The CNCF Technical Oversight Committee (TOC) has voted to accept Keycloak as a CNCF incubating project. 

Keycloak is an Identity and Access Management (IAM) solution providing centralized authentication and authorization to applications and APIs. It provides a complete, ready-to-run IAM service in a single lightweight container image, making it easy to deploy and scale. Keycloak can be leveraged for single sign-on to both infrastructure and end-user-facing applications deployed to Kubernetes, and to secure API calls between services through tokens.

Keycloak was created by Bill Burke and Stian Thorgersen in 2014. The project has been used in production for more than eight years by organizations, including Accenture, CERN, Cisco, the Ohio Supercomputing Center, Hitachi, Okta, Quest, and many more. The project has seen incredible growth in interest, reaching over 150,000 monthly visitors to keycloak.org in November 2022 and recently passing 15,000 stars in its GitHub repository.

“Hitachi is heavily using Keycloak because it is a critical part of API security,” said Yuichi Nakamura, Director, Hitachi, Ltd. “We also have long been contributing features for API security to Keycloak and are willing to help the Keycloak project to graduate the CNCF incubation process.” 

Keycloak is well integrated into the cloud native ecosystem. It runs on Kubernetes and can be installed using Operators built with the Operator Framework. It also provides metrics to Prometheus and otherwise integrates with a standard Kubernetes stack. Many projects in the CNCF ecosystem directly integrate with Keycloak for identity and access or support OpenID Connect as an authentication mechanism, including Argo, Envoy, Jaeger, and Kubernetes.

“Keycloak is a widely used and evolving open source project that allows developers to delegate the security aspects of an application so they don’t need to worry about authentication mechanisms, or understand cryptography or how to store passwords safely,” said Chris Aniszczyk, CTO, CNCF. “We’re excited to have another security-focused project come under the CNCF and look forward to cultivating their community growth.”

Notable Milestones:

“The new Quarkus distribution in Keycloak provides a significantly improved configuration experience and reduced footprint in startup time, memory, and number of dependencies,” said Stian Thorgersen, co-founder and project lead of Keycloak, Red Hat Senior Principal Software Engineer. “We will continue to focus on usability, continuously making it easier to deploy and operate Keycloak deployments at scale in a cloud native way. Even though we are at the beginning of our journey, the last year has resulted in great improvements.”

Looking forward, the project maintainers plan to focus on usability, especially in the operational aspects, and providing real value to solve real issues, making it easier to integrate and leverage Keycloak as an IAM solution.

“We’re thrilled to join CNCF as we work to make Keycloak a more robust cloud native identity and access management solution,” said Takashi Norimatsu, Keycloak maintainer, Hitachi Senior Engineer. “With the support of the community, we’ll continue improving features like OAuth 2.0 and OpenID Connect that will help users provide a higher level of API security.”

As a CNCF-hosted project, Keycloak is part of a neutral foundation aligned with its technical interests and the larger Linux Foundation, which provides governance, marketing support, and community outreach. The project joins 36 other incubating technologies, including Backstage, Cilium, Istio, Knative, OpenTelemetry, and more. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria.