Worth mentioning Casbin as well (https://github.com/casbin/casbin) - it's been around for a while and takes a slightly different approach. Instead of being purely Zanzibar-inspired, it uses a PERM (Policy, Effect, Request, Matchers) metamodel that lets you implement RBAC, ABAC, or ReBAC depending on what fits your use case.
Keycloak was good but has too much legacy for 10+ years. Casdoor is pretty new and has become a good replacement for Keycloak for me with more functionalities.
Casdoor is a promising open-source IAM solution: https://casdoor.org/ , written in Go and React. All features like OIDC, OAuth 2.0, SAML, CAS, LDAP, WebAuthn and 2FA are all supported. SaaS management is also supported like pricing, subscription etc.
1. Support high-concurrency and use less memory (Go v.s. Java)
2. More modern SPA-style web UI (with React and Ant Design), more CDN friendly
3. full-fledged RESTful API
4. Support a lot of provider types: OAuth, SMS, Email, CAPTCHA
5. More powerful authorization (powered by Casbin), Casbin is a popular authorization solution with a lot of integrations for DBs and applications: https://casbin.org/
SaaS hosting is also provided at: https://casdoor.com/ for anyone who don't want to self-host
From their system info page: https://door.casdoor.com/sysinfo, it only consumes about 10MB memory and with no less features (more features actually) than Keycloak
The fact is a "true" fact, I'm not saying something which is wrong. This is all I care about. I don't need to know why. I'm not an expert on programming languages or look into compiler source code either. If you think the "fact" is not true, plz just give your opinions and evidences.
I's a fact that I also don't know why, maybe not mainly because of GC. Java's high concurrency is not impossible but just requires more efforts to tune the performance
Casdoor is another promising open-source IAM solution: https://casdoor.org/ , written in Go and React. All features like OIDC, OAuth 2.0, SAML, CAS, LDAP, WebAuthn and 2FA are all supported.
Compared to Keycloak, Casdoor has:
1. Support high-concurrency and use less memory (Go v.s. Java)
2. More modern SPA-style web UI (with React and Ant Design), more CDN friendly
3. full-fledged RESTful API
4. Support a lot of provider types: OAuth, SMS, Email, CAPTCHA
5. More powerful authorization (powered by Casbin), Casbin is a popular authorization solution with a lot of integrations for DBs and applications: https://casbin.org/
SaaS hosting is also provided at: https://casdoor.com/ for anyone who don't want to self-host