Need advice about which tool to choose?Ask the StackShare community!


+ 1

+ 1
Add tool

Dex vs Keycloak: What are the differences?


In this article, we will compare Dex and Keycloak, two popular identity and access management (IAM) solutions. We will explore the key differences between Dex and Keycloak and provide specific details about each difference.

  1. Authenticators Supported: One key difference between Dex and Keycloak is the range of authenticators supported. Dex primarily supports username/password, OAuth2 client credentials, and LDAP authenticators. On the other hand, Keycloak supports a wider range of authenticators including username/password, social login (Google, Facebook, etc.), multi-factor authentication (SMS, OTP), and more.

  2. Federation: Dex and Keycloak also differ in their federation capabilities. Dex supports federation through connectors, which allows integration with various upstream identity providers like GitHub, Google, and Active Directory. Keycloak, on the other hand, provides built-in federation capabilities where it can act as an identity provider (IdP) for multiple service providers (SPs) using protocols like SAML, OAuth2, and OpenID Connect.

  3. Scalability and High Availability: Dex and Keycloak have different approaches to scalability and high availability. Dex is designed to be lightweight and can be run as a single instance or in a small cluster. However, for larger deployments, external load balancers and databases are required to achieve scalability and high availability. Keycloak, on the other hand, has built-in clustering and a distributed cache system, making it easier to scale and achieve high availability out of the box.

  4. Customization and Extensibility: When it comes to customization and extensibility, Keycloak offers more flexibility compared to Dex. Keycloak provides a comprehensive administration console and a wide range of configuration options to customize the authentication flow, user registration, and other aspects of the IAM system. In addition, Keycloak supports the development of custom extensions, themes, and plugins to tailor the system to specific requirements. Dex, while providing some customization options, has a more limited set of features in terms of extensibility.

  5. Integration with Ecosystem: Dex and Keycloak have different levels of integration with other components and ecosystems. Keycloak, being part of the Red Hat ecosystem, seamlessly integrates with other Red Hat products like OpenShift, Red Hat Single Sign-On (RHSSO), and Red Hat Fuse. It also provides native support for Java and Spring Boot applications. Dex, on the other hand, does not have the same level of ecosystem integration and may require additional configuration or development efforts for specific integrations outside its core functionality.

  6. Support and Community: Support and community play a crucial role when evaluating IAM solutions. Keycloak benefits from a large and active community, being an open-source project with backing from Red Hat. It has extensive documentation, forums, and a strong ecosystem of developers contributing to its development and support. Dex, while also having an active community, may have a smaller user base and comparatively fewer resources available for support and troubleshooting.


In summary, Dex and Keycloak differ in terms of authenticators supported, federation capabilities, scalability and high availability, customization and extensibility, integration with the ecosystem, and the level of support and community. These differences should be considered when choosing an IAM solution that best suits your specific requirements.

Advice on Dex and Keycloak
Needs advice
Spring SecuritySpring Security

I am working on building a platform in my company that will provide a single sign on to all of the internal products to the customer. To do that we need to build an Authorisation server to comply with the OIDC protocol. Earlier we had built the Auth server using the Spring Security OAuth project but since in Spring Security 5.x it is no longer supported we are planning to get over with it as well. Below are the 2 options that I was considering to replace the Spring Auth Server. 1. Keycloak 2. Okta 3. Auth0 Please advise which one to use.

See more
Replies (3)
Luca Ferrari
Solution Architect at Red Hat, Inc. · | 5 upvotes · 210K views

It isn't clear if beside the AuthZ requirement you had others, but given the scenario you described my suggestion would for you to go with Keycloak. First of all because you have already an onpremise IdP and with Keycloak you could maintain that setup (if privacy is a concern). Another important point is configuration and customization: I would assume with Spring OAuth you might have had some custom logic around authentication, this can be easily reconfigured in Keycloak by leveraging SPI ( Finally AuthZ as a functionality is well developed, based on standard protocols and extensible on Keycloak (

See more
Sandor Racz

We have good experience using Keycloak for SSO with OIDC with our Spring Boot based applications. It's free, easy to install and configure, extensible - so I recommend it.

See more

You can also use Keycloak as an Identity Broker, which enables you to handle authentication on many different identity providers of your customers. With this setup, you are able to perform authorization tasks centralized.

See more
Get Advice from developers at your company using StackShare Enterprise. Sign up for StackShare Enterprise.
Learn More
Pros of Dex
Pros of Keycloak
    Be the first to leave a pro
    • 33
      It's a open source solution
    • 24
      Supports multiple identity provider
    • 17
      OpenID and SAML support
    • 12
      Easy customisation
    • 10
      JSON web token
    • 6
      Maintained by devs at Redhat

    Sign up to add or upvote prosMake informed product decisions

    Cons of Dex
    Cons of Keycloak
      Be the first to leave a con
      • 7
      • 6
        Poor client side documentation
      • 5
        Lack of Code examples for client side

      Sign up to add or upvote consMake informed product decisions

      What is Dex?

      Dex is a personal CRM that helps you build stronger relationships. Remember where you left off, keep in touch, and be more thoughtful -- all in one place.

      What is Keycloak?

      It is an Open Source Identity and Access Management For Modern Applications and Services. It adds authentication to applications and secure services with minimum fuss. No need to deal with storing users or authenticating users. It's all available out of the box.

      Need advice about which tool to choose?Ask the StackShare community!

      What companies use Dex?
      What companies use Keycloak?
      See which teams inside your own company are using Dex or Keycloak.
      Sign up for StackShare EnterpriseLearn More

      Sign up to get full access to all the companiesMake informed product decisions

      What tools integrate with Dex?
      What tools integrate with Keycloak?
        No integrations found

        Sign up to get full access to all the tool integrationsMake informed product decisions

        What are some alternatives to Dex and Keycloak?
        JavaScript is most known as the scripting language for Web pages, but used in many non-browser environments as well such as node.js or Apache CouchDB. It is a prototype-based, multi-paradigm scripting language that is dynamic,and supports object-oriented, imperative, and functional programming styles.
        Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.
        GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Over three million people use GitHub to build amazing things together.
        Python is a general purpose programming language created by Guido Van Rossum. Python is most praised for its elegant syntax and readable code, if you are just beginning your programming career python suits you best.
        jQuery is a cross-platform JavaScript library designed to simplify the client-side scripting of HTML.
        See all alternatives