Web Dev Tools

OIDC / Identity Providers

Self-hostable identity servers for SSO, OIDC, SAML, multi-tenancy.

These run as a separate service (typically Docker) and your apps integrate with them as OIDC clients. Pick one when you have multiple apps that need shared SSO, or you're selling to enterprises that demand SAML.

  • Logto — modern, TypeScript-first, easy admin UI, OIDC + organizations + RBAC + MFA. The most popular "just need SSO for my apps" pick.
  • Keycloak — Red Hat's mature identity server. Largest deployments, most features, somewhat dated UI; the go-to for serious enterprise.
  • Authentik — newer, Python/Go, modern UI, OIDC + SAML + LDAP + RBAC. Strong self-hosted home-lab and SMB community.
  • ZITADEL — Go-based, multi-tenant by design, audit log first-class.
  • Ory (Kratos / Hydra / Keto / Oathkeeper) — composable identity primitives; powerful but more setup.
  • FusionAuth — single-binary, free for self-host, paid for the SaaS.
  • PocketID — minimal OIDC server for passkeys-only auth.

What this layer is for

Use a dedicated identity server when:

  • You have 3+ apps that should share login.
  • You sell B2B and customers ask "do you support SAML?"
  • You want centralized password reset, MFA enforcement, audit logs.

If you just have one app and a small team, an in-app library (Better Auth, Auth.js, Clerk) is simpler.

Pick this if…

  • You want it modern, easy, and small-team-sized: Logto.
  • Enterprise SSO / massive feature set: Keycloak.
  • Self-hosted with great UI for SMB: Authentik.
  • Multi-tenant SaaS where every customer is its own org: ZITADEL.
  • You want primitives, not a product: Ory.