Keycloak MCP Server
An MCP server for Keycloak administration, offering over 30 tools to manage users, realms, clients, roles, and more from AI assistants.
Keycloak Model Context Protocol Server
A comprehensive Model Context Protocol (MCP) server for Keycloak administration, providing 80+ tools to manage users, realms, clients, roles, groups, sessions, events, organizations, protocol mappers, user attributes, client scopes, and identity providers directly from AI assistants like Claude Desktop or Cursor AI.
๐ Features
๐ค User Management
- โ Create, update, and delete users
- โ List, search, and get user details
- โ Reset user passwords
- โ Logout user sessions
- โ Manage user roles and groups
- โ NEW: User attributes management (critical for organization data)
๐๏ธ Realm Management
- โ List, create, update, and delete realms
- โ Get detailed realm settings and configurations
- โ Manage realm-level security policies
๐ง Client Management
- โ Register, update, and delete clients/applications
- โ List all clients in realms
- โ Configure client settings and redirect URIs
- โ NEW: Protocol mappers management (critical for JWT claims)
๐ญ Role Management
- โ Create, update, and delete roles (realm and client-level)
- โ Assign and remove roles from users and groups
- โ List all roles and user role assignments
- โ NEW: Composite roles and role hierarchies
- โ NEW: Advanced role operations by ID
- โ NEW: Find users with specific roles
๐ฅ Group Management
- โ Create, update, and delete user groups
- โ Add and remove users from groups
- โ Manage hierarchical group structures
- โ NEW: Group attributes management
- โ NEW: Child groups and subgroup management
- โ NEW: Group member listing and management
๐ข Organization Management โญ NEW
- โ Create, update, and delete organizations
- โ Add and remove organization members
- โ List organizations and members
- โ Organization attributes management
๐ Identity Provider Management โญ NEW
- โ Create, update, and delete identity providers (SSO)
- โ Identity provider mapper management
- โ SAML and OIDC provider configuration
- โ External user attribute mapping
๐ฏ Client Scopes Management โญ NEW
- โ Create, update, and delete client scopes
- โ Protocol mappers for client scopes
- โ Token scope management
๐ Session & Event Management
- โ List active user sessions
- โ Monitor authentication and admin events
- โ Clear event logs and manage session lifecycles
๐ก๏ธ Advanced Features
- โ Bulletproof authentication with fresh client instances
- โ Comprehensive error handling with detailed logging
- โ Cross-platform support (Windows, macOS, Linux)
- โ Production-ready with TypeScript and robust architecture
- โ Organization JWT Claims - Solve organization visibility in tokens
- โ 80+ Tools - Complete Keycloak administration coverage
๐ Prerequisites
- Node.js 18 or higher
- Running Keycloak instance (local or remote)
- Keycloak admin credentials with appropriate permissions
- AI Assistant that supports MCP (Claude Desktop, Cursor AI, etc.)
๐ฆ Installation
Global Installation (Recommended)
npm install -g keycloak-mcp-server
Using NPX (No Installation Required)
npx keycloak-mcp-server
Local Project Installation
npm install keycloak-mcp-server
Local Development
git clone https://github.com/M0-AR/keycloak-mcp-server.git
cd keycloak-mcp-server
npm install
npm run build
โ๏ธ Configuration
For Cursor AI
Add to your Cursor MCP configuration file (~/.cursor/mcp.json):
Option 1: Using NPX (Recommended)
{
"mcpServers": {
"keycloak": {
"command": "npx",
"args": ["keycloak-mcp-server"],
"env": {
"KEYCLOAK_URL": "https://your-keycloak-instance.com",
"KEYCLOAK_ADMIN": "your-admin-username",
"KEYCLOAK_ADMIN_PASSWORD": "your-admin-password"
}
}
}
}
Option 2: If Installed Globally
{
"mcpServers": {
"keycloak": {
"command": "keycloak-mcp-server",
"env": {
"KEYCLOAK_URL": "https://your-keycloak-instance.com",
"KEYCLOAK_ADMIN": "your-admin-username",
"KEYCLOAK_ADMIN_PASSWORD": "your-admin-password"
}
}
}
}
For Claude Desktop
Add to your Claude Desktop configuration:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"keycloak": {
"command": "npx",
"args": ["keycloak-mcp-server"],
"env": {
"KEYCLOAK_URL": "https://your-keycloak-instance.com",
"KEYCLOAK_ADMIN": "your-admin-username",
"KEYCLOAK_ADMIN_PASSWORD": "your-admin-password"
}
}
}
}
๐ Environment Variables
| Variable | Description | Default | Required |
|---|---|---|---|
KEYCLOAK_URL | The base URL of your Keycloak instance | http://localhost:8080 | โ |
KEYCLOAK_ADMIN | Admin username | admin | โ |
KEYCLOAK_ADMIN_PASSWORD | Admin password | admin | โ |
๏ฟฝ๏ฟฝ๏ธ Available Tools (80+ Tools)
๐ค User Management Tools
create-user
Creates a new user in a specified realm.
