
Keycloak vs. Cognito

Updated: Nov 4, 2020

From the Perspective of Cloud-Agnostic Deployment

Cloud-agnostic deployment means building an application so that it runs seamlessly across different cloud platforms. Many companies rely on cloud computing for flexibility and compatibility regardless of the environment, as it often provides a series of cost-effective solutions.

Cloud providers supply processing power and storage as services, with the underlying software operated by those third-party providers. That said, the access management solutions we’ll be focusing on are Keycloak and AWS Cognito.

Why Cloud Agnostic Development is the Standard

Cloud Agnostic Development quickly became a necessity after its inception as it provides added flexibility in the use of public cloud facilities. Workloads and applications running within any public cloud can be switched across different providers. Companies can tweak their usage depending on their current performance and cost-efficiency.

Another reason is that companies want to minimize the risk of vendor lock-in. Vendor lock-in refers to the disadvantages of being reliant on a particular vendor: it limits a company’s ability to explore other options when the vendor raises prices or changes its initial offering. In the worst case, the company’s overall operations are affected when its single cloud provider encounters technical issues.

Well-known companies from both the public and private sectors use cloud services to support their online operations. Netflix, Airbnb, Spotify, PBS, and more are among the 81% of cloud-powered enterprises today. This lets them focus on their services and leave most technicalities to a constantly upgrading infrastructure. They save the cost of acquiring physical infrastructure and an additional workforce, and they save time as well. For this reason, small businesses and startups can likely benefit from the cloud the most: it gives them access to world-class platforms for storage, computing, management, and more with little to no up-front capital involved.

Defining Keycloak

Keycloak is an open-source identity platform that manages access to applications and services. Many companies have adopted Keycloak to meet their user-management needs, including system security, social logins, mobile app support, and cloud-agnostic integration. It differs from its competitors through its user-authentication model: users only need to log in once, and a single sign-out ends all of their sessions. Applications are accessed with ease because they don’t need their own login forms to authenticate and store users; Keycloak handles that for them.

Features of Keycloak

After covering the essence of what Keycloak is and uses of the system, here are its defining characteristics:

Identity Access Management (IAM)

IAM is the framework integrated with Keycloak to authenticate its users. This tracks the user’s identity, including access privileges, identity federation, networks, and other resources upon request.

Moreover, IAM decides who can access user information and who can modify it, through descriptive information management. This feature keeps security tight for both the company and its users, ensuring safe and seamless account interaction.

Single Sign-On (SSO)

SSO lets users work across multiple software systems without compromising security by going through third-party sites for access. Users enter their credentials just once to access multiple applications, which minimizes the time spent re-entering user information. As a result, customer service queries about password issues are also reduced. It is important to note that SSO is only available for sites that share a uniform DNS parent domain.

Kerberos Broker

Keycloak’s Kerberos integration authenticates through the web browser for desktop logins. This means that Kerberos tickets are unavailable in non-web sessions such as mobile apps. Keycloak supports credential delegation, which means that Kerberos tickets can be reused and forwarded to other services. For instance, you can securely use the same Kerberos ticket against both LDAP and IMAP servers.

Defining Amazon Cognito

Amazon Cognito is the part of Amazon Web Services (AWS) that handles user authentication, authorization, and user management across devices. This lets application developers accelerate development instead of building an elaborate back-end infrastructure. Cognito gathers user-profile attributes into directories that can be used to configure access to other AWS resources. It also supports multi-factor authentication and encryption of data at rest to protect users.

Features of Amazon Cognito

Just like Keycloak, Amazon Cognito has a set of defining characteristics that separate it from other cloud security providers.

User Pools

All user credentials are gathered into Amazon Cognito User Pools. Simply put, a user pool provides sign-up and sign-in options and a more secure user directory for both mobile and web applications. User pools offer multi-factor authentication as a standard security feature; MFA involves account takeover protection and phone or email verification. Another defining characteristic of Amazon Cognito is that it accepts public identity providers, meaning users have the option to log in through Facebook, Twitter, Instagram, and the like.

Identity Pools

Identity Pools allow companies to grant their users access to other AWS services, such as Amazon S3 and DynamoDB. They can be used by both anonymous guest users and authenticated users.

Customizable UI

Amazon Cognito earned its competitive edge with its built-in UI, which you can modify and design as you want. You can also integrate the Android, iOS, and JavaScript SDKs into your apps’ login and sign-up pages.

