I used to use oauth2-proxy with PocketID, but migrated to caddy-security for stuff that doesn't directly support OIDC as part of a general move to Caddy. It's nice not needing the sidecar container, though the docs for caddy-security are a bit confusing and I still find Caddy's whole approach to plugins a bit... odd. It does give you quite a lot of flexibility once you figure it out, and I think it was worthwhile after the initial learning period.
Yeah that's hard to scale when you have lots of services. For now, I am running multiple instances of oauth2-proxy instances and assigning user groups in pocket-id. How do you deal with apps not having native OIDC support?
Adding another +1 to Pocket ID. I looked at a couple of the ones you mentioned but they looked too heavy and complex for what I wanted. Pocket ID does one thing and does it well.
Kanidm made some weird decision that ruled it out in one of big organisation I try to deploy it. Separate Radius password. For telco that’s half its use cases, and there is separate random password. Whole Network engineering department was like WTF ? You can’t have single password which is one of important reasons to have SSOA.
Authelia? Authentik? Keycloak? (These are the three I see a lot about.) Something else?