TL;DR: Authentik and Keycloak both centralize login, SSO, and MFA, but they differ in operating model, legacy integration, and how much complexity teams accept before adding a separate authorization layer, according to Cerbos. The real decision is not which IdP has more features, but where authentication ends and fine-grained access control must begin.
NHIMG editorial — based on content published by Cerbos: Authentik vs Keycloak, with where Cerbos fits for fine-grained authorization
Questions worth separating out
Q: How should teams decide between Authentik and Keycloak for self-hosted identity?
A: Start with the operating model, not the feature list.
Q: When does an identity provider stop being enough for access control?
A: An identity provider stops being enough when permissions must vary by resource, context, workload, or request path.
Q: What do teams get wrong about IdP-native roles and policies?
A: They often assume roles and built-in policies can scale to every authorization use case.
Practitioner guidance
- Separate authentication from authorization: keep the IdP responsible for identity proofing, token issuance, and login flows, then place fine-grained policy decisions in a dedicated authorization layer so permissions stay auditable and portable across services.
- Inventory legacy integration pressure before choosing an IdP: map which applications need proxy wrapping, which directories need federation, and which access paths still depend on older protocols so the integration model does not surprise the operating team later.
- Treat flow design as infrastructure design: if you adopt a flexible IdP with custom flows or scripting, put change control, testing, rollback planning, and documentation around those flows exactly as you would for application code.
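As an added illustration of the first point (not code from Cerbos, Authentik or Keycloak), the principal below is built only from claims in an already-verified IdP token, while the decision about a given document depends on resource attributes and request context that the IdP never sees. Every user, role, department, document and rule in it is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:        # built only from claims in an already-verified IdP token
    sub: str
    roles: frozenset
    department: str

@dataclass(frozen=True)
class Document:         # resource attributes live with the application, not the IdP
    doc_id: str
    owner: str
    department: str
    locked: bool = False

def principal_from_claims(claims: dict) -> Principal:
    """Authentication boundary: accept only identity facts the IdP asserted."""
    return Principal(sub=claims["sub"],
                     roles=frozenset(claims.get("roles", [])),
                     department=claims["department"])

def is_allowed(p: Principal, action: str, doc: Document, ctx: dict) -> bool:
    """Authorization layer: the role alone never decides; resource and context do."""
    if "admin" in p.roles:
        return True
    same_dept = p.department == doc.department
    if action == "view":
        return same_dept and bool(p.roles & {"viewer", "editor"})
    # Mutations additionally require an internal-network request (context).
    if ctx.get("network") != "internal" or "editor" not in p.roles:
        return False
    if action == "edit":
        return doc.owner == p.sub or (same_dept and not doc.locked)
    if action == "delete":
        return doc.owner == p.sub
    return False        # default deny for any action the policy does not name

# Constructed sample data (hypothetical users, documents and claims).
ALICE = principal_from_claims({"sub": "alice", "roles": ["editor"], "department": "finance"})
OWN_DOC = Document("d1", owner="alice", department="finance")
PEER_DOC = Document("d2", owner="bob", department="finance", locked=True)
OTHER_DOC = Document("d3", owner="carol", department="legal")
INTERNAL, PUBLIC = {"network": "internal"}, {"network": "public"}

if __name__ == "__main__":
    for act, doc, ctx in [("edit", OWN_DOC, INTERNAL), ("edit", PEER_DOC, INTERNAL),
                          ("view", OTHER_DOC, INTERNAL), ("delete", OWN_DOC, PUBLIC)]:
        print(f"{act} {doc.doc_id} from {ctx['network']}: {is_allowed(ALICE, act, doc, ctx)}")
```

The same "editor" role yields four different answers here, which is exactly the case an IdP-native role mapping cannot express on its own.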
What's in the full article
Cerbos' full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step Authentik deployment trade-offs for proxy mode, custom flows, and remote access support.
- Keycloak federation and clustering considerations for enterprise and legacy identity estates.
- Authorization patterns that separate IdP-issued identity claims from resource-level policy decisions.
- Operational guidance on when to keep roles in the IdP and when to move them into a dedicated policy layer.
Read Cerbos' full comparison of Authentik vs Keycloak and authorization fit.