Keycloak and Ory represent two fundamentally different philosophies in open-source identity. Keycloak is a batteries-included monolith — deploy one service, get everything. Ory is a modular microservices ecosystem — deploy only what you need, build your own UI. This comparison covers architecture, features, authorization, deployment, and when each approach wins.
At a Glance
| | Keycloak | Ory |
|---|---|---|
| Architecture | Monolith (Java/Quarkus) | Microservices (Go) |
| License | Apache 2.0 | Apache 2.0 |
| GitHub Stars | ~25,000 (1 repo) | ~39,000 (4 repos combined) |
| Built-in UI | Yes (admin + login pages) | No (headless, API-first) |
| SAML Support | Yes (native) | Enterprise only (Ory Polis) |
| LDAP Federation | Yes | No |
| Authorization | UMA 2.0 + policies | Zanzibar ReBAC (Keto) |
| Multi-tenancy | Realms (production-ready) | Enterprise/Ory Network only |
| Managed SaaS | No official offering | Yes (Ory Network) |
| Min Resources | ~512 MB RAM (JVM) | ~128 MB RAM per service |
Architecture
Keycloak: The Monolith
Keycloak is a single Java application that handles everything: OIDC, SAML, user management, admin console, themes, session management, and authorization services. One deployment, one process, one configuration.
Advantages: Simple deployment, integrated admin console, everything works out of the box.
Trade-off: You deploy everything even if you only need OAuth2. Higher memory baseline (~512 MB minimum for the JVM).
Ory: The Microservices Ecosystem
Ory separates concerns into independent Go services. Each handles one responsibility and can be deployed, scaled, and upgraded independently.
Advantages: Use only what you need, lightweight (~128 MB per service), full UI control, Zanzibar authorization.
Trade-off: Must wire together multiple services, must build your own UI, steeper initial setup.
Feature Comparison
Authentication & Protocols
| Feature | Keycloak | Ory |
|---|---|---|
| OAuth 2.0 / OIDC | Yes (OpenID Certified) | Yes (Hydra, OpenID Certified) |
| SAML 2.0 IdP | Yes (native) | Enterprise only (Polis) |
| SAML 2.0 SP | Yes (identity brokering) | Kratos B2B SSO (enterprise) |
| LDAP/AD Federation | Yes | No |
| Kerberos / SPNEGO | Yes | No |
| Social Login | Yes (20+ providers) | Yes (Kratos, 20+ providers) |
| Device Authorization (RFC 8628) | Yes | Yes (Hydra v25.4.0+) |
| Proxy Authentication | No (need external) | Yes (Oathkeeper) |
The protocol gap is significant. If you need SAML or LDAP, Keycloak is the clear choice — Ory’s open-source offering has no SAML IdP and no LDAP federation.
MFA & Passwordless
| Method | Keycloak | Ory Kratos |
|---|---|---|
| TOTP | Yes | Yes |
| WebAuthn / FIDO2 | Yes | Yes |
| Passkeys | Partial | Yes |
| SMS OTP | Via extension | Yes (v25.4.0+) |
| Magic Links | No | Yes |
| Recovery Codes | Yes | Yes (Lookup Secrets) |
Ory Kratos has native passwordless support (magic links, SMS OTP, passkeys) while Keycloak requires extensions for some of these methods.
Authorization
This is where the architectures diverge most.
Keycloak Authorization Services:
- Built into the Keycloak server
- UMA 2.0 compliant
- Policy types: role-based, user-based, group-based, time-based, JavaScript, aggregated
- Permissions attached to OAuth2 tokens (RPT tokens)
- Evaluated server-side at the Keycloak endpoint
Ory Keto (Zanzibar):
- Separate dedicated service
- Google Zanzibar relationship model
- Relation tuples in the form `namespace:object#relation@subject`
- Ory Permission Language (OPL): a TypeScript subset for defining permission models
- Check, expand, and list APIs
- Sub-10ms p95 latency claims
When Keto wins: Complex permission models (nested organizations, document-level sharing, multi-level inheritance). The Zanzibar model scales to billions of relation tuples.
When Keycloak wins: Token-integrated authorization. Permissions are embedded in OAuth2 tokens, so downstream services don’t need to call a separate authorization service. Simpler for standard RBAC/ABAC patterns.
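To make the Zanzibar model concrete, here is an added, self-contained Python sketch (not Keto's code) of how a relationship-based check resolves the nested-organization and document-sharing cases the text describes: it parses Keto's `namespace:object#relation@subject` tuple syntax, recurses through subject sets, bounds recursion depth, and uses a hypothetical `IMPLICATIONS` table as a stand-in for an OPL permit such as "owners can also view". The sample tuples are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class SubjectSet(NamedTuple):  # a subject that is itself a relation: 'namespace:object#relation'
    namespace: str
    object: str
    relation: str

# Stand-in for an OPL permit ("viewers include editors, editors include owners"). Hypothetical:
# in Keto this rewrite is expressed in the OPL model, not stored alongside the tuples.
IMPLICATIONS = {("Document", "viewer"): ("editor",), ("Document", "editor"): ("owner",)}

def split_ref(s):
    """'namespace:object#relation' -> (namespace, object, relation)."""
    ns, rest = s.split(":", 1)
    obj, rel = rest.split("#", 1)
    return ns, obj, rel

def parse_tuple(s):
    """Parse Keto's 'namespace:object#relation@subject'; the subject is a plain id or a subject set."""
    left, subject = s.split("@", 1)
    is_set = ":" in subject and "#" in subject
    return split_ref(left), (SubjectSet(*split_ref(subject)) if is_set else subject)

class RelationStore:
    def __init__(self, tuples):
        self.index = defaultdict(list)  # (namespace, object, relation) -> [subjects]
        for key, subject in map(parse_tuple, tuples):
            self.index[key].append(subject)

    def check(self, ns, obj, rel, subject_id, max_depth=10):
        """Keto-style check: a direct tuple, an implied relation, or recursion through subject sets."""
        if max_depth == 0:  # Keto bounds recursion depth as well, so cyclic tuples terminate
            return False
        if any(self.check(ns, obj, r, subject_id, max_depth - 1) for r in IMPLICATIONS.get((ns, rel), ())):
            return True
        for subject in self.index.get((ns, obj, rel), []):
            if subject == subject_id or (isinstance(subject, SubjectSet) and self.check(*subject, subject_id, max_depth - 1)):
                return True
        return False

# Constructed sample: a team nested inside an organisation, and a document shared with the whole org.
TUPLES = ["Team:platform#member@bob", "Organization:acme#member@alice",
          "Organization:acme#member@Team:platform#member",        # nested org: team members are org members
          "Document:roadmap#viewer@Organization:acme#member",     # shared with every org member
          "Document:roadmap#owner@carol"]
```

With these tuples `bob` reaches the document through team, then organization, while `carol` is a viewer only because ownership implies it; a token-embedded Keycloak permission would have to be recomputed and reissued whenever any of those relationships changed.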
User Management
| Feature | Keycloak | Ory Kratos |
|---|---|---|
| Admin Console | Full GUI | CLI + API (no GUI in OSS) |
| Self-service Flows | Themed pages (FreeMarker) | Headless JSON API |
| Identity Schema | Fixed (extendable via attributes) | JSON Schema (fully custom) |
| Account Linking | Yes | Yes |
| User Import/Export | Realm export JSON | API-based |
| Brute Force Protection | Yes | Yes |
Keycloak gives you a working user management system immediately. Ory gives you building blocks to create exactly the system you want — but you must build it.
Deployment
Keycloak
```bash
# Single command to production
docker run -d \
  -e KC_DB=postgres \
  -e KC_DB_URL=jdbc:postgresql://db:5432/keycloak \
  -e KC_HOSTNAME=https://auth.example.com \
  quay.io/keycloak/keycloak:26.1 start
```
One container, one database. For production hardening, see our Keycloak Docker Compose Production Guide.
Ory (Self-hosted)
Minimum viable setup requires at least Kratos + Hydra + your custom UI:
```yaml
# docker-compose.yml (simplified)
services:
  kratos:
    image: oryd/kratos:v25.4.0
    volumes:
      - ./kratos.yml:/etc/config/kratos/kratos.yml
    command: serve --config /etc/config/kratos/kratos.yml
    depends_on:
      - postgres
  hydra:
    image: oryd/hydra:v25.4.0
    environment:
      # Credentials and database name match the postgres service below
      DSN: postgres://user:pass@postgres:5432/ory?sslmode=disable
    command: serve all
    depends_on:
      - postgres
  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: user
      POSTGRES_PASSWORD: pass
      POSTGRES_DB: ory
  your-ui:
    build: ./ui
    # Your custom login/registration frontend
```
Add Keto for authorization and Oathkeeper for API gateway — that’s 4+ services to manage.
Resource Comparison
| | Keycloak | Ory (per service) |
|---|---|---|
| Min RAM | ~512 MB | ~128 MB |
| Cold Start | ~10s (optimized) / ~30s (stock) | <1s |
| Binary Size | ~250 MB (JVM + libs) | ~30 MB (Go binary) |
| Containers | 1 | 2-4+ (Kratos, Hydra, Keto, Oathkeeper) |
Ory’s Go services are dramatically lighter individually, but you need multiple of them. Total resource usage depends on which components you deploy.
Licensing & Pricing
| Aspect | Keycloak | Ory |
|---|---|---|
| Core License | Apache 2.0 | Apache 2.0 |
| All features free? | Yes | No (SAML, multi-tenancy require paid tier) |
| Managed SaaS | No official service | Ory Network (from $770/year) |
| Enterprise Support | Red Hat (~$1,000/year/server) | Ory Enterprise License (custom) |
| Enterprise-only Features | None | Multi-tenancy, SAML (Polis), advanced analytics |
Both are Apache 2.0 at the core, but Keycloak has no gated features — everything including SAML, LDAP, multi-tenancy (Realms), and authorization services is free. Ory gates some enterprise capabilities behind paid tiers.
Community
| Metric | Keycloak | Ory Ecosystem |
|---|---|---|
| Combined GitHub Stars | ~25,000 | ~39,000 |
| Contributors | 1,000+ | ~731 (across repos) |
| Project Age | 12 years (2014) | ~8 years (Hydra 2017, Kratos 2019) |
| Governance | CNCF Incubating | Ory Corp (VC-backed) |
| Notable Users | Red Hat, Deutsche Bahn | OpenAI (Hydra) |
Keycloak has a larger single community with more blog posts, Stack Overflow answers, and third-party extensions. Ory’s community is split across repos but growing fast, particularly in the cloud-native space.
When to Choose Keycloak
- Need SAML or LDAP: Enterprise environments with Active Directory, SAML-based SSO, or legacy identity providers
- Want a working system fast: Built-in admin console, login pages, and account management — deploy and configure, don’t build
- Standard RBAC/UMA authorization: Permissions integrated into OAuth2 tokens without a separate authorization service
- Multi-tenancy (free): Realms provide production-ready tenant isolation at no cost
- Java/Spring ecosystem: Native Spring Security integration, Quarkus OIDC adapter
- Budget-conscious teams: All features free, no enterprise tier required for any capability
When to Choose Ory
- API-first / headless architecture: Building custom UIs (React, Next.js, mobile) where you don’t want an IdP’s theme system
- Zanzibar-style authorization: Complex permission models (document sharing, nested organizations, relationship-based access)
- Cloud-native / Kubernetes: Lightweight Go services with 128 MB footprint, sub-second cold starts, stateless horizontal scaling
- Managed SaaS desired: Ory Network provides a fully managed identity service with global edge deployment
- Microservices teams: Each Ory component can be owned by a different team, deployed independently, versioned separately
- OIDC-only environments: If you don’t need SAML or LDAP, Ory’s focused OIDC implementation is cleaner
- Scale-sensitive workloads: Go services handle more concurrent requests per resource unit than JVM-based Keycloak
Migration Considerations
Keycloak to Ory
- Users: Export from Keycloak realm JSON, import via Kratos Admin API. Password hashes may require re-enrollment depending on the algorithm
- OIDC Clients: Recreate in Hydra via CLI or API. Client secrets must be re-generated
- SAML Clients: Cannot migrate to open-source Ory (no SAML). Requires Ory Polis (enterprise) or keeping Keycloak for SAML
- Authorization Policies: Keycloak UMA policies → Ory Keto relation tuples. Fundamentally different models — requires redesign
- Themes/UI: Keycloak FreeMarker themes → custom React/Next.js frontend calling Kratos API. Full rewrite required
Ory to Keycloak
- Users: Export via Kratos Admin API, import into Keycloak realm
- OAuth2 Clients: Recreate in Keycloak admin console
- Custom UI: Can be preserved as a custom Keycloak theme or kept as an external app using Keycloak’s OIDC endpoints
- Keto Permissions: Redesign as Keycloak Authorization Services policies
Conclusion
Keycloak and Ory solve the same problem with opposite philosophies. Keycloak says “here’s everything, configure it.” Ory says “here are the building blocks, assemble them.” Neither approach is universally better — the right choice depends on your team, your architecture, and your protocol requirements.
If you need SAML, LDAP, or a working system in an afternoon, Keycloak wins. If you’re building a custom-branded, cloud-native application with Zanzibar-style permissions and full UI control, Ory wins.
For other open-source IAM comparisons, see Keycloak vs Zitadel, Keycloak vs Authentik, and our Top 10 Open Source IAM Solutions.
