Identity and access management buyers have to separate mature authentication, authorization, SSO, policy, password, and access-proxy projects from smaller projects with weaker shipping signals. This June 2026 section uses the supplied ToolVitals ranking data, including ToolVitals score, health score, shipping score, GitHub stars, status, openness_label, and license_label.
The ranking includes open/source-visible tools only and orders them by ToolVitals score first, with GitHub stars used as the secondary popularity signal when scores tie. The list uses the provided openness_label and license_label as-is, so tools marked OSI-approved OSS are described that way without extending that label beyond the data.
Rankings
| Rank | Tool | Openness | License | Health | Shipping | GitHub Stars | Score | Status |
|---|---|---|---|---|---|---|---|---|
| 1 | Authentik | OSI-approved OSS | MIT | 98 | 100 | 21897 | 99 | 🟢 Excellent |
| 2 | Thunder | OSI-approved OSS | Apache-2.0 | 95 | 100 | 236 | 97 | 🟢 Excellent |
| 3 | Keycloak | OSI-approved OSS | Apache-2.0 | 91 | 100 | 34834 | 96 | 🟢 Excellent |
| 4 | Casdoor | OSI-approved OSS | Apache-2.0 | 91 | 100 | 13758 | 96 | 🟢 Excellent |
| 5 | Logto | OSI-approved OSS | MPL-2.0 | 94 | 89 | 12142 | 94 | 🟢 Excellent |
| 6 | Frontier | OSI-approved OSS | Apache-2.0 | 89 | 98 | 333 | 93 | 🟢 Excellent |
| 7 | Pomerium | OSI-approved OSS | Apache-2.0 | 88 | 93 | 4836 | 92 | 🟢 Excellent |
| 8 | Jans | OSI-approved OSS | Apache-2.0 | 88 | 95 | 632 | 92 | 🟢 Excellent |
| 9 | FerrisKey | OSI-approved OSS | Apache-2.0 | 84 | 94 | 633 | 91 | 🟢 Excellent |
| 10 | Steward | OSI-approved OSS | MIT | 83 | 95 | 81 | 91 | 🟢 Excellent |
| 11 | Zitadel | OSI-approved OSS | AGPL-3.0 | 98 | 72 | 13993 | 90 | 🟢 Excellent |
| 12 | Kanidm | OSI-approved OSS | MPL-2.0 | 88 | 84 | 5036 | 90 | 🟢 Excellent |
| 13 | Cerbos | OSI-approved OSS | Apache-2.0 | 86 | 87 | 4447 | 90 | 🟢 Excellent |
| 14 | VoidAuth | OSI-approved OSS | AGPL-3.0 | 87 | 95 | 2153 | 90 | 🟢 Excellent |
| 15 | Authelia | OSI-approved OSS | Apache-2.0 | 87 | 87 | 28020 | 89 | 🟢 Excellent |
| 16 | Pocket ID | OSI-approved OSS | BSD-2-Clause | 91 | 84 | 8081 | 89 | 🟢 Excellent |
| 17 | AthenZ | OSI-approved OSS | Apache-2.0 | 86 | 84 | 990 | 89 | 🟢 Excellent |
| 18 | Weft ID | OSI-approved OSS | MIT | 79 | 95 | 11 | 89 | 🟢 Excellent |
| 19 | Passbolt | OSI-approved OSS | AGPL-3.0 | 87 | 75 | 5966 | 87 | 🟢 Excellent |
| 20 | Authgear | OSI-approved OSS | Apache-2.0 | 84 | 81 | 1828 | 87 | 🟢 Excellent |
| 21 | PearPass | OSI-approved OSS | Apache-2.0 | 83 | 87 | 472 | 87 | 🟢 Excellent |
| 22 | Seamless Auth | OSI-approved OSS | AGPL-3.0 | 77 | 82 | 2 | 84 | 🟢 Excellent |
| 23 | Authorizer | OSI-approved OSS | Apache-2.0 | 78 | 71 | 1965 | 81 | 🟢 Excellent |
| 24 | Ory Kratos | OSI-approved OSS | Apache-2.0 | 80 | 65 | 13687 | 80 | 🟢 Excellent |
