Labsco
paoloamato2 logo

Keycloak MCP Server

โ˜… 2

from paoloamato2

A complete Model Context Protocol (MCP) server for Keycloak 26.x

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

Keycloak MCP Server

A comprehensive Model Context Protocol (MCP) server that exposes the Keycloak Admin REST API as typed MCP tools. 299 tools covering all API categories.


Features

  • Complete API coverage: All 299 Keycloak Admin REST API endpoints
  • Dual transport: stdio (Claude Code) and SSE (GitHub Copilot, other MCP clients)
  • Auto-authentication: Supports both password and client credentials flows with automatic token refresh
  • Zero configuration tools: Each tool is self-describing with full input schemas

API Categories

CategoryTools
Attack Detection3
Authentication Management38
Client Certificates6
Client Initial Access3
Client Registration Policy1
Client Role Mappings10
Client Scopes10
Clients33
Components6
Groups11
Identity Providers15
Keys2
Organizations13
Protocol Mappers14
Realms Admin37
Roles28
Roles by ID10
Scope Mappings29
Users30
Total299

Demo

(Add a GIF or screenshot here demonstrating 3 real prompts and their executed tools!)

Security & Production Recommendations

โš ๏ธ SECURITY WARNING: This MCP Server registers all Keycloak Admin REST API endpoints (299 tools), including sensitive write operations (like creating/deleting users, resetting passwords, and managing realms). Do not use your master realm super-admin credentials in a production environment.

When attaching this MCP server to your AI Assistants, please strictly follow the Principle of Least Privilege:

  1. Use Service Accounts (Client Credentials Flow): Avoid using the Password flow (KEYCLOAK_ADMIN_USERNAME / KEYCLOAK_ADMIN_PASSWORD). Instead, create a dedicated Keycloak Client with Service Accounts Enabled, and use the KEYCLOAK_CLIENT_ID and KEYCLOAK_CLIENT_SECRET.

  2. Limit Target Realms: Do not attach the server to the master realm unless specifically necessary. Point KEYCLOAK_ADMIN_REALM to the exact realm your AI assistant should manage.

  3. Grant Only Required Roles: Only assign the minimum necessary roles to your MCP Service Account.

    • If your LLM only needs to read data: Assign only view-users, view-clients, or view-realm.
    • If your LLM needs to manage users: Assign only manage-users.
    • Never assign admin or realm-admin roles to the AI unless you are fully aware of the risks.
  4. Always Verify SSL: Keep KEYCLOAK_VERIFY_SSL=true enabled in production to prevent Man-in-the-Middle (MITM) attacks. Setting it to false is only acceptable for local development.

Examples

Once connected, you can use natural language to interact with Keycloak:

  • "List all realms" โ†’ calls list_realms
  • "Create a user called john in the master realm" โ†’ calls create_user
  • "Show me all clients in the production realm" โ†’ calls list_clients
  • "What roles does user X have?" โ†’ calls get_user_role_mappings
  • "Add the admin role to the developers group" โ†’ calls add_group_realm_role_mappings

Project Structure

src/keycloak_mcp_server/
โ”œโ”€โ”€ __init__.py          # Package entry point
โ”œโ”€โ”€ __main__.py          # CLI entry point
โ”œโ”€โ”€ config.py            # Environment-based configuration
โ”œโ”€โ”€ client.py            # Async HTTP client with auto-auth
โ”œโ”€โ”€ server.py            # MCP server setup and tool registration
โ””โ”€โ”€ endpoints/           # Endpoint definitions by category
    โ”œโ”€โ”€ __init__.py      # Base classes (EndpointDef, Param)
    โ”œโ”€โ”€ attack_detection.py
    โ”œโ”€โ”€ authentication.py
    โ”œโ”€โ”€ certificates.py
    โ”œโ”€โ”€ client_initial_access.py
    โ”œโ”€โ”€ client_registration_policy.py
    โ”œโ”€โ”€ client_role_mappings.py
    โ”œโ”€โ”€ client_scopes.py
    โ”œโ”€โ”€ clients.py
    โ”œโ”€โ”€ component.py
    โ”œโ”€โ”€ groups.py
    โ”œโ”€โ”€ identity_providers.py
    โ”œโ”€โ”€ key.py
    โ”œโ”€โ”€ organizations.py
    โ”œโ”€โ”€ protocol_mappers.py
    โ”œโ”€โ”€ realms.py
    โ”œโ”€โ”€ roles.py
    โ”œโ”€โ”€ roles_by_id.py
    โ”œโ”€โ”€ scope_mappings.py
    โ””โ”€โ”€ users.py