Welcome to Thoughtful Architect — a blog about building systems that last.


Don’t Build Your Own Auth: Use Keycloak Instead

Konstantinos

Let me say it plainly: you don’t need to write your own auth service — especially not in 2025.

Still tempted? I get it. The idea of crafting a bespoke login flow, password reset, and custom role management interface sounds like a neat side quest. But unless you’re building an identity company, this is technical debt disguised as technical ambition.


IAM: It’s Bigger Than You Think

Identity and access management (IAM), which covers both authentication and authorization, is one of those deceptively deep domains. What starts as a login form quickly becomes a hydra of:

  • Token management
  • Password flows
  • Social logins
  • MFA
  • Role-based access control
  • Permissions inheritance
  • OAuth2, OpenID Connect, SAML, SCIM...

And don’t forget you’ll need to make it secure, auditable, scalable, and testable across environments.
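To give a sense of how much hides under the "token management" heading alone, here is an added example (not from this post, and not Keycloak's own code) of the checks a resource server must make before trusting a Keycloak-issued access token. It assumes a constructed realm issuer and, so that it runs offline, HS256 with a shared secret; real Keycloak realms sign with RS256 by default and publish their keys at the realm's `protocol/openid-connect/certs` endpoint, which is what you would verify against in practice.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from the post): a constructed realm issuer, and HS256 with a shared
# secret so this runs offline; real realms use RS256 keys from the realm's certs endpoint.
ISSUER = "https://sso.example.test/realms/demo"  # constructed Keycloak realm issuer
SECRET = b"constructed-demo-secret"              # constructed signing secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a Keycloak-shaped HS256 access token (Keycloak does this server-side)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, client_id: str, now=None, leeway=30) -> dict:
    """Checks a resource server must make before trusting a Keycloak access token."""
    now = time.time() if now is None else now
    h, b, s = token.split(".")  # ValueError on a malformed token
    # Pin the algorithm; never trust whatever 'alg' the token itself advertises.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("typ") != "Bearer":  # refresh tokens carry typ=Refresh; reject them here
        raise ValueError("not an access token")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud and claims.get("azp") != client_id:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("nbf", 0) - leeway > now:
        raise ValueError("not yet valid")
    return claims


def realm_roles(claims: dict) -> set:
    """Keycloak lists realm roles under realm_access.roles (client roles under resource_access)."""
    return set(claims.get("realm_access", {}).get("roles", []))
```

Every one of these checks has a failure mode (algorithm confusion, issuer mix-ups, audience sloppiness, clock skew, accepting a refresh token as an access token), and this is only the read side of one token type.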

So — why build it all from scratch?


Enter: Keycloak

Keycloak is the unsung hero of open-source IAM. It gives you:

  • 🔐 Full OAuth2 / OIDC / SAML compliance
  • 🛠️ Extensibility via custom themes, login flows, SPI extensions
  • 🚀 Multi-realm support out of the box
  • 🧱 Role- and group-based access control
  • 🧪 Support for local testing and on-premise deployments

Want to deploy it on your dev laptop? Done. Need it to run behind a corporate VPN in Kubernetes? Easy.

Unlike Auth0 or Okta, Keycloak is not SaaS-bound. You get complete control, and yes — you can run it offline, script against it, or integrate it tightly into your environment.


SaaS IAM: Great Until It Isn’t

Now, I’ll admit: tools like Auth0, Okta, and AWS IAM are fantastic — especially for greenfield apps that are cloud-native, always-online, and happy to accept vendor lock-in.

But what if:

  • You’re building for regulated industries
  • You need to run everything on-prem
  • You want full source-level debugging and customization

That’s where SaaS hits the wall — and Keycloak steps in.


Build with Brains, Not Bravado

As software architects, we love understanding how things work. But that doesn’t mean we should build every cog in the machine ourselves.

Your time is better spent:

  • Designing system boundaries
  • Improving observability
  • Simplifying flows

Not debugging a broken refresh token handler.

So if your team is debating whether to roll your own login microservice — pause. Look at what Keycloak gives you. And maybe — just maybe — leave the IAM wheel un-reinvented.


Why Keycloak Wins

  • ✅ Use Keycloak when you want power and control.
  • 🧪 It supports local testing and on-prem setups.
  • 🌐 SaaS IAMs (Auth0, Okta, AWS IAM) are great, but don’t fit every use case.
  • 🔥 Your dev time is better spent elsewhere.

Let’s stop building boxes around boxes just to manage user roles.

Stay thoughtful.

— Konstantinos
