Keycloak MCP Server
A complete Model Context Protocol (MCP) server for Keycloak 26.x
Keycloak MCP Server
A comprehensive Model Context Protocol (MCP) server that exposes the Keycloak Admin REST API as typed MCP tools. 299 tools covering all API categories.
Features
- Complete API coverage: All 299 Keycloak Admin REST API endpoints
- Dual transport: stdio (Claude Code) and SSE (GitHub Copilot, other MCP clients)
- Auto-authentication: Supports both password and client credentials flows with automatic token refresh
- Zero configuration tools: Each tool is self-describing with full input schemas
API Categories
| Category | Tools |
|---|---|
| Attack Detection | 3 |
| Authentication Management | 38 |
| Client Certificates | 6 |
| Client Initial Access | 3 |
| Client Registration Policy | 1 |
| Client Role Mappings | 10 |
| Client Scopes | 10 |
| Clients | 33 |
| Components | 6 |
| Groups | 11 |
| Identity Providers | 15 |
| Keys | 2 |
| Organizations | 13 |
| Protocol Mappers | 14 |
| Realms Admin | 37 |
| Roles | 28 |
| Roles by ID | 10 |
| Scope Mappings | 29 |
| Users | 30 |
| Total | 299 |
Demo
(Add a GIF or screenshot here demonstrating 3 real prompts and their executed tools!)
Installation
Option 1: Run directly with uvx (Recommended)
You can run the server directly without manual installation using astral's uv:
uvx keycloak-mcp-server
(When using uvx, you can pass environment variables inline or keep them in your MCP config file.)
Option 2: Install via pip
If you prefer a global or virtual environment installation:
pip install git+https://github.com/paoloamato2/keycloak-mcp-server.git
Option 3: Install from source (For development)
git clone https://github.com/paoloamato2/keycloak-mcp-server.git
cd keycloak-mcp-server
uv pip install -e .
Configuration
Set environment variables (or create a .env file based on .env.example):
# Required
export KEYCLOAK_URL=http://localhost:8080
# Authentication - Option A: Password flow
export KEYCLOAK_ADMIN_USERNAME=admin
export KEYCLOAK_ADMIN_PASSWORD=admin
# Authentication - Option B: Client credentials flow
export KEYCLOAK_CLIENT_ID=my-client
export KEYCLOAK_CLIENT_SECRET=my-secret
# Optional
export KEYCLOAK_ADMIN_REALM=master # default: master
export KEYCLOAK_VERIFY_SSL=true # default: true
Usage
Claude Code (stdio)
Add to your Claude Code MCP configuration (~/.claude/claude_desktop_config.json or project-level):
{
"mcpServers": {
"keycloak": {
"command": "python",
"args": ["-m", "keycloak_mcp_server"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN_USERNAME": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
Or if installed with uv:
{
"mcpServers": {
"keycloak": {
"command": "uv",
"args": ["run", "--directory", "/path/to/keycloak-mcp-server", "python", "-m", "keycloak_mcp_server"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN_USERNAME": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
GitHub Copilot (SSE)
Start the server with SSE transport:
python -m keycloak_mcp_server --transport sse --port 8080
Then configure in your GitHub Copilot MCP settings (VS Code settings.json):
{
"github.copilot.chat.mcpServers": {
"keycloak": {
"type": "sse",
"url": "http://localhost:8080/sse"
}
}
}
Command Line
# stdio mode (default)
python -m keycloak_mcp_server
# SSE mode
python -m keycloak_mcp_server --transport sse --host 0.0.0.0 --port 8080
# Using the entry point
keycloak-mcp-server --transport sse --port 8080
Security & Production Recommendations
⚠️ SECURITY WARNING: This MCP Server registers all Keycloak Admin REST API endpoints (299 tools), including sensitive write operations (like creating/deleting users, resetting passwords, and managing realms). Do not use your master realm super-admin credentials in a production environment.
When attaching this MCP server to your AI Assistants, please strictly follow the Principle of Least Privilege:
-
Use Service Accounts (Client Credentials Flow): Avoid using the Password flow (
KEYCLOAK_ADMIN_USERNAME/KEYCLOAK_ADMIN_PASSWORD). Instead, create a dedicated Keycloak Client with Service Accounts Enabled, and use theKEYCLOAK_CLIENT_IDandKEYCLOAK_CLIENT_SECRET. -
Limit Target Realms: Do not attach the server to the
masterrealm unless specifically necessary. PointKEYCLOAK_ADMIN_REALMto the exact realm your AI assistant should manage. -
Grant Only Required Roles: Only assign the minimum necessary roles to your MCP Service Account.
- If your LLM only needs to read data: Assign only
view-users,view-clients, orview-realm. - If your LLM needs to manage users: Assign only
manage-users. - Never assign
adminorrealm-adminroles to the AI unless you are fully aware of the risks.
- If your LLM only needs to read data: Assign only
-
Always Verify SSL: Keep
KEYCLOAK_VERIFY_SSL=trueenabled in production to prevent Man-in-the-Middle (MITM) attacks. Setting it tofalseis only acceptable for local development.
Examples
Once connected, you can use natural language to interact with Keycloak:
- "List all realms" → calls
list_realms - "Create a user called john in the master realm" → calls
create_user - "Show me all clients in the production realm" → calls
list_clients - "What roles does user X have?" → calls
get_user_role_mappings - "Add the admin role to the developers group" → calls
add_group_realm_role_mappings
Project Structure
src/keycloak_mcp_server/
├── __init__.py # Package entry point
├── __main__.py # CLI entry point
├── config.py # Environment-based configuration
├── client.py # Async HTTP client with auto-auth
├── server.py # MCP server setup and tool registration
└── endpoints/ # Endpoint definitions by category
├── __init__.py # Base classes (EndpointDef, Param)
├── attack_detection.py
├── authentication.py
├── certificates.py
├── client_initial_access.py
├── client_registration_policy.py
├── client_role_mappings.py
├── client_scopes.py
├── clients.py
├── component.py
├── groups.py
├── identity_providers.py
├── key.py
├── organizations.py
├── protocol_mappers.py
├── realms.py
├── roles.py
├── roles_by_id.py
├── scope_mappings.py
└── users.py
License
MIT
Похожие серверы
Questrade MCP Server
An unofficial server to integrate with the Questrade API, providing access to trading accounts, market data, and portfolio information.
MCP Epic Free Games
Provides access to information about free games on the Epic Games Store.
Quiz MCP
MCP server for interactive quizzes
Lichess MCP
Interact with the Lichess chess platform using natural language.
Cred Protocol
On-chain credit scoring, financial reporting, and identity verification for Ethereum addresses. Get credit scores (300-1000), portfolio values, and identity attestations.
Fun Translations
Give your AI agent access to 150+ translators covering fictional languages, pop culture dialects, historical languages, technical encodings, and internet slang.
LLM Brand Monitor MCP Server
MCP server for LLM Brand Monitor — track how AI models mention your brand. Requires an API key (LBM_API_KEY) from llmbrandmonitor.com.
Cited By AI - CPS® Lite
Free AI citation readiness checker. Score any website 0-100 across 5 dimensions using the Citation Probability Score® (CPS®) framework. Checks structured data, meta tags, content quality, technical config, and AI signals.
Airplane.Live MCP Server
MCP server that connects to the Airplanes.live API to provide real-time flight and aircraft data for analysis or visualization.
Time Server
An MCP server that exposes datetime information to agentic systems and chat REPLs.