Octodet Keycloak
Administer Keycloak by managing users, realms, roles, and other resources through an LLM interface.
Octodet Keycloak MCP Server
A powerful Model Context Protocol server for Keycloak administration, providing a comprehensive set of tools to manage users, realms, roles, and other Keycloak resources through LLM interfaces.
Features
- User Management: Create, delete, and list users across realms
- Realm Administration: Comprehensive realm management capabilities
- Secure Integration: Authentication with admin credentials
- Easy Configuration: Simple setup with environment variables
- LLM Integration: Seamless use with Claude, ChatGPT, and other MCP-compatible AI assistants
Installation
Via NPM (Recommended)
The server is available as an NPM package:
# Direct usage with npx
npx -y @octodet/keycloak-mcp
# Or global installation
npm install -g @octodet/keycloak-mcp
Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
| KEYCLOAK_URL | Keycloak server URL | http://localhost:8080 |
| KEYCLOAK_ADMIN | Admin username | admin |
| KEYCLOAK_ADMIN_PASSWORD | Admin password | admin |
| KEYCLOAK_REALM | Default realm | master |
MCP Client Configuration
VS Code
Add this to your settings.json:
{
"mcp.servers": {
"keycloak": {
"command": "npx",
"args": ["-y", "@octodet/keycloak-mcp"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
Claude Desktop
Configure in your Claude Desktop configuration file:
{
"mcpServers": {
"keycloak": {
"command": "npx",
"args": ["-y", "@octodet/keycloak-mcp"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
For Local Development
{
"mcpServers": {
"keycloak": {
"command": "node",
"args": ["path/to/build/index.js"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
Available Tools
The server provides a comprehensive set of MCP tools for Keycloak administration. Each tool is designed to perform specific administrative tasks across realms, users, and roles.
📋 Tool Overview
| Tool | Category | Description |
|---|---|---|
create-user | User Management | Create a new user in a specified realm |
delete-user | User Management | Delete an existing user from a realm |
list-users | User Management | List all users in a specified realm |
list-realms | Realm Management | List all available realms |
list-roles | Role Management | List all roles for a specific client |
update-user-roles | Role Management | Add or remove client roles for a user |
👥 User Management
create-user
Creates a new user in a specified realm with comprehensive user attributes and optional credentials.
Required Parameters:
realm(string): Target realm nameusername(string): Unique username for the new useremail(string): Valid email addressfirstName(string): User's first namelastName(string): User's last name
Optional Parameters:
enabled(boolean): Enable/disable user account (default:true)emailVerified(boolean): Mark email as verifiedcredentials(array): Array of credential objects for setting passwords
Credential Object Structure:
type(string): Credential type (e.g., "password")value(string): The credential valuetemporary(boolean): Whether password must be changed on first login
Example Usage:
{
"realm": "my-app-realm",
"username": "john.doe",
"email": "john.doe@company.com",
"firstName": "John",
"lastName": "Doe",
"enabled": true,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "TempPassword123!",
"temporary": true
}
]
}
Response: Returns the created user ID and confirmation message.
delete-user
Permanently removes a user from the specified realm. This action cannot be undone.
Required Parameters:
realm(string): Target realm nameuserId(string): Unique identifier of the user to delete
Example Usage:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c"
}
Response: Confirmation message of successful deletion.
⚠️ Warning: This operation is irreversible. Ensure you have the correct user ID before execution.
list-users
Retrieves a list of all users in the specified realm with their basic information.
Required Parameters:
realm(string): Target realm name
Example Usage:
{
"realm": "my-app-realm"
}
Response: Returns a formatted list showing usernames and user IDs for all users in the realm.
🏛️ Realm Management
list-realms
Retrieves all available realms in the Keycloak instance.
Parameters: None required
Example Usage:
{}
Response: Returns a list of all realm names available in the Keycloak installation.
Use Cases:
- Discovering available realms
- Validating realm names before other operations
- Administrative overview of the Keycloak setup
🔐 Role Management
list-roles
Lists all roles defined for a specific client within a realm. Useful for understanding available permissions and roles before assignment.
Required Parameters:
realm(string): Target realm nameclientId(string): Client ID or UUID of the target client
Example Usage:
{
"realm": "my-app-realm",
"clientId": "my-application"
}
Alternative with Client UUID:
{
"realm": "my-app-realm",
"clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
Response: Returns a formatted list of all role names available for the specified client.
💡 Tip: You can use either the client's human-readable ID or its UUID identifier.
update-user-roles
Manages client role assignments for a user. Allows both adding and removing roles in a single operation.
Required Parameters:
realm(string): Target realm nameuserId(string): User's unique identifierclientId(string): Client ID or UUID
Optional Parameters:
rolesToAdd(array): List of role names to assign to the userrolesToRemove(array): List of role names to remove from the user
Example Usage - Adding Roles:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToAdd": ["admin", "user-manager", "report-viewer"]
}
Example Usage - Removing Roles:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToRemove": ["temporary-access", "beta-tester"]
}
Example Usage - Combined Operation:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToAdd": ["senior-user"],
"rolesToRemove": ["junior-user", "trainee"]
}
Response: Detailed summary of roles added, removed, and any errors encountered.
🔍 Notes:
- At least one of
rolesToAddorrolesToRemovemust be provided - Non-existent roles are skipped with warnings
- The operation is atomic per role list (all or none for each operation type)
🚀 Usage Tips
-
User IDs vs Usernames: Most operations require user IDs (UUIDs), not usernames. Use
list-usersto find the correct user ID. -
Client Identification: The
clientIdparameter accepts both human-readable client IDs and UUID identifiers. -
Realm Validation: Always verify realm names using
list-realmsbefore performing operations. -
Role Discovery: Use
list-rolesto discover available roles before attempting role assignments. -
Error Handling: All tools provide detailed error messages for troubleshooting authentication, permission, or parameter issues.
Development
Setting Up Your Development Environment
# Clone the repository
git clone <repository-url>
# Install dependencies
npm install
# Start the development server with watch mode
npm run watch
Adding New Tools
To add a new tool to the server:
- Define the tool schema in
src/index.tsusing Zod - Add the tool definition to the
ListToolsRequestSchemahandler - Implement the tool handler in the
CallToolRequestSchemaswitch statement - Update this README to document the new tool
Testing
Using MCP Inspector
The MCP Inspector is a great tool for testing your MCP server:
npx -y @modelcontextprotocol/inspector npx -y @octodet/keycloak-mcp
Integration Testing
For testing with a local Keycloak instance:
# Start Keycloak with Docker
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:latest start-dev
# In another terminal, run the MCP server
npm run build
node build/index.js
Deployment
NPM Package
This project is published to NPM under @octodet/keycloak-mcp.
Automated Deployment
This project uses GitHub Actions for CI/CD to automatically test and publish to NPM when a new release is created.
Prerequisites
- Node.js 18 or higher
- Running Keycloak instance
License
This project is licensed under the MIT License - see the LICENSE file for details.
Author
Octodet - Building intelligent tools for developers
Related Servers
Remote MCP Server (Authless)
A remote MCP server deployable on Cloudflare Workers without authentication.
MCP Spotify AI Assistant
An AI assistant that controls Spotify features like playback, playlists, and search using the Model Context Protocol (MCP).
Coolify MCP Server
An MCP server for integrating with Coolify, the self-hostable alternative to Netlify and Vercel.
Globus
Manage research data and compute with Globus.
Crypto Price & Market Analysis
Provides real-time cryptocurrency price data, market analysis, and historical trends using the CoinCap API.
tilt-mcp
Tilt MCP is a Model Context Protocol server that integrates with Tilt to provide programmatic access to Tilt resources, logs, and management operations for Kubernetes development environments
CData SAP Ariba Source
An MCP server for SAP Ariba Source, powered by CData. Requires the external CData JDBC Driver for SAP Ariba Source.
Remote MCP Server on Cloudflare
A remote MCP server deployable on Cloudflare Workers with OAuth login support.
Remote MCP Server on Cloudflare
A remote MCP server for Cloudflare Workers with OAuth login support, using Cloudflare KV for data storage.
Google Security
Access Google's security products and services, including Chronicle, SOAR, Threat Intelligence (GTI), and Security Command Center (SCC).