ADR-002: Zitadel for SSO
Status
Accepted
Context
RavenmaskOS services need unified authentication and authorization:
- Single sign-on across all web services
- OAuth2/OIDC support for third-party integrations
- User management and identity federation
- Fine-grained access control
We evaluated Keycloak, Authelia, Authentik, and Zitadel.
Decision
We chose Zitadel as the identity provider and SSO solution.
Zitadel provides:
- Full OIDC/OAuth2 implementation
- Built-in user management console
- Identity federation (Google, GitHub, etc.)
- Actions (serverless functions for auth flows)
- Multi-tenancy support
- Self-contained with embedded database option
Consequences
Positive
- Modern, clean UI for administration
- Well-documented API and SDKs
- Lightweight compared to Keycloak
- Active development and responsive maintainers
- Good Docker/container support
Negative
- Newer project, smaller community than Keycloak
- Some enterprise features require a paid tier
- Limited plugin ecosystem compared to Keycloak
Alternatives Considered
Keycloak
Industry standard but heavyweight: complex to configure and resource-intensive to run.
Authelia
Lightweight but limited: no built-in IdP management; it is primarily an authentication proxy.
Authentik
A good alternative, but its OAuth2 implementation was less mature at evaluation time.