| 25 | Kotauth | OSI-approved OSS | MIT | 79 | 64 | 51 | 80 | 🟢 Excellent |
| 26 | OPAL | OSI-approved OSS | Apache-2.0 | 84 | 57 | 5459 | 78 | 🟢 Good |
| 27 | authenticator-tauri | OSI-approved OSS | MIT | 72 | 61 | 1 | 74 | 🟢 Good |
| 28 | Hanko | OSI-approved OSS | AGPL-3.0 | 80 | 43 | 8946 | 73 | 🟢 Good |
| 29 | PowerAuth | OSI-approved OSS | Apache-2.0 | 71 | 53 | 61 | 73 | 🟢 Good |
| 30 | Open Authenticator | OSI-approved OSS | GPL-3.0 | 62 | 55 | 86 | 67 | 🟢 Good |
| 31 | Authula | OSI-approved OSS | Apache-2.0 | 46 | 51 | 215 | 58 | 🟡 Fair |
| 32 | MaxKey | OSI-approved OSS | Apache-2.0 | 64 | 25 | 1898 | 57 | 🟡 Fair |
| 33 | HVT | OSI-approved OSS | AGPL-3.0 | 46 | 27 | 3 | 52 | 🟡 Fair |
| 34 | ghost-auth | OSI-approved OSS | GPL-3.0 | 44 | 20 | 2 | 47 | 🟡 Fair |
| 35 | Buwana | OSI-approved OSS | GPL-3.0 | 38 | 17 | 3 | 43 | 🟡 Fair |
| 36 | EAuth | OSI-approved OSS | Apache-2.0 | 38 | 7 | 2 | 40 | 🟡 Fair |
| 37 | Oso | OSI-approved OSS | Apache-2.0 | 39 | 0 | 3494 | 39 | 🔴 Needs Attention |
| 38 | WAIS Core | OSI-approved OSS | MIT | 38 | 7 | 1 | 39 | 🔴 Needs Attention |
| 39 | nexeres | OSI-approved OSS | Apache-2.0 | 38 | 7 | 1 | 39 | 🔴 Needs Attention |
| 40 | Tesseral | OSI-approved OSS | MIT | 36 | 0 | 1133 | 36 | 🔴 Needs Attention |
| 41 | SSOReady | OSI-approved OSS | MIT | 31 | 0 | 1530 | 32 | 🔴 Needs Attention |
| 42 | Warrant | OSI-approved OSS | Apache-2.0 | 27 | 0 | 1335 | 31 | 🔴 Needs Attention |
| 43 | Padloc | OSI-approved OSS | AGPL-3.0 | 27 | 0 | 2920 | 30 | 🔴 Needs Attention |
| 44 | authman-app | OSI-approved OSS | GPL-3.0 | 26 | 0 | 61 | 28 | 🔴 Needs Attention |
| 45 | JAP | OSI-approved OSS | LGPL-3.0 | 6 | 0 | 168 | 21 | 🔴 Needs Attention |
Top 3 Highlights
Authentik ranks first with a ToolVitals score of 99, built from a 98 health score and a 100 shipping score. It is labeled OSI-approved OSS with an MIT license_label, has 21,897 GitHub stars, and is marked 🟢 Excellent, making it the strongest overall entry in this data set.
Thunder ranks second with a ToolVitals score of 97, a 95 health score, and a 100 shipping score. It has far fewer GitHub stars than several lower-ranked projects at 236, but the ranking approach puts ToolVitals score first, so its strong health and shipping signals place it ahead of larger projects. Its openness_label is OSI-approved OSS and its license_label is Apache-2.0.
Keycloak ranks third with a ToolVitals score of 96, a 91 health score, and a 100 shipping score. It has the largest GitHub star count in the top five at 34,834 stars, but it sits behind Authentik and Thunder because their ToolVitals scores are higher. Its openness_label is OSI-approved OSS and its license_label is Apache-2.0.
Want to see the full details, pricing, and trend data for every tool in Identity & Access Management? Browse all Identity & Access Management Tools →