I’m on Keycloak + lldap for user provisioning and services that don’t support OIDC or SAML. I have yet to find a OAuth or SAML feature it doesn’t have. It does have a steep learning curve tho, so Authentik is maybe a better solution to get started with.

I personally hit a wall with Authentik when I was trying to get different signature key algorithms for different services (some services have different supported set of key algorithms than others) and custom plugins for custom JWT fields and user attributes.

I believe Authentik has something for extensions as well, but Keycloak is just Java, which has a much better development and deployment experience than throwing a .py or .js file in some directory and hoping it works.