Create a user in "master" realm: username "john.doe", email "john@example.com", first name "John", last name "Doe"
update-user
Updates user information (email, names, enabled status).
Update user "user-id-123" in "master" realm to change email to "newemail@example.com"
delete-user
Deletes a user from a realm.
Delete user with ID "user-id-123" from "master" realm
list-users
Lists all users in a realm.
List all users in the "master" realm
search-users
Search users with filters (username, email, firstName, lastName).
Search for users with email containing "wateen.io" in "master" realm, limit 10 results
get-user
Get detailed information about a specific user.
Get details for user ID "user-id-123" in "master" realm
reset-user-password
Reset a user's password.
Reset password for user "user-id-123" in "master" realm to "newPassword123", make it temporary
logout-user
Logout all sessions for a specific user.
Logout all sessions for user "user-id-123" in "master" realm
set-user-attributes โญ NEW
Set user attributes (critical for organization data storage).
Set organization attribute for user "user-id-123" in "master" realm: {"organization": ["wateen-corp"]}
get-user-attributes โญ NEW
Get user attributes including unmanaged attributes.
Get all attributes for user "user-id-123" in "master" realm
๐๏ธ Realm Management Tools
list-realms
Lists all available realms.
Show me all available realms in Keycloak
create-realm
Creates a new realm with configurable settings.
Create a new realm called "company" with display name "Company Realm", enabled
update-realm
Updates realm settings and configurations.
Update realm "company" to change display name to "Updated Company"
delete-realm
Deletes an existing realm.
Delete the realm "test-realm"
get-realm-settings
Retrieves detailed settings of a realm.
Get detailed settings for the "master" realm
๐ง Client Management Tools
create-client
Registers a new client/application in a realm.
Create client "my-app" in "master" realm with redirect URIs ["http://localhost:3000/*"]
update-client
Updates client settings (redirect URIs, protocol mappers, etc.).
Update client "my-app" in "master" realm to add new redirect URI "https://app.example.com/*"
delete-client
Removes a client from a realm.
Delete client "old-app" from "master" realm
list-clients
Lists all clients in a realm.
List all clients in the "master" realm
create-protocol-mapper โญ NEW
Create protocol mappers for clients (critical for JWT organization claims).
Create organization group mapper for client "my-app" in "master" realm to include "organization" claim in JWT
update-protocol-mapper โญ NEW
Update existing protocol mappers.
Update protocol mapper "mapper-id-123" for client "my-app" in "master" realm
delete-protocol-mapper โญ NEW
Delete protocol mappers from clients.
Delete protocol mapper "mapper-id-123" from client "my-app" in "master" realm
list-protocol-mappers โญ NEW
List all protocol mappers for a client.
List all protocol mappers for client "my-app" in "master" realm
๐ฏ Client Scopes Management Tools โญ NEW
create-client-scope
Create a new client scope for managing token scopes.
Create client scope "organization-scope" in "master" realm for organization claims
update-client-scope
Update existing client scope.
Update client scope "scope-id-123" in "master" realm to change description
delete-client-scope
Delete a client scope.
Delete client scope "scope-id-123" from "master" realm
list-client-scopes
List all client scopes in a realm.
List all client scopes in the "master" realm
get-client-scope
Get details of a specific client scope.
Get details for client scope "scope-id-123" in "master" realm
create-client-scope-protocol-mapper โญ NEW
Create protocol mappers for client scopes.
Create organization mapper for client scope "organization-scope" in "master" realm
update-client-scope-protocol-mapper โญ NEW
Update protocol mappers in client scopes.
Update protocol mapper "mapper-id-123" in client scope "scope-id-456" in "master" realm
delete-client-scope-protocol-mapper โญ NEW
Delete protocol mappers from client scopes.
Delete protocol mapper "mapper-id-123" from client scope "scope-id-456" in "master" realm
list-client-scope-protocol-mappers โญ NEW
List protocol mappers for a client scope.
List all protocol mappers for client scope "scope-id-123" in "master" realm
๐ข Organization Management Tools โญ NEW
create-organization
Create a new organization.
Create organization "wateen-corp" with description "Wateen Corporation" in "master" realm
update-organization
Update existing organization.
Update organization "org-id-123" in "master" realm to change name to "Updated Corp"
delete-organization
Delete an organization.
Delete organization "org-id-123" from "master" realm
list-organizations
List all organizations in a realm.
List all organizations in "master" realm with search "wateen", limit 10
get-organization
Get details of a specific organization.
Get details for organization "org-id-123" in "master" realm
add-organization-member
Add a user to an organization.
Add user "user-id-123" to organization "org-id-456" in "master" realm
remove-organization-member
Remove a user from an organization.
Remove user "user-id-123" from organization "org-id-456" in "master" realm
list-organization-members
List all members of an organization.
List all members of organization "org-id-123" in "master" realm, limit 20
๐ญ Role Management Tools
create-role
Creates roles at realm or client level.
Create a realm role "manager" with description "Manager role" in "master" realm
update-role
Modifies role attributes.
Update role "manager" in "master" realm to change description to "Updated manager role"
delete-role
Deletes roles.
Delete role "old-role" from "master" realm
list-roles
Lists all roles in a realm.
List all roles in the "master" realm
assign-role-to-user
Assigns a role to a user.
Assign role "manager" to user "user-id-123" in "master" realm
remove-role-from-user
Removes a role from a user.
Remove role "manager" from user "user-id-123" in "master" realm
get-user-roles
Gets all roles assigned to a user.
Get all roles for user "user-id-123" in "master" realm
create-composite-role โญ NEW
Create composite roles (role hierarchies).
Create composite role from "parent-role-id" with child roles ["child-role-1", "child-role-2"] in "master" realm
get-composite-roles โญ NEW
Get composite roles for a role.
Get composite roles for role "role-id-123" in "master" realm, limit 10
delete-composite-roles โญ NEW
Delete composite roles from a role.
Remove composite roles ["child-role-1", "child-role-2"] from role "parent-role-id" in "master" realm
get-role-by-id โญ NEW
Get role details by ID.
Get role details for role ID "role-id-123" in "master" realm
update-role-by-id โญ NEW
Update role by ID.
Update role "role-id-123" in "master" realm to change name to "new-role-name"
delete-role-by-id โญ NEW
Delete role by ID.
Delete role with ID "role-id-123" from "master" realm
find-users-with-role โญ NEW
Find users with a specific role.
Find all users with role "manager" in "master" realm, limit 20
assign-role-to-group โญ NEW
Assign a role to a group.
Assign role "developer" to group "group-id-123" in "master" realm
remove-role-from-group โญ NEW
Remove a role from a group.
Remove role "developer" from group "group-id-123" in "master" realm
get-group-roles โญ NEW
Get roles assigned to a group.
Get all roles for group "group-id-123" in "master" realm
list-available-group-roles โญ NEW
List available roles for a group.
List available roles for group "group-id-123" in "master" realm
list-composite-group-roles โญ NEW
List composite roles for a group.
List composite roles for group "group-id-123" in "master" realm
๐ฅ Group Management Tools
create-group
Creates user groups.
Create a group called "developers" in "master" realm
update-group
Updates group attributes.
Update group "group-id-123" in "master" realm to change name to "senior-developers"
delete-group
Deletes groups.
Delete group "group-id-123" from "master" realm
list-groups
Lists all groups in a realm.
List all groups in the "master" realm
manage-user-groups
Adds or removes users from groups.
Add user "user-id-123" to group "group-id-456" in "master" realm
set-group-attributes โญ NEW
Set group attributes (organization metadata).
Set organization attributes for group "group-id-123" in "master" realm: {"department": ["engineering"]}
get-group-attributes โญ NEW
Get group attributes.
Get all attributes for group "group-id-123" in "master" realm
create-child-group โญ NEW
Create a child group (subgroup).
Create child group "junior-devs" under parent group "group-id-123" in "master" realm
list-sub-groups โญ NEW
List subgroups of a parent group.
List subgroups of parent group "group-id-123" in "master" realm, limit 10
list-group-members โญ NEW
List members of a group.
List all members of group "group-id-123" in "master" realm, limit 20
๐ Identity Provider Management Tools โญ NEW
create-identity-provider
Create a new identity provider for SSO integration.
Create SAML identity provider "company-saml" in "master" realm with SSO URL and certificate
update-identity-provider
Update an existing identity provider.
Update identity provider "company-saml" in "master" realm to change display name
delete-identity-provider
Delete an identity provider.
Delete identity provider "old-saml" from "master" realm
list-identity-providers
List all identity providers in a realm.
List all identity providers in "master" realm
get-identity-provider
Get details of a specific identity provider.
Get details for identity provider "company-saml" in "master" realm
create-identity-provider-mapper
Create a mapper for identity provider (external user mapping).
Create user attribute mapper for identity provider "company-saml" in "master" realm
update-identity-provider-mapper
Update an identity provider mapper.
