Keycloak
Keycloak IAM - OIDC, SAML, social login, user federation - backed by a managed Postgres, stateless and production-mode.
One-click deploy, from $25/mo on a Miget plan.
Keycloak is the heavyweight champion of open-source identity: full OIDC and SAML, social logins, user federation (LDAP/AD), fine-grained authorization, admin console, and two decades of enterprise hardening via Red Hat. It is what you deploy when per-MAU pricing on Auth0 or Clerk stops being funny.
This template runs Keycloak in production mode (start, not start-dev) backed by a managed Postgres that Miget provisions and wires automatically - host, port, credentials all injected. TLS terminates at the platform ingress with forwarded headers trusted, so issuer URLs come out as your https domain, which is exactly what OIDC clients require.
All state lives in Postgres; the Keycloak pod itself is stateless and restarts clean. Two variables (bootstrap admin username/password) and you have an identity provider.
Upstream project: Keycloak
#what you get
- OIDC, OAuth2, and SAML 2.0 - works with every framework’s auth library
- Social login (Google, GitHub, …) and identity brokering
- User federation: LDAP and Active Directory
- Admin console with realms, clients, roles, and flows
- Production mode behind TLS ingress; correct https issuer URLs
- Managed Postgres auto-provisioned and auto-wired - stateless Keycloak pod
#topology
| Service | Role | Public |
|---|---|---|
| keycloak | identity server, production mode (:5000) | yes |
| db | Postgres - managed service on Miget, container locally | no |
#miget sizing
// this stack needs
3 GiB RAM · 5 GB disk · 2 services
Keycloak is RAM-hungry (JVM + Quarkus): 2 GiB is the realistic floor. The managed Postgres adds 1 GiB. CPU matters at login bursts - password hashing is deliberate work.
Hobby - recommended fit
$25/mo
2 vCPU · 4 GiB · 80 GiB disk
Headroom for your own apps: 8 GiB at $49/mo
Professional - production
$43/mo
2 vCPU · 4 GiB · 25 GiB disk
Dedicated resources, production SLOs - plan details
One Miget plan is a fixed pool of compute - the whole stack (managed databases included) deploys inside it, and anything left over runs your other apps. No per-service or per-seat math.
#vs. the managed service
What the hosted equivalents charge, against the flat Miget plan this stack fits on. Prices as of June 2026, sources linked.
| Service | Plan | Monthly | What you get |
|---|---|---|---|
| Keycloak on Miget ★ | 4 GiB plan | $25 | this whole stack, flat - no usage meters, and room left for your own apps |
| Auth0 | Essentials (B2C) | ~$70 | at 1,000 MAU (from $35 at 500 MAU) - scales with users |
| Clerk | Pro | ~$25 | base + $0.02 per monthly retained user past 50k; SSO connections $75 each |
| FusionAuth | Starter (cloud) | ~$162 | cheapest managed FusionAuth, billed annually |
Identity SaaS prices per user; Keycloak prices per gigabyte. Past hobby scale the curves diverge fast.
#vs. other PaaS
Estimated monthly cost of running this exact stack (3 GiB RAM, 5 GB disk, 2 containers) elsewhere, from published June 2026 rates.
| Platform | Est. monthly | Notes |
|---|---|---|
| Miget ★ | $25 flat | compose stacks first-class: one deploy, dedicated vCPU, managed Postgres/Valkey, volumes and TLS all included in the plan |
| Heroku | ~$150 | no volumes; nothing between 1 GB ($50) and 2.5 GB ($250) dynos - 2 GB containers cost far more than shown |
| DO App Platform | ~$41 | no persistent volumes - stateful containers need managed DBs/Spaces (base $5 Spaces included here) |
| Render | ~$39 | per-service instances (0.5 GB $7, 2 GB $25) - every container is its own paid service |
| Railway | ~$31 | usage-based ($10/GB RAM-mo); vCPU billed separately at $20/vCPU-mo on top |
| Fly.io | ~$18 | cheapest sticker price - but burstable shared CPUs (1/16 core; dedicated vCPUs cost ~2-3×), no compose deploys (one app per container, manual wiring), managed DBs billed extra |
Estimates assume RAM fully allocated at published on-demand rates - and sticker price isn't the whole comparison: the cheaper rows buy burstable shared CPUs, per-service wiring instead of a compose deploy, and managed databases billed separately. Heroku and DO App Platform have no persistent volumes at all - stateful stacks like this one need workarounds there.
#deploy it
On Miget
- Create a Compose Stack in app.miget.com pointing at the templates repository
- Set the stack path to
keycloak -
Set the required variable:
KC_ADMIN_USERNAME / KC_ADMIN_PASSWORD, bootstrap admin, applied on first start against an empty database
- Deploy. Miget layers
compose.miget.yaml(RAM, privacy, volumes, managed services) automatically
Locally first?
Every template is portable, vanilla Docker Compose - the Miget overrides are ignored locally:
git clone https://github.com/deployable-sh/stacks
cd miget-compose-templates/keycloak
docker compose up -dSame files, same behavior. The template README covers connection strings and scaling notes.
#faq
How does self-hosted Keycloak compare to Auth0 pricing?
Auth0’s paid plans price per monthly active user and climb steeply past the entry tiers. Keycloak on this template is $25/month (4 GiB hobby plan) or $43/month Professional, flat, for unlimited users, realms, and clients. The trade is operating it yourself - which this template reduces to a deploy.
Is this production-mode Keycloak or a dev toy?
Production mode: kc start with a real Postgres, proxy headers configured for the platform’s TLS ingress, and correct https issuer URLs. start-dev appears nowhere in this template.
Where is Keycloak’s state stored?
Entirely in the managed Postgres (realms, users, clients, sessions config). The Keycloak pod is stateless - redeploys and restarts are uneventful, and the database gets the platform’s managed-service treatment.
Can I use Keycloak for SSO across my apps?
Yes - that is its core job. Create one realm, register each app as an OIDC client, and every standard auth library (NextAuth, Spring Security, Django, Rails) points at your realm’s well-known endpoint.
Ship Keycloak today
One compose stack, 3 GiB of RAM, from $25/month flat, and it runs on your laptop with the same files.