An MCP (Model Context Protocol) server for the Keycloak Admin API, enabling AI models to manage Keycloak realms, users, clients, roles, and more.
- User Management: Create, read, update, delete users, manage credentials, and list sessions.
- Client Management: Create and manage OIDC/SAML clients, including client secrets and scopes.
- Role & Group Management: Create and assign realm and client roles, manage group hierarchies.
- Realm Management: Configure realm settings, security browser headers, and themes.
- Identity Providers: Configure social and OIDC/SAML identity providers.
- Authentication: Manage authentication flows, executions, and requirements.
- Authorization: Fine-grained authorization resources, policies, and permissions.
- OAuth 2.1 Support: Built-in support for secure OAuth 2.1 resource server implementation.
```mermaid
flowchart LR
    subgraph Client
        AI[AI Assistant]
    end
    subgraph MCP Server
        Auth[JWT Auth]
        MCP[MCP Protocol]
        Tools[150+ Tools]
        KC[Keycloak Client]
    end
    subgraph Keycloak
        API[Admin REST API]
        OIDC[OAuth/OIDC]
    end
    AI -->|MCP over HTTP| Auth
    Auth -->|Validate| OIDC
    Auth --> MCP --> Tools --> KC
    KC -->|HTTP| API
```
The server sits between AI assistants and Keycloak, translating MCP tool calls into Admin REST API requests. All requests are authenticated via JWT tokens validated against Keycloak's own OIDC endpoints, so the AI operates within the caller's security context.
For detailed architecture documentation, see Architecture.
- Rust: 1.75 or later.
- Docker: For containerized deployment (optional).
- Keycloak: 26.0 or later (older versions may work but are not officially tested).
Copy the .env.example to .env and update the values:

```bash
cp .env.example .env
```

Key required variables:

- KEYCLOAK_URL: Your Keycloak base URL (e.g., http://localhost:8080)
- KEYCLOAK_REALM: The realm to authenticate against (default: master)
```bash
cargo build --release
./target/release/keycloak-mcp-server
```

The server will start listening on the port specified by MCP_PORT (default: 3000).
You can run the server and Keycloak together using Docker Compose:

```bash
docker-compose up -d
```

This will start:

- Keycloak on port 8080
- Keycloak MCP Server on port 3000
| Variable | Description | Default |
|---|---|---|
| KEYCLOAK_URL | Base URL of Keycloak | http://localhost:8080 |
| KEYCLOAK_REALM | Realm for Admin API access | master |
| MCP_PORT | Port for the MCP server | 3000 |
| LOG_LEVEL | Logging verbosity (trace/debug/info/warn/error) | info |
| JWKS_CACHE_TTL | JWKS cache time-to-live in seconds | 3600 |
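The JWT validation described above depends on the realm's JWKS, and JWKS_CACHE_TTL bounds how long a cached key set is trusted. The following is an added example, not the project's own code, showing the cache policy a resource server needs: refresh when the TTL expires, refresh once when a token names an unknown `kid` so key rotation does not break validation, and an assumed MIN_REFRESH_SECS floor so forged `kid` values cannot drive refresh traffic at Keycloak. The names Jwk, JwksCache and MIN_REFRESH_SECS are assumptions, and the fetch closure stands in for the HTTP call to the realm's certs endpoint.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// One signing key as decoded from a JWKS document (simplified to kid + key material).
#[derive(Clone, Debug)]
pub struct Jwk { pub kid: String, pub key: Vec<u8> }

/// Assumed floor between forced refreshes: tokens carrying bogus `kid` values must
/// not be able to make the server hammer Keycloak's JWKS endpoint.
pub const MIN_REFRESH_SECS: u64 = 60;

/// Caches the realm's JWKS for `ttl` (JWKS_CACHE_TTL) and refreshes on expiry or
/// when a token names a `kid` that is not cached (key rotation).
pub struct JwksCache<F: FnMut() -> Vec<Jwk>> {
    fetch: F,           // fetches the JWKS document (an HTTP call in a real server)
    ttl: Duration,
    keys: HashMap<String, Jwk>,
    fetched_at: Option<Instant>,
    pub fetches: usize, // number of JWKS fetches performed (observability / tests)
}

impl<F: FnMut() -> Vec<Jwk>> JwksCache<F> {
    pub fn new(fetch: F, ttl_secs: u64) -> Self {
        let ttl = Duration::from_secs(ttl_secs);
        JwksCache { fetch, ttl, keys: HashMap::new(), fetched_at: None, fetches: 0 }
    }

    fn refresh(&mut self, now: Instant) {
        self.keys = (self.fetch)().into_iter().map(|k| (k.kid.clone(), k)).collect();
        self.fetched_at = Some(now);
        self.fetches += 1;
    }

    fn age(&self, now: Instant) -> Option<Duration> {
        self.fetched_at.map(|t| now.saturating_duration_since(t))
    }

    /// Returns the key for `kid`, or None if Keycloak does not currently publish it.
    pub fn get_key(&mut self, kid: &str, now: Instant) -> Option<Jwk> {
        if self.age(now).map_or(true, |a| a >= self.ttl) {
            self.refresh(now); // cache empty or TTL expired
        }
        if let Some(k) = self.keys.get(kid) {
            return Some(k.clone());
        }
        // Unknown kid: probably a rotated key, but rate-limit the forced refresh.
        if self.age(now).map_or(true, |a| a >= Duration::from_secs(MIN_REFRESH_SECS)) {
            self.refresh(now);
        }
        self.keys.get(kid).cloned()
    }
}
```

A token whose `kid` is still unknown after the refresh must be rejected rather than validated against any other cached key.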
For Keycloak documentation queries, AI assistants can use WebSearch and WebFetch tool calls to look up the official Keycloak docs at keycloak.org directly. No local vector database needed — just search and fetch on demand.
The server provides comprehensive coverage of the Keycloak Admin REST API:
- Realms: Full CRUD and configuration.
- Users: Search, CRUD, password management, role mapping.
- Clients: CRUD, secrets, scopes, mappers.
- Roles: Realm and client level roles.
- Groups: Hierarchy management, member management.
- Authentication: Flows and executions.
- Identity Providers: Configuration and management.
For detailed documentation, see the docs/ directory:
| Document | Description |
|---|---|
| Overview | Project introduction and quick start guide |
| Architecture | System architecture with diagrams |
| Request Flow | Request lifecycle and authentication flow |
| Components | Detailed component documentation |
| API Reference | Complete tool reference (150+ tools) |
| Configuration | Environment variables and settings |
| Extending | Guide for adding new tools |
| Troubleshooting | Common issues and solutions |
To run tests:

```bash
cargo test
```

To check for linting issues:

```bash
cargo clippy
```

To format code:

```bash
cargo fmt
```

This project is licensed under the MIT License - see the LICENSE file for details.