Octodet/keycloak-mcp
If you are the rightful owner of keycloak-mcp and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.
The Octodet Keycloak MCP Server is a robust tool designed for efficient Keycloak administration, leveraging Model Context Protocol to manage users, realms, and roles through LLM interfaces.
create-user
Create a new user in a specified realm.
delete-user
Delete an existing user from a realm.
list-users
List all users in a specified realm.
list-realms
List all available realms.
list-roles
List all roles for a specific client.
update-user-roles
Add or remove client roles for a user.
Octodet Keycloak MCP Server
A powerful Model Context Protocol server for Keycloak administration, providing a comprehensive set of tools to manage users, realms, roles, and other Keycloak resources through LLM interfaces.
Features
- User Management: Create, delete, and list users across realms
- Realm Administration: Comprehensive realm management capabilities
- Secure Integration: Authentication with admin credentials
- Easy Configuration: Simple setup with environment variables
- LLM Integration: Seamless use with Claude, ChatGPT, and other MCP-compatible AI assistants
Installation
Via NPM (Recommended)
The server is available as an NPM package:
# Direct usage with npx
npx -y @octodet/keycloak-mcp
# Or global installation
npm install -g @octodet/keycloak-mcp
Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
| KEYCLOAK_URL | Keycloak server URL | http://localhost:8080 |
| KEYCLOAK_ADMIN | Admin username | admin |
| KEYCLOAK_ADMIN_PASSWORD | Admin password | admin |
| KEYCLOAK_REALM | Default realm | master |
MCP Client Configuration
VS Code
Add this to your settings.json:
{
"mcp.servers": {
"keycloak": {
"command": "npx",
"args": ["-y", "@octodet/keycloak-mcp"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
Claude Desktop
Configure in your Claude Desktop configuration file:
{
"mcpServers": {
"keycloak": {
"command": "npx",
"args": ["-y", "@octodet/keycloak-mcp"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
For Local Development
{
"mcpServers": {
"keycloak": {
"command": "node",
"args": ["path/to/build/index.js"],
"env": {
"KEYCLOAK_URL": "http://localhost:8080",
"KEYCLOAK_ADMIN": "admin",
"KEYCLOAK_ADMIN_PASSWORD": "admin"
}
}
}
}
Available Tools
The server provides a comprehensive set of MCP tools for Keycloak administration. Each tool is designed to perform specific administrative tasks across realms, users, and roles.
📋 Tool Overview
| Tool | Category | Description |
|---|---|---|
create-user | User Management | Create a new user in a specified realm |
delete-user | User Management | Delete an existing user from a realm |
list-users | User Management | List all users in a specified realm |
list-realms | Realm Management | List all available realms |
list-roles | Role Management | List all roles for a specific client |
update-user-roles | Role Management | Add or remove client roles for a user |
👥 User Management
create-user
Creates a new user in a specified realm with comprehensive user attributes and optional credentials.
Required Parameters:
realm(string): Target realm nameusername(string): Unique username for the new useremail(string): Valid email addressfirstName(string): User's first namelastName(string): User's last name
Optional Parameters:
enabled(boolean): Enable/disable user account (default:true)emailVerified(boolean): Mark email as verifiedcredentials(array): Array of credential objects for setting passwords
Credential Object Structure:
type(string): Credential type (e.g., "password")value(string): The credential valuetemporary(boolean): Whether password must be changed on first login
Example Usage:
{
"realm": "my-app-realm",
"username": "john.doe",
"email": "john.doe@company.com",
"firstName": "John",
"lastName": "Doe",
"enabled": true,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "TempPassword123!",
"temporary": true
}
]
}
Response: Returns the created user ID and confirmation message.
delete-user
Permanently removes a user from the specified realm. This action cannot be undone.
Required Parameters:
realm(string): Target realm nameuserId(string): Unique identifier of the user to delete
Example Usage:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c"
}
Response: Confirmation message of successful deletion.
⚠️ Warning: This operation is irreversible. Ensure you have the correct user ID before execution.
list-users
Retrieves a list of all users in the specified realm with their basic information.
Required Parameters:
realm(string): Target realm name
Example Usage:
{
"realm": "my-app-realm"
}
Response: Returns a formatted list showing usernames and user IDs for all users in the realm.
🏛️ Realm Management
list-realms
Retrieves all available realms in the Keycloak instance.
Parameters: None required
Example Usage:
{}
Response: Returns a list of all realm names available in the Keycloak installation.
Use Cases:
- Discovering available realms
- Validating realm names before other operations
- Administrative overview of the Keycloak setup
🔐 Role Management
list-roles
Lists all roles defined for a specific client within a realm. Useful for understanding available permissions and roles before assignment.
Required Parameters:
realm(string): Target realm nameclientId(string): Client ID or UUID of the target client
Example Usage:
{
"realm": "my-app-realm",
"clientId": "my-application"
}
Alternative with Client UUID:
{
"realm": "my-app-realm",
"clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
Response: Returns a formatted list of all role names available for the specified client.
💡 Tip: You can use either the client's human-readable ID or its UUID identifier.
update-user-roles
Manages client role assignments for a user. Allows both adding and removing roles in a single operation.
Required Parameters:
realm(string): Target realm nameuserId(string): User's unique identifierclientId(string): Client ID or UUID
Optional Parameters:
rolesToAdd(array): List of role names to assign to the userrolesToRemove(array): List of role names to remove from the user
Example Usage - Adding Roles:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToAdd": ["admin", "user-manager", "report-viewer"]
}
Example Usage - Removing Roles:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToRemove": ["temporary-access", "beta-tester"]
}
Example Usage - Combined Operation:
{
"realm": "my-app-realm",
"userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
"clientId": "my-application",
"rolesToAdd": ["senior-user"],
"rolesToRemove": ["junior-user", "trainee"]
}
Response: Detailed summary of roles added, removed, and any errors encountered.
🔍 Notes:
- At least one of
rolesToAddorrolesToRemovemust be provided - Non-existent roles are skipped with warnings
- The operation is atomic per role list (all or none for each operation type)
🚀 Usage Tips
-
User IDs vs Usernames: Most operations require user IDs (UUIDs), not usernames. Use
list-usersto find the correct user ID. -
Client Identification: The
clientIdparameter accepts both human-readable client IDs and UUID identifiers. -
Realm Validation: Always verify realm names using
list-realmsbefore performing operations. -
Role Discovery: Use
list-rolesto discover available roles before attempting role assignments. -
Error Handling: All tools provide detailed error messages for troubleshooting authentication, permission, or parameter issues.
Development
Setting Up Your Development Environment
# Clone the repository
git clone <repository-url>
# Install dependencies
npm install
# Start the development server with watch mode
npm run watch
Adding New Tools
To add a new tool to the server:
- Define the tool schema in
src/index.tsusing Zod - Add the tool definition to the
ListToolsRequestSchemahandler - Implement the tool handler in the
CallToolRequestSchemaswitch statement - Update this README to document the new tool
Testing
Using MCP Inspector
The MCP Inspector is a great tool for testing your MCP server:
npx -y @modelcontextprotocol/inspector npx -y @octodet/keycloak-mcp
Integration Testing
For testing with a local Keycloak instance:
# Start Keycloak with Docker
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:latest start-dev
# In another terminal, run the MCP server
npm run build
node build/index.js
Deployment
NPM Package
This project is published to NPM under @octodet/keycloak-mcp.
Automated Deployment
This project uses GitHub Actions for CI/CD to automatically test and publish to NPM when a new release is created.
Prerequisites
- Node.js 18 or higher
- Running Keycloak instance
License
This project is licensed under the MIT License - see the file for details.
Author
Octodet - Building intelligent tools for developers