Key Differences

Choosing between these two boils down to the customer’s needs and the workloads they run. Some developers prefer Amazon Cognito because it lets you securely manage app data for your users across devices: it supports logins through public providers and saves data locally so apps can work offline. On the other hand, Keycloak’s open-source identity platform provides single sign-on authentication with no fuss. Developers don’t need to deal with storing and authenticating users, because it all works out of the box.

Here are more of the critical differences between Keycloak and Amazon Cognito.

Basic Competency and Functionality

The critical competency of Amazon Cognito lies in the depth of the services backed by Amazon itself. Implementing Amazon Cognito gives you access to over 175 services covering databases, analytics, networking, and more.

As mentioned, many customers prefer Keycloak for its single-login feature. Keycloak can act as both a SAML service provider and a SAML identity provider.

Pricing

Amazon Cognito pricing is based on Monthly Active Users (MAU). For instance, the first 100,000 MAUs cost $0.0055 each, the next 900,000 are priced at $0.0046, and 10,000,000 MAUs cost $0.0025 per MAU.

Keycloak is ideal for small business owners because it is open source. This lets businesses control their costs and focus on essential resources.


Along with their critical strengths, both platforms have their disadvantages. So, here are the cons of Keycloak and Amazon Cognito.

Amazon Cognito

Limitations of Amazon EC2

As mentioned above, Amazon Cognito opens its customers to numerous services, including Amazon EC2. These resources have default limits that you should familiarize yourself with, and they vary by region. In practice, customers can only launch a limited number of images, volumes, and snapshots. If you wish to increase a limit, you must contact Amazon to discuss further steps.

Amazon Technical Support Fee

Immediate technical support comes with subscription-based charges depending on your package of choice.

Limitations to Security

Security is one of the defining strengths of Amazon Cognito. Despite this, Amazon places limits on some of its security features: customers can only have a maximum of 500 Security Group permissions per instance on EC2-Classic and 100 Security Group permissions per VPC on EC2-VPC.

Keycloak
Doesn’t support external database integration

Unlike other clouds, Keycloak doesn’t authenticate against an external database. Other clouds can involve external computing resources in authentication, which Keycloak does not. However, as long as the external cloud resources can connect to the private cloud over a VPN, everything should be fine.

No Alternate Login Methods

Keycloak does not offer backup login methods such as a soft token, a one-time password over the phone or email, or security questions. These are essential when users have problems logging in, as they avoid having to deploy additional agents to deal with disputes.

No Third-Party MFA Providers

Keycloak doesn’t have features to integrate third-party multi-factor authentication (MFA) providers such as Google Authenticator, Authy, etc. MFA is integral to immediately neutralizing the risks that arise from compromised passwords and personal data breaches. This extra layer of web security should be added to protect your users further.

To summarize, here are the Pros and Cons of Keycloak and Amazon Cognito:

Pros

| Keycloak                   | Amazon Cognito                                                     |
|----------------------------|--------------------------------------------------------------------|
| Open-source, free          | Integration with third-party identity providers                    |
| Single Sign-On             | Integration with third-party MFA providers                         |
| Kerberos authentication    | Full MFA security on the device, even in offline mode              |
| Identity Access Management | Access to Amazon services                                          |

Cons

| Keycloak                                    | Amazon Cognito               |
|---------------------------------------------|------------------------------|
| Doesn’t support external database integration | Limitations of Amazon EC2  |
| No alternate login methods                  | Amazon technical support fee |
| No third-party MFA providers                | Limitations to security      |


Essentially, Keycloak and Amazon Cognito both provide an additional layer of security that helps you manage access to your systems and software. While they serve similar functions, they are optimized for very different use cases. Amazon Cognito is an excellent choice for anyone looking to increase the security of cloud platforms running on Amazon AWS. It also provides a simple setup that integrates seamlessly with other Amazon cloud computing offerings.

Keycloak, on the other hand, is an excellent choice for businesses looking to improve their identity and access management. It provides access management for all of your applications and services with a streamlined workflow through its Single Sign-On feature. As an open-source application, it offers customizability at low cost, making Keycloak an excellent choice for startups and enterprises alike.


2 comments

Keycloak supports 2FA with Google Authenticator and FreeOTP. Also, it's possible to develop your own SPI for email or whatsoever and customize your authentication flow.


Some points on this article are incorrect.

1. AWS Cognito hosted UI is not customizable other than some minor CSS changes. See here:

2. Keycloak allows configuring any database that supports JDBC which is quite a comprehensive list:

Keycloak also supports implementing custom Storage SPI if you have an existing database with user records that you'd like to use behind Keycloak. See here:
