Octodet Keycloak
Administer Keycloak by managing users, realms, roles, and other resources through an LLM interface.
Octodet Keycloak MCP Server
A powerful Model Context Protocol server for Keycloak administration, providing a comprehensive set of tools to manage users, realms, roles, and other Keycloak resources through LLM interfaces.
Features
- User Management: Create, delete, and list users across realms
- Realm Administration: Comprehensive realm management capabilities
- Secure Integration: Authentication with admin credentials
- Easy Configuration: Simple setup with environment variables
- LLM Integration: Seamless use with Claude, ChatGPT, and other MCP-compatible AI assistants
Installation
Via NPM (Recommended)
The server is available as an NPM package:
# Direct usage with npx
npx -y @octodet/keycloak-mcp
# Or global installation
npm install -g @octodet/keycloak-mcp
Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
| KEYCLOAK_URL | Keycloak server URL | http://localhost:8080 |
| KEYCLOAK_ADMIN | Admin username | admin |
| KEYCLOAK_ADMIN_PASSWORD | Admin password | admin |
| KEYCLOAK_REALM | Default realm | master |
MCP Client Configuration
VS Code
Add this to your settings.json:
{
"mcp.servers": {
"keycloak": {
"command": "npx",
"args": ["-y", "@octodet/keycloak-mcp"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
Claude Desktop
Configure in your Claude Desktop configuration file:
{
"mcpServers": {
"keycloak": {
"command": "npx",
"args": ["-y", "@octodet/keycloak-mcp"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
For Local Development
{
"mcpServers": {
"keycloak": {
"command": "node",
"args": ["path/to/build/index.js"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
Available Tools
The server provides a comprehensive set of MCP tools for Keycloak administration. Each tool is designed to perform specific administrative tasks across realms, users, and roles.
📋 Tool Overview
| Tool | Category | Description |
|---|---|---|
create-user | User Management | Create a new user in a specified realm |
delete-user | User Management | Delete an existing user from a realm |
list-users | User Management | List all users in a specified realm |
list-realms | Realm Management | List all available realms |
list-roles | Role Management | List all roles for a specific client |
update-user-roles | Role Management | Add or remove client roles for a user |
👥 User Management
create-user
Creates a new user in a specified realm with comprehensive user attributes and optional credentials.
Required Parameters:
realm(string): Target realm nameusername(string): Unique username for the new useremail(string): Valid email addressfirstName(string): User's first namelastName(string): User's last name
Optional Parameters:
enabled(boolean): Enable/disable user account (default:true)emailVerified(boolean): Mark email as verifiedcredentials(array): Array of credential objects for setting passwords
Credential Object Structure:
type(string): Credential type (e.g., "password")value(string): The credential valuetemporary(boolean): Whether password must be changed on first login
Example Usage:
{
"realm": "my-app-realm",
"username": "john.doe",
"email": "john.doe@company.com",
"firstName": "John",
"lastName": "Doe",
"enabled": true,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "TempPassword123!",
"temporary": true
}
]
}
Response: Returns the created user ID and confirmation message.
delete-user
Permanently removes a user from the specified realm. This action cannot be undone.
Required Parameters:
realm(string): Target realm nameuserId(string): Unique identifier of the user to delete
Example Usage:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c"
}
Response: Confirmation message of successful deletion.
⚠️ Warning: This operation is irreversible. Ensure you have the correct user ID before execution.
list-users
Retrieves a list of all users in the specified realm with their basic information.
Required Parameters:
realm(string): Target realm name
Example Usage:
{
"realm": "my-app-realm"
}
Response: Returns a formatted list showing usernames and user IDs for all users in the realm.
🏛️ Realm Management
list-realms
Retrieves all available realms in the Keycloak instance.
Parameters: None required
Example Usage:
{}
Response: Returns a list of all realm names available in the Keycloak installation.
Use Cases:
- Discovering available realms
- Validating realm names before other operations
- Administrative overview of the Keycloak setup
🔐 Role Management
list-roles
Lists all roles defined for a specific client within a realm. Useful for understanding available permissions and roles before assignment.
Required Parameters:
realm(string): Target realm nameclientId(string): Client ID or UUID of the target client
Example Usage:
{
"realm": "my-app-realm",
"clientId": "my-application"
}
Alternative with Client UUID:
{
"realm": "my-app-realm",
"clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
Response: Returns a formatted list of all role names available for the specified client.
💡 Tip: You can use either the client's human-readable ID or its UUID identifier.
update-user-roles
Manages client role assignments for a user. Allows both adding and removing roles in a single operation.
Required Parameters:
realm(string): Target realm nameuserId(string): User's unique identifierclientId(string): Client ID or UUID
Optional Parameters:
rolesToAdd(array): List of role names to assign to the userrolesToRemove(array): List of role names to remove from the user
Example Usage - Adding Roles:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToAdd": ["admin", "user-manager", "report-viewer"]
}
Example Usage - Removing Roles:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToRemove": ["temporary-access", "beta-tester"]
}
Example Usage - Combined Operation:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToAdd": ["senior-user"],
"rolesToRemove": ["junior-user", "trainee"]
}
Response: Detailed summary of roles added, removed, and any errors encountered.
🔍 Notes:
- At least one of
rolesToAddorrolesToRemovemust be provided - Non-existent roles are skipped with warnings
- The operation is atomic per role list (all or none for each operation type)
🚀 Usage Tips
-
User IDs vs Usernames: Most operations require user IDs (UUIDs), not usernames. Use
list-usersto find the correct user ID. -
Client Identification: The
clientIdparameter accepts both human-readable client IDs and UUID identifiers. -
Realm Validation: Always verify realm names using
list-realmsbefore performing operations. -
Role Discovery: Use
list-rolesto discover available roles before attempting role assignments. -
Error Handling: All tools provide detailed error messages for troubleshooting authentication, permission, or parameter issues.
Development
Setting Up Your Development Environment
# Clone the repository
git clone <repository-url>
# Install dependencies
npm install
# Start the development server with watch mode
npm run watch
Adding New Tools
To add a new tool to the server:
- Define the tool schema in
src/index.tsusing Zod - Add the tool definition to the
ListToolsRequestSchemahandler - Implement the tool handler in the
CallToolRequestSchemaswitch statement - Update this README to document the new tool
Testing
Using MCP Inspector
The MCP Inspector is a great tool for testing your MCP server:
npx -y @modelcontextprotocol/inspector npx -y @octodet/keycloak-mcp
Integration Testing
For testing with a local Keycloak instance:
# Start Keycloak with Docker
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:latest start-dev
# In another terminal, run the MCP server
npm run build
node build/index.js
Deployment
NPM Package
This project is published to NPM under @octodet/keycloak-mcp.
Automated Deployment
This project uses GitHub Actions for CI/CD to automatically test and publish to NPM when a new release is created.
Prerequisites
- Node.js 18 or higher
- Running Keycloak instance
License
This project is licensed under the MIT License - see the LICENSE file for details.
Author
Octodet - Building intelligent tools for developers
Related Servers
MCP Server Sample
Provides weather information tools using the US National Weather Service API.
fal-ai/minimax/image-01
Advanced text-to-image generation model using the fal.ai API. Requires a FAL_KEY environment variable.
Cloud PC Management
Manage Azure Cloud PCs using the Microsoft Graph API.
Greenhouse MCP Server by CData
A read-only MCP server for querying live Greenhouse data using the CData JDBC driver.
Vulpes Spotify
Interact with Spotify to search for and play tracks using an AI assistant.
Kubernetes MCP
A read-only MCP server for retrieving information and diagnosing issues in Kubernetes clusters.
Netlify MCP Server
An MCP server providing comprehensive access to Netlify's features and services.
BICScan
Provides risk scoring and asset information for blockchain addresses, domains, and dApps using the BICScan API.
Google Admin MCP
A Model Context Protocol (MCP) server enabling interaction with Google Admin APIs.
KiotViet SDK
Access the KiotViet API, a popular sales and inventory management platform. Manage products, categories, customers, and orders with automatic authentication.