Labsco
Octodet logo

Octodet Keycloak

โ˜… 3

from Octodet

Administer Keycloak by managing users, realms, roles, and other resources through an LLM interface.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

Octodet Keycloak MCP Server

A powerful Model Context Protocol server for Keycloak administration, providing a comprehensive set of tools to manage users, realms, roles, and other Keycloak resources through LLM interfaces.

Advanced Keycloak server MCP server

Features

  • User Management: Create, delete, and list users across realms
  • Realm Administration: Comprehensive realm management capabilities
  • Secure Integration: Authentication with admin credentials
  • Easy Configuration: Simple setup with environment variables
  • LLM Integration: Seamless use with Claude, ChatGPT, and other MCP-compatible AI assistants

Available Tools

The server provides a comprehensive set of MCP tools for Keycloak administration. Each tool is designed to perform specific administrative tasks across realms, users, and roles.

๐Ÿ“‹ Tool Overview

ToolCategoryDescription
create-userUser ManagementCreate a new user in a specified realm
delete-userUser ManagementDelete an existing user from a realm
list-usersUser ManagementList all users in a specified realm
list-realmsRealm ManagementList all available realms
list-rolesRole ManagementList all roles for a specific client
update-user-rolesRole ManagementAdd or remove client roles for a user

๐Ÿ‘ฅ User Management

create-user

Creates a new user in a specified realm with comprehensive user attributes and optional credentials.

Required Parameters:

  • realm (string): Target realm name
  • username (string): Unique username for the new user
  • email (string): Valid email address
  • firstName (string): User's first name
  • lastName (string): User's last name

Optional Parameters:

  • enabled (boolean): Enable/disable user account (default: true)
  • emailVerified (boolean): Mark email as verified
  • credentials (array): Array of credential objects for setting passwords

Credential Object Structure:

  • type (string): Credential type (e.g., "password")
  • value (string): The credential value
  • temporary (boolean): Whether password must be changed on first login

Example Usage:

{
  "realm": "my-app-realm",
  "username": "john.doe",
  "email": "john.doe@company.com",
  "firstName": "John",
  "lastName": "Doe",
  "enabled": true,
  "emailVerified": true,
  "credentials": [
    {
      "type": "password",
      "value": "TempPassword123!",
      "temporary": true
    }
  ]
}

Response: Returns the created user ID and confirmation message.


delete-user

Permanently removes a user from the specified realm. This action cannot be undone.

Required Parameters:

  • realm (string): Target realm name
  • userId (string): Unique identifier of the user to delete

Example Usage:

{
  "realm": "my-app-realm",
  "userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c"
}

Response: Confirmation message of successful deletion.

โš ๏ธ Warning: This operation is irreversible. Ensure you have the correct user ID before execution.


list-users

Retrieves a list of all users in the specified realm with their basic information.

Required Parameters:

  • realm (string): Target realm name

Example Usage:

{
  "realm": "my-app-realm"
}

Response: Returns a formatted list showing usernames and user IDs for all users in the realm.


๐Ÿ›๏ธ Realm Management

list-realms

Retrieves all available realms in the Keycloak instance.

Parameters: None required

Example Usage:

{}

Response: Returns a list of all realm names available in the Keycloak installation.

Use Cases:

  • Discovering available realms
  • Validating realm names before other operations
  • Administrative overview of the Keycloak setup

๐Ÿ” Role Management

list-roles

Lists all roles defined for a specific client within a realm. Useful for understanding available permissions and roles before assignment.

Required Parameters:

  • realm (string): Target realm name
  • clientId (string): Client ID or UUID of the target client

Example Usage:

{
  "realm": "my-app-realm",
  "clientId": "my-application"
}

Alternative with Client UUID:

{
  "realm": "my-app-realm",
  "clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

Response: Returns a formatted list of all role names available for the specified client.

๐Ÿ’ก Tip: You can use either the client's human-readable ID or its UUID identifier.


update-user-roles

Manages client role assignments for a user. Allows both adding and removing roles in a single operation.

Required Parameters:

  • realm (string): Target realm name
  • userId (string): User's unique identifier
  • clientId (string): Client ID or UUID

Optional Parameters:

  • rolesToAdd (array): List of role names to assign to the user
  • rolesToRemove (array): List of role names to remove from the user

Example Usage - Adding Roles:

{
  "realm": "my-app-realm",
  "userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
  "clientId": "my-application",
  "rolesToAdd": ["admin", "user-manager", "report-viewer"]
}

Example Usage - Removing Roles:

{
  "realm": "my-app-realm",
  "userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
  "clientId": "my-application",
  "rolesToRemove": ["temporary-access", "beta-tester"]
}

Example Usage - Combined Operation:

{
  "realm": "my-app-realm",
  "userId": "8f5c21e3-7c9d-4b5a-9f3e-8d4f6a2e7b1c",
  "clientId": "my-application",
  "rolesToAdd": ["senior-user"],
  "rolesToRemove": ["junior-user", "trainee"]
}

Response: Detailed summary of roles added, removed, and any errors encountered.

๐Ÿ” Notes:

  • At least one of rolesToAdd or rolesToRemove must be provided
  • Non-existent roles are skipped with warnings
  • The operation is atomic per role list (all or none for each operation type)

๐Ÿš€ Usage Tips

  1. User IDs vs Usernames: Most operations require user IDs (UUIDs), not usernames. Use list-users to find the correct user ID.

  2. Client Identification: The clientId parameter accepts both human-readable client IDs and UUID identifiers.

  3. Realm Validation: Always verify realm names using list-realms before performing operations.

  4. Role Discovery: Use list-roles to discover available roles before attempting role assignments.

  5. Error Handling: All tools provide detailed error messages for troubleshooting authentication, permission, or parameter issues.

Development

Setting Up Your Development Environment

# Clone the repository
git clone <repository-url>

# Install dependencies
npm install

# Start the development server with watch mode
npm run watch

Adding New Tools

To add a new tool to the server:

  1. Define the tool schema in src/index.ts using Zod
  2. Add the tool definition to the ListToolsRequestSchema handler
  3. Implement the tool handler in the CallToolRequestSchema switch statement
  4. Update this README to document the new tool

Testing

Using MCP Inspector

The MCP Inspector is a great tool for testing your MCP server:

npx -y @modelcontextprotocol/inspector npx -y @octodet/keycloak-mcp

Integration Testing

For testing with a local Keycloak instance:

# Start Keycloak with Docker
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:latest start-dev

# In another terminal, run the MCP server
npm run build
node build/index.js

Author

Octodet - Building intelligent tools for developers