Update mapper "mapper-id-123" for identity provider "company-saml" in "master" realm
๐ Session & Event Management Tools
list-sessions
Lists all active sessions in a realm.
List all active sessions in "master" realm
get-user-sessions
Lists active sessions for a specific user.
Get active sessions for user "user-id-123" in "master" realm
list-events
Retrieves authentication and admin events.
List last 10 events in "master" realm
clear-events
Clears event logs.
Clear all events in "master" realm
๐งช Testing & Development
Testing with MCP Inspector
npx @modelcontextprotocol/inspector npx keycloak-mcp-server
Visit http://localhost:6274 to test all 80+ tools interactively.
Local Development
npm run watch # Auto-rebuild on changes
npm run dev # Test server directly
Stress Testing
The server has been stress-tested with 80+ consecutive operations without authentication failures, demonstrating production-level reliability.
๐ง Architecture
Bulletproof Authentication System
- Fresh Client Instances: Creates new KcAdminClient for every request
- Retry Logic: Exponential backoff with 2 attempts maximum
- Connection Management: 15-second timeout with proper cleanup
- Error Handling: Comprehensive error messages for all scenarios
TypeScript Implementation
- Type Safety: Full TypeScript coverage with proper interfaces
- Error Handling: Detailed error messages and logging
- Modular Design: Clean separation of concerns
๐ Production Ready
This package has been extensively tested and validated:
- โ 80+ consecutive operations without authentication failures
- โ Cross-realm operations working seamlessly
- โ Parallel tool execution supported
- โ Complex search queries with multiple filters
- โ Error recovery and detailed logging
- โ TypeScript compilation with zero errors
- โ Complete Keycloak API coverage with organization management
๐ฏ JWT Organization Problem Solved
This package specifically addresses the common JWT organization problem:
- โ User Attributes: Store organization data in user attributes
- โ Protocol Mappers: Create mappers to include organization in JWT tokens
- โ Client Scopes: Manage token scopes for organization claims
- โ Organizations: Full organization lifecycle management
- โ Group Attributes: Store organization metadata in groups
Example workflow:
- Create organization using
create-organization - Set user organization attribute using
set-user-attributes - Create protocol mapper using
create-protocol-mapperto include organization in JWT - Add user to organization using
add-organization-member
๐ Security Best Practices
- Use environment variables for credentials
- Enable HTTPS for production Keycloak instances
- Use strong admin passwords
- Regularly rotate credentials
- Monitor admin events and sessions
๐ค Contributing
- Fork the repository
- Create a feature branch:
git checkout -b feature/amazing-feature - Commit changes:
git commit -m 'Add amazing feature' - Push to branch:
git push origin feature/amazing-feature - Open a Pull Request
๐ License
MIT License - see LICENSE file for details.
๐ Support
- GitHub Issues: Create an issue
- Documentation: Check this README for comprehensive examples
- MCP Documentation: Model Context Protocol
๐ Related Projects
- Claude Desktop - AI assistant supporting MCP
- Cursor AI - AI-powered code editor with MCP support
- Model Context Protocol - Protocol specification
- Keycloak - Open source identity and access management
๐ Package Stats
- 80+ Tools: Complete Keycloak administration coverage
- Production Ready: Extensively tested and validated
- TypeScript: Full type safety and modern development experience
- Cross-Platform: Windows, macOS, and Linux support
- Zero Dependencies Issues: Robust dependency management
- Organization Management: Solve JWT organization visibility problems
- Advanced Features: Protocol mappers, client scopes, identity providers
Made with โค๏ธ for the Keycloak and AI community
Related Servers
Remote MCP Server Authless
An example of a remote MCP server deployed on Cloudflare Workers without authentication.
spm-mcp
iOS Swift Package Manager server written in Swift
Biel.ai MCP Server
Connect AI tools like Cursor and VS Code to your product documentation using the Biel.ai platform.
Unity MCP
An MCP server and plugin for connecting the Unity Editor and games to MCP clients like Claude Desktop.
Roo Activity Logger
Automatically logs AI coding assistant activities, such as command executions and code generation, into searchable JSON files.
Union - Unity MCP Server
An MCP server for managing and interacting with Unity projects.
Taeks MCP Server
An example MCP server designed for deployment on Cloudflare Workers, operating without authentication.
Deepseek Thinker
Provides Deepseek's reasoning capabilities to AI clients, supporting both the Deepseek API and local Ollama server modes.
UnrealMCP Plugin
An unofficial MCP server plugin for remote control of Unreal Engine using AI tools.
Jupyter MCP Server
Interact with Jupyter notebooks running in any JupyterLab environment, supporting real-time control and smart execution of notebook cells.