What can Keycloak MCP Server do?

jwt-authenticated mcp protocol bridging to keycloak admin api, user management operations via keycloak admin api proxy, native binary compilation and containerized deployment, stateless request processing with request-scoped dependency injection, realm configuration and management through mcp tools, client application registration and configuration, role-based access control (rbac) definition and assignment, group-based user organization and permission inheritance, identity provider (idp) federation and social login configuration, authentication flow and policy configuration, keycloak admin api operation marshaling and error handling, request-scoped jwt validation and authenticated keycloak client instantiation

Keycloak MCP Server

MCP ServerFree

** - designed to work with Keycloak for identity and access management, with about 40+ tools covering, Users, Realms, Clients, Roles, Groups, IDPs, Authentication. Native builds available.

Open Source

/ 100

12 capabilities

Capabilities12 decomposed

jwt-authenticated mcp protocol bridging to keycloak admin api

Medium confidence

Implements the Model Context Protocol (MCP) specification over Server-Sent Events (SSE) transport, accepting HTTP requests at /mcp/sse endpoint with JWT bearer tokens. The server validates each JWT against the Keycloak instance, extracts user identity and permissions, then proxies authenticated requests to Keycloak's Admin API using the user's own token rather than a shared service account. This zero-authorization proxy design delegates all permission enforcement to Keycloak itself, eliminating authorization bypass vulnerabilities.

Solves for

Enable AI assistants and IDE plugins to manage Keycloak without custom integration codeAuthenticate MCP clients using individual user JWT tokens instead of shared service accountsEnsure all Keycloak operations are attributed to the actual user performing them for audit trailsEliminate the need to manage and rotate elevated service account credentials

Best for

Teams integrating AI assistants (Claude Desktop, Cursor IDE) with Keycloak

Organizations requiring per-user audit trails for identity management operations

DevOps teams automating Keycloak administration through MCP-compatible tools

Requires

Keycloak instance 18.0+ with Admin API enabled

MCP-compatible client (Claude Desktop, Cursor, or custom MCP client)

Valid JWT token obtained from Keycloak's token endpoint

Limitations

SSE transport adds request-response latency compared to direct REST API calls

Requires valid JWT token from Keycloak for every request — no token caching across requests

MCP protocol overhead adds ~50-100ms per operation compared to raw HTTP

What makes it unique

Uses per-request JWT validation with request-scoped authenticated context instead of shared service accounts, combined with zero-authorization proxy pattern that delegates all permission checks to Keycloak itself. Quarkus-based implementation provides native binary compilation for minimal startup time and memory footprint.

vs alternatives

Eliminates service account credential management and provides true per-user audit trails compared to traditional proxy approaches that use shared credentials, while native Quarkus builds offer 10-50x faster startup than JVM-based alternatives.

user management operations via keycloak admin api proxy

Medium confidence

Exposes 40+ Keycloak Admin API operations through MCP tools, with dedicated service layer for user management including create, read, update, delete, and search operations. The UserService class implements domain-specific user operations that are marshaled through KeycloakTool and exposed as callable MCP tools. Each operation constructs authenticated Keycloak client instances via KeycloakClientFactory using the request's JWT token, ensuring operations execute with the user's actual Keycloak permissions.

Solves for

Create, update, and delete user accounts programmatically through AI assistantsSearch and filter users by attributes, email, username, or custom propertiesManage user credentials, password resets, and account statusBulk user operations through sequential MCP tool invocations

Best for

Identity administrators automating user lifecycle management

AI agents handling user onboarding/offboarding workflows

Teams building self-service user management interfaces

Requires

Keycloak user with manage-users realm role

Target realm must exist in Keycloak instance

Valid JWT token with appropriate user management permissions

Limitations

No built-in pagination — large user searches may timeout if result sets exceed 1000 users

Password operations limited to admin-initiated resets; users cannot self-serve password changes through this interface

Bulk operations require sequential tool calls — no atomic multi-user transactions

What makes it unique

Implements domain-specific UserService class that abstracts Keycloak Admin API complexity, with request-scoped client factory pattern ensuring each operation uses the authenticated user's JWT token. Exposes user operations as discrete MCP tools callable by AI assistants without requiring knowledge of Keycloak REST API structure.

vs alternatives

Provides higher-level user management abstractions compared to raw Keycloak Admin API calls, while maintaining per-user permission enforcement that prevents privilege escalation compared to service account-based approaches.

native binary compilation and containerized deployment

Medium confidence

Provides Quarkus-based native binary compilation enabling deployment as standalone executables without JVM, with Docker container images and Kubernetes/OpenShift manifests for orchestrated deployment. The build system generates native binaries with GraalVM, producing executables with sub-second startup time and minimal memory footprint (~50-100MB vs 300-500MB for JVM). Includes pre-built container images and deployment configurations for Docker, Kubernetes, and OpenShift environments.

Solves for

Deploy Keycloak MCP server as lightweight native binary without JVM overheadRun MCP server in containerized environments with minimal resource consumptionDeploy to Kubernetes/OpenShift with provided manifests and configurationsAchieve sub-second startup time for serverless or ephemeral deployments

Best for

Teams deploying to resource-constrained environments (edge, embedded)

Kubernetes/OpenShift operators requiring minimal container footprint

Serverless deployments requiring fast cold-start times

Requires

GraalVM 21+ for native binary compilation

Docker for container image builds

Kubernetes 1.20+ or OpenShift 4.8+ for orchestrated deployment

Limitations

Native binary compilation adds 5-10 minutes to build time compared to JVM builds

Native binaries are platform-specific — separate builds required for Linux, macOS, Windows

Some Java reflection patterns may not work in native binaries — requires GraalVM configuration

What makes it unique

Leverages Quarkus framework for native binary compilation with GraalVM, producing sub-second startup executables with minimal memory footprint. Includes pre-built container images and Kubernetes/OpenShift deployment manifests for production-ready deployment.

vs alternatives

Provides 10-50x faster startup time and 50-80% lower memory consumption compared to traditional JVM-based Java applications, while maintaining full Keycloak Admin API compatibility.

stateless request processing with request-scoped dependency injection

Medium confidence

Implements stateless architecture using Quarkus request-scoped dependency injection, where each HTTP request receives isolated service instances and authenticated Keycloak client. The architecture eliminates shared state across requests, preventing credential leakage and ensuring request isolation. Request-scoped beans are instantiated per request and garbage collected after response, providing automatic resource cleanup and preventing memory leaks from accumulated client connections.

Solves for

Ensure request isolation preventing credential leakage across concurrent requestsImplement automatic resource cleanup without manual connection managementEnable horizontal scaling without shared state synchronizationPrevent memory leaks from accumulated client connections

Best for

High-concurrency deployments with many simultaneous MCP requests

Horizontally scaled deployments without shared state

Security-conscious teams requiring strict request isolation

Requires

Quarkus 2.0+ framework

Understanding of request-scoped dependency injection patterns

Limitations

Request-scoped instantiation adds ~10-20ms overhead per request

No cross-request caching — repeated operations make redundant API calls

Garbage collection of request-scoped beans may cause GC pauses under high load

What makes it unique

Implements strict request-scoped architecture using Quarkus DI, ensuring each request receives isolated service instances and authenticated client with automatic garbage collection. Eliminates shared state and credential leakage vulnerabilities.

vs alternatives

Provides stronger request isolation compared to singleton-scoped services, while enabling horizontal scaling without shared state synchronization or connection pooling complexity.

realm configuration and management through mcp tools

Medium confidence

Exposes Keycloak realm-level operations through dedicated RealmService class, enabling creation, configuration, and management of realms as isolated security domains. The service layer abstracts realm operations including realm creation with default settings, theme configuration, security policy updates, and realm deletion. Each realm operation is authenticated using the request's JWT token and executed against the Keycloak Admin API with the user's actual permissions.

Solves for

Create and configure new Keycloak realms for multi-tenant applicationsUpdate realm-wide security policies, token lifetimes, and authentication settingsManage realm themes, branding, and internationalization settingsDelete or archive realms when tenants are offboarded

Best for

SaaS platforms implementing multi-tenant identity management

DevOps teams automating realm provisioning for new environments

Identity architects configuring realm-level security policies at scale

Requires

Keycloak user with manage-realm role or realm-admin role

Sufficient permissions to create realms (typically admin-only)

Valid JWT token with realm management permissions

Limitations

Realm deletion is permanent and cannot be undone — no soft-delete or recovery mechanism

Theme customization limited to Keycloak's built-in theme system; custom theme uploads require direct file access

Realm-level settings changes apply immediately to all users in that realm — no staged rollout support

What makes it unique

Implements RealmService abstraction layer that encapsulates realm lifecycle