[topspin]

I've used both the opensource WSO2 and Keycloak. That latter is better designed and suffers fewer glitches, which is important when dealing with the complexities of oidc/oauth2. It's not that WSO2 doesn't do what it says on the tin; it works. Keycloak just works so well it's almost fun.

One feature Keycloak lacks compared to WSO2 is SCIM (System for Cross-domain Identity Management). That actually matters to me. There is a third party Keycloak extension[1] that implements SCIM, but I can't speak to it.

[1] https://github.com/Captain-P-Goldfish/scim-for-keycloak