Sovereign Identity
CodeB Identity vs Okta, Auth0, Entra ID, Keycloak
An honest, no-marketing-spin feature matrix. We tell you where we win, where we tie, and where the competition is still ahead. Every row is a verifiable RFC reference or a public docs link — no flag-planting.
Feature matrix
Verified 2026-06-11 against vendor public documentation. An empty cell does not mean the feature is missing; it means the row does not apply to that column.
| Feature | CodeB Identity | Okta | Auth0 | Entra ID | Keycloak |
|---|---|---|---|---|---|
| Deployment & sovereignty | |||||
| Self-hosted on your IIS box (no Java, no Docker, no container orchestration required) | Yes | No (SaaS only) | No (SaaS only; Auth0 Private Cloud is hosted by Okta) | No (Microsoft cloud only) | Self-host (JVM / Quarkus, not IIS) |
| Sovereign data — user records never leave your premises | Yes | No | No | No | Yes |
| EU Cyber Resilience Act (Reg 2024/2847) compatible (on-prem deployment removes the vendor-managed-data complications) | Yes | Depends | Depends | Depends | Yes |
| Standards compliance | |||||
| OpenID Connect Core 1.0 (Authorization Code + PKCE, RS256 ID token) | Yes | Yes | Yes | Yes | Yes |
| RP-Initiated Logout 1.0 | Yes | Yes | Yes | Yes | Yes |
| RFC 7662 token introspection | Yes | Yes | Yes | Yes | Yes |
| RFC 7009 token revocation | Yes | Yes | Yes | Yes | Yes |
| RFC 7523 JWT-bearer grant | Yes | Yes | Yes | Yes | Yes |
| RFC 6749 OAuth 2.0 framework (Authorization Code + PKCE; refresh tokens; client_credentials for confidential apps) | Yes | Yes | Yes | Yes | Yes |
| RFC 7636 PKCE (S256) (required on every public client; each authorization code is bound to the S256 hash of the code_verifier, so only the client that holds the verifier can redeem it) | Yes | Yes | Yes | Yes | Yes |
| RFC 8414 Authorization Server Metadata (discovery document at /.well-known/openid-configuration, the OpenID-compatible location RFC 8414 allows, plus /.well-known/jwks.json as the jwks_uri) | Yes | Yes | Yes | Yes | Yes |
| RFC 8176 amr values in tokens (we emit amr: ["pwd"] / ["hwk","user"] / ["user"] per factor, so RPs can require step-up) | Yes | Yes | Yes | Yes | Yes |
| RFC 9068 JWT Profile for OAuth 2.0 Access Tokens (access tokens are RS256-signed JWTs carrying iss, sub, aud, scope and client_id; the profile also requires the typ at+jwt header and the exp, iat and jti claims, which an RP should check) | Yes | Yes | Yes | Yes | Yes |
| RFC 9101 JAR, JWT-Secured Authorization Request (used on the EU Wallet Verifier vp-request endpoint as an ES256-signed JAR carrying an x5c chain) | Yes | Yes | Yes | Yes | Yes |
| Sign-in methods | |||||
| Username + password (the browser sends a Digest-style HA1, H(username:realm:password), so the server never sees the plaintext; note that a stored HA1 is password-equivalent for that realm and must be protected like one) | Yes | Yes | Yes | Yes | Yes |
| Passkeys / FIDO2 / WebAuthn | Yes (per-tenant RP ID, COSE public key, signature-counter regression check, attestation=none) | Yes | Yes | Yes | Yes |
| Magic-link sign-in (passwordless email) | Yes (shipped 2026-06-11; 15-min TTL, single-use JTI, no-enumeration envelope) | Yes | Yes | Yes | Yes |
| EU Digital Identity Wallet (EUDI) sign-in (OID4VP 1.0, HAIP 1.0, SD-JWT VC, both the x509_hash and x509_san_dns Client Identifier Prefixes) | Yes | No (not yet generally available) | No (not yet generally available) | Preview (EU Wallet preview programme) | Plug-in (community plug-ins; no first-party support) |
| Self-service password reset | Yes (no-enumeration envelope, single-use JTI, browser-side HA1) | Yes | Yes | Yes | Yes |
| Authenticator app (TOTP, RFC 6238). 6-digit codes, 30-second step, ±1 step tolerance. Per-tenant encrypted secret, single-use recovery codes, audit-logged. Email fallback for users who lose their device. Admin one-click reset in /register.html for the lost-everything case (audit-logged with both admin and target). Per-session brute-force lockout: 5 wrong codes kills the session. Enrolment in /account.html. | Yes | Yes | Yes | Yes | Yes |
| Wallet-as-password-recovery. RFC 7523 JWT-bearer grant with acr=eudi-wallet: sign in once with the wallet and the wallet itself is the password-reset proof. No email loop. | Yes | No | No | No | No |
| Per-request Client Identifier Prefix selection. x509_hash or x509_san_dns chosen per request via a query parameter, with pinned defaults per relying party while wallets converge. | Yes | No | No | No | No |
| Three-method picker on one screen. Password, passkey and EU Wallet carry equal weight on /login.html, with magic-link email sign-in one click below. Relying parties deep-link with ?method=. No third login URL for end users to remember. | Yes | No | No | No | No |
| Operations & ergonomics | |||||
| Per-tenant signing keys, hot rotation (no service restart). private-key.xml → private-key-previous.xml; the JWKS publishes both keys during the overlap. | Yes | Yes | Yes | Yes | Yes |
| Multi-tenant by domain (one IIS site per tenant, shared codebase) | Yes | Yes (hosted multi-tenant) | Yes (hosted multi-tenant) | Yes (hosted multi-tenant) | Yes (realms) |
| Admin UI shipped with the product | Yes | Yes | Yes | Yes | Yes |
| Audit logs UI | Yes (per-tenant browser UI with event / user / since filters, colour-coded rows, tail-mode auto-refresh and CSV export; App_Data/<tenant>/logs/ remains the source of truth) | Yes | Yes | Yes | Yes |
| Bundled with WebRTC meetings, SIP phone bridge, Voice AI, outbound AI campaigns | Yes (same product, same admin, same per-tenant config) | No | No | Teams (only via a separate Microsoft 365 subscription) | No |
| Single-process identity + comms (one Windows process owns the OIDC IdP, the WebRTC signalling, the SIP bridge and the Voice AI; no cross-process auth dance) | Yes | No | No | No | No |
| EU jurisdiction (made in Malta; GDPR, NIS2, DORA, EU Cyber Resilience Act (Reg 2024/2847) and eIDAS 2.0 aligned natively; no transatlantic data-residency mitigations needed) | Yes | EU region (US-headquartered; EU data residency available) | EU region (US-headquartered; EU data residency available) | EU region (US-headquartered; EU data residency available) | Yes (self-hosted, so jurisdiction follows your deployment; Red Hat has an NL/EU presence and the project itself is jurisdiction-neutral) |
| Pricing model (public list, 2026) | |||||
| Pricing posture | One-off licence + maintenance (no per-MAU fee; see pricing) | Per-MAU SaaS | Per-MAU SaaS | Per-user, with premium tiers | Free (you operate it) |
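The signing-key rotation, RFC 9068 and RFC 8176 rows in the matrix describe what a relying party has to check, not just what the IdP emits. The following is an added example in Go, written for this page; it is not CodeB's code and not any vendor's SDK. It models a parsed JWKS holding both the current and the previous kid, mints an RS256 at+jwt token under the previous key, verifies it by pinning alg and typ, selecting the key by kid and checking the signature before trusting any claim, and then applies an amr step-up check. The issuer, audience, kid names and claim set are assumed placeholders; JWKS n/e base64url decoding and the iat/jti checks RFC 9068 also requires are left out to keep the block short.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

const issuer, audience = "https://idp.example.test", "https://api.example.test" // assumed placeholders

type KeySet map[string]*rsa.PublicKey // stands in for a parsed JWKS: kid -> key (n/e decoding omitted)

type Claims struct { // RFC 9068 access-token claims; iat and jti (also required) omitted for brevity
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Scope string   `json:"scope"`
	Amr   []string `json:"amr"` // RFC 8176 values, e.g. ["hwk","user"] for a passkey
}

var enc = base64.RawURLEncoding

// Sign mints an RS256 at+jwt token; the kid header tells the RP which published key to use.
func Sign(kid string, key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "at+jwt", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify pins alg/typ, picks the key by kid (both overlap keys work), checks the signature before any claim, then iss/aud/exp.
func Verify(token string, keys KeySet, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return c, err
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Typ, Kid string }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" || hdr.Typ != "at+jwt" {
		return c, errors.New("unexpected alg or typ")
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return c, errors.New("unknown kid")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], raw[2]) != nil {
		return c, errors.New("bad signature")
	}
	if json.Unmarshal(raw[1], &c) != nil {
		return c, errors.New("bad payload")
	}
	if c.Iss != issuer || c.Aud != audience || now.Unix() >= c.Exp {
		return c, errors.New("wrong iss/aud or expired")
	}
	return c, nil
}

// HasHardwareFactor is the RP-side step-up check: amr must contain "hwk". Registered
// amr values never contain spaces, so the padded substring search is an exact match.
func HasHardwareFactor(c Claims) bool {
	return strings.Contains(" "+strings.Join(c.Amr, " ")+" ", " hwk ")
}

// RotationScenario: a token signed by the previous key verifies during the overlap, fails once "previous" is dropped, and its amr satisfies step-up.
func RotationScenario() (duringOverlap, afterDrop, stepUp bool) {
	prev, _ := rsa.GenerateKey(rand.Reader, 2048)
	cur, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := Sign("previous", prev, Claims{Iss: issuer, Sub: "alice", Aud: audience,
		Exp: now.Add(5 * time.Minute).Unix(), Scope: "openid", Amr: []string{"hwk", "user"}})
	overlap := KeySet{"current": &cur.PublicKey, "previous": &prev.PublicKey}
	c, err := Verify(tok, overlap, now)
	duringOverlap, stepUp = err == nil, err == nil && HasHardwareFactor(c)
	_, err = Verify(tok, KeySet{"current": &cur.PublicKey}, now) // previous key dropped
	afterDrop = err == nil
	return
}
```

RotationScenario returns true, false, true: the overlap window is what lets in-flight tokens survive a rotation, and dropping the old kid is what finally invalidates them. The alg/typ pin before key lookup is deliberate: an alg of none or a JWT that is an ID token rather than an at+jwt is rejected without touching any key material.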
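The TOTP row in the matrix specifies 6 digits, 30-second steps, ±1 step tolerance and a session lockout on the fifth wrong code. The Go implementation below is an added example for this page, not the product's code; the Session structure and the replay rule (a time step that has already been accepted is never accepted again) are my assumptions about how such a check is normally written. It uses the RFC 6238 Appendix B test-vector secret so the codes it produces can be checked against the RFC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	stepSeconds = 30 // RFC 6238 time step
	skew        = 1  // accept the codes for T-1, T and T+1
	maxFails    = 5  // the fifth wrong code kills the session
)

var ErrLocked = errors.New("session locked: too many wrong codes")

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch.
func TOTP(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix())/stepSeconds)
}

// Session is the server-side second-factor state for one login session (assumed layout).
type Session struct {
	Secret   []byte // per-user TOTP secret (kept encrypted at rest in a real deployment)
	Fails    int
	LastStep uint64 // highest step already accepted; blocks replay of a verified code
	Locked   bool
}

// Check accepts a code for steps T-1..T+1, never accepts a step twice, counts
// misses, and locks the session on the fifth miss. The comparison is constant-time.
func (s *Session) Check(code string, now time.Time) (bool, error) {
	if s.Locked {
		return false, ErrLocked
	}
	t := now.Unix() / stepSeconds
	for d := int64(-skew); d <= skew; d++ {
		step := uint64(t + d)
		if step <= s.LastStep {
			continue // this step (or an earlier one) has already been consumed
		}
		if subtle.ConstantTimeCompare([]byte(hotp(s.Secret, step)), []byte(code)) == 1 {
			s.LastStep, s.Fails = step, 0
			return true, nil
		}
	}
	s.Fails++
	if s.Fails >= maxFails {
		s.Locked = true
		return false, ErrLocked
	}
	return false, nil
}

func main() {
	s := &Session{Secret: []byte("12345678901234567890")} // RFC 6238 Appendix B secret
	now := time.Unix(1234567890, 0)
	ok, err := s.Check(TOTP(s.Secret, now.Add(-30*time.Second)), now)
	fmt.Println("previous-step code accepted:", ok, err)
	ok, err = s.Check(TOTP(s.Secret, now.Add(-30*time.Second)), now)
	fmt.Println("same code replayed:", ok, err)
}
```

Two points matter beyond the arithmetic: a code is compared in constant time so a wrong guess does not leak how many digits matched, and the accepted step is recorded so the same code cannot be replayed inside the ±1 window, which the tolerance would otherwise allow.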
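Both the magic-link row and the self-service password-reset row rest on the same three properties: a single-use JTI, a 15-minute TTL, and a no-enumeration envelope. As an added example for this page (not CodeB's implementation; the storage layout, token format and message text are assumptions), this Go snippet shows what those properties look like in code: the same reply for every address, a 32-byte random token stored only as its SHA-256, deletion on first redemption, and one error for unknown, expired and replayed links.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

const linkTTL = 15 * time.Minute

// Envelope is the one reply every request gets, registered address or not,
// so the endpoint cannot be used to enumerate accounts.
const Envelope = "If that address has an account, a sign-in link is on its way."

var ErrInvalid = errors.New("link is invalid, expired or already used")

type record struct {
	email string
	exp   time.Time
}

// Store keeps issued links keyed by the SHA-256 of the token (the JTI), so a leaked
// table does not hand out live links. An entry is deleted on first redemption.
type Store struct {
	mu     sync.Mutex
	users  map[string]bool // constructed user directory for the example
	issued map[string]record
}

func NewStore(users ...string) *Store {
	s := &Store{users: map[string]bool{}, issued: map[string]record{}}
	for _, u := range users {
		s.users[strings.ToLower(u)] = true
	}
	return s
}

func jtiKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Request always returns Envelope. The token is returned only for a known account and
// would go out by email in a real deployment. The random draw happens before the lookup
// so that response timing does not differ by account existence.
func (s *Store) Request(email string, now time.Time) (message, token string) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.users[strings.ToLower(email)] {
		return Envelope, ""
	}
	token = base64.RawURLEncoding.EncodeToString(raw)
	s.issued[jtiKey(token)] = record{email: strings.ToLower(email), exp: now.Add(linkTTL)}
	return Envelope, token
}

// Redeem consumes the JTI exactly once and enforces the TTL. Unknown, expired and
// replayed tokens all fail with the same error, so the caller learns nothing extra.
func (s *Store) Redeem(token string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := jtiKey(token)
	rec, ok := s.issued[key]
	if !ok {
		return "", ErrInvalid
	}
	delete(s.issued, key) // single use: consumed even when it turns out to be expired
	if now.After(rec.exp) {
		return "", ErrInvalid
	}
	return rec.email, nil
}

func main() {
	s := NewStore("alice@example.test")
	now := time.Now()
	msg, tok := s.Request("alice@example.test", now)
	msg2, tok2 := s.Request("nobody@example.test", now)
	fmt.Println("same envelope:", msg == msg2, "| token only for known account:", tok != "" && tok2 == "")
	who, err := s.Redeem(tok, now)
	fmt.Println("first redemption:", who, err)
	_, err = s.Redeem(tok, now)
	fmt.Println("replay:", err)
}
```

The detail worth copying is that the store never holds the redeemable token itself, only its hash, and that a link is consumed on the first presentation regardless of outcome, so an attacker who obtains an expired link cannot keep probing it.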
Where CodeB Identity is genuinely ahead
EU Wallet, already live
OID4VP 1.0 + HAIP 1.0 Verifier serving real wallet flows on phone.codeb.io today. Both x509_hash and x509_san_dns Client Identifier Prefixes supported. SD-JWT VC parse + claim relay through OIDC id_token + UserInfo. Hosted IdPs are still in preview programmes.
IIS-native, no JVM
Drop-in on the Windows Server + IIS box you already pay for. No Docker, no Java, no Kubernetes. ASP.NET .ashx handlers compile on first request. The bridge is a single .NET service.
One product, three problems
OIDC IdP + WebRTC meetings + SIP phone bridge + Voice AI receptionist + outbound AI campaigns + TURN server, all in one install. No three-vendor integration project.
Sovereign by design
Tenant data lives in App_Data/<tenant>/ on disk you own. No telemetry pipeline phoning home. Compatible with EU CRA, NIS2 supply-chain expectations, and the basic GDPR principle of avoiding unnecessary processors.
Who should pick CodeB Identity?
- You already run IIS, want to add identity without standing up Java or containers.
- You need EU Wallet (EUDI) sign-in today, not on a hosted vendor’s preview waitlist.
- You also need meetings, SIP, or AI calls and would rather have one product than three subscriptions.
- Data sovereignty is a hard requirement (regulated sector, public sector, EU Cyber Resilience Act mindset).
- Per-MAU pricing on a hosted IdP doesn’t fit your budget at scale.
Who should pick the others?
- You need a huge catalogue of pre-built social and enterprise connectors.
- You explicitly want someone else to operate the IdP for you (CodeB is a self-hosted product).
- You’re deep in Microsoft 365 and want native Entra ID integration.
Want to try CodeB Identity?
No signup. The live IdP is on phone.codeb.io. Sign in with a passkey, EU Wallet, or password.
Trademarks: Okta is a registered mark of Okta, Inc. Auth0 is a registered mark of Okta, Inc. Microsoft Entra ID is a registered mark of Microsoft Corporation. Keycloak is a project of Red Hat, Inc. Mentioned here for descriptive purposes only.