct Comparison

| Criterion | Keycloak | Authentik |
|---|---|---|
| Protocols | OAuth2, OIDC, SAML, LDAP, Kerberos | OAuth2, OIDC, SAML, LDAP, RADIUS, SCIM |
| Technology | Java / Quarkus | Python (Django) + Go |
| RAM requirement (minimum) | ~2 GB (Keycloak only) | ~750 MB (server + worker) |
| RAM requirement (stack) | 3–5 GB+ | 2–3 GB |
| Redis required | No (Infinispan) | No (since 2025.10) |
| Admin UI | Functional but complex | Modern, intuitive |
| Login flow customizing | Theme templates (FreeMarker/Java) | Visual flow editor |
| Upgrade effort | High (breaking changes, downtimes) | Moderate (Docker image update) |
| Active Directory | Deep integration (Federation, Kerberos) | LDAP sync, sufficient for most cases |
| Multi-tenancy | Realms (powerful but complex) | Application-based (simpler) |
| Enterprise support | Red Hat (paid) | Authentik Security (from €5/user/month) |
| License | Apache-2.0 | AGPL-3.0 |
| Proxmox integration | Possible but manual | Official guide |
| OPNsense integration | Possible via RADIUS/LDAP | Official guide (LDAP outpost) |

When Keycloak still makes sense

Fairness matters: Keycloak isn't bad – it's just built for a different use case. Keycloak remains the right choice when:

  • You need multi-domain Active Directory Federation with Kerberos
  • You operate hundreds of realms for multi-tenant scenarios in enterprise environments
  • Your team has Java expertise and knows the JVM world
  • You need Red Hat enterprise support with SLA
  • Regulatory requirements (finance, healthcare) demand a system audited over many years

For most SMBs – with 20 to 500 employees, a handful of internal applications and the desire for SSO and MFA – Keycloak is simply overkill.


The Best Option: Managed Authentik with authhost.de

Running Authentik yourself is significantly easier than Keycloak – but it remains an IAM solution that needs ongoing maintenance. Security updates, database management, backups, monitoring, TLS certificates – all of this takes time.

authhost.de takes this burden off your shoulders. We operate your Authentik instance as a managed service on dedicated infrastructure in Germany:

  • Hosted in Germany: Your identity data stays in German data centers. GDPR-compliant, no ifs or buts.
  • Automatic updates: We keep your instance current – including security patches and major version upgrades, tested before they reach your system.
  • Daily backups: Automated backups with defined recovery times.
  • Monitoring & alerting: We monitor availability and performance around the clock.
  • DPA & TOMs included: Data Processing Agreement and technical-organizational measures for your compliance requirements.
  • Personal support: German-speaking support from a team that uses Authentik productively in their own stack.

From €34.90/month you get a fully managed Authentik instance with all Community Edition features – unlimited users, SSO, MFA, flows and more. The Business plan adds managed outposts (RAC, LDAP) and priority support.

You focus on your core business. We make sure your employees can log in securely and conveniently.


Conclusion

For a long time, Keycloak was the only serious open-source option for Identity & Access Management. That has changed. Authentik offers a more modern, lighter-weight and more maintainable alternative – with the same core protocols, a more intuitive admin interface and a fraction of the operational complexity.

For SMBs that need SSO, MFA and centralized user management without building a dedicated IAM team, Authentik is the more pragmatic choice. And with authhost.de, operations become a managed service – GDPR-compliant, from Germany, with personal support.


Sources

  1. Keycloak Documentation – Memory & CPU Sizing: keycloak.org
  2. Keycloak Documentation – Running in a Container: keycloak.org
  3. Keycloak Performance Benchmarks (v26.4): keycloak.org
  4. Keycloak GitHub – Memory Leak Issue #28671: github.com
  5. Sirius Open Source – Problems with Keycloak: siriusopensource.com
  6. Descope – The Top 6 Keycloak Alternatives: descope.com
  7. Keycloak Documentation – Migration to Quarkus: keycloak.org
  8. Cloud-IAM – Keycloak Upgrades (Breaking Changes): cloud-iam.com
  9. Authentik GitHub – Idle RAM Usage Issue #17869: github.com
  10. Authentik Documentation – Docker Compose Installation: docs.goauthentik.io
  11. Authentik Documentation – Flows: docs.goauthentik.io
  12. Authentik Blog – Flows, Stages, and Policies: goauthentik.io
  13. Authentik Release 2025.10 – Redis dependency removed: goauthentik.io
  14. Authentik Blog – Open Source RAC & Pricing Updates: goauthentik.io
  15. Authentik Pricing: goauthentik.io
  16. Authentik Integration – Proxmox VE: integrations.goauthentik.io
  17. Authentik Integration – OPNsense: integrations.goauthentik.io
  18. Authentik GitHub Repository: github.com
  19. OpenAlternative – Authentik vs Keycloak (GitHub Stats): openalternative.co
  20. exensio – Keycloak im Mittelstand: exensio.de

Written by

Timo Wevelsiep

CEO, merkaio

CEO of merkaio. Managed Authentik Identity Hosting for businesses worldwide. Focus on identity management, SSO and zero trust architecture.
