Worth mentioning Casbin as well (https://github.com/casbin/casbin) - it's been around for a while and takes a slightly different approach. Instead of being purely Zanzibar-inspired, it uses a PERM (Policy, Effect, Request, Matchers) metamodel that lets you implement RBAC, ABAC, or ReBAC depending on what fits your use case.
Keycloak was good but has too much legacy for 10+ years. Casdoor is pretty new and has become a good replacement for Keycloak for me with more functionalities.
Casdoor is a promising open-source IAM solution: https://casdoor.org/ , written in Go and React. All features like OIDC, OAuth 2.0, SAML, CAS, LDAP, WebAuthn and 2FA are all supported. SaaS management is also supported like pricing, subscription etc.
1. Support high-concurrency and use less memory (Go v.s. Java)
2. More modern SPA-style web UI (with React and Ant Design), more CDN friendly
3. full-fledged RESTful API
4. Support a lot of provider types: OAuth, SMS, Email, CAPTCHA
5. More powerful authorization (powered by Casbin), Casbin is a popular authorization solution with a lot of integrations for DBs and applications: https://casbin.org/
SaaS hosting is also provided at: https://casdoor.com/ for anyone who don't want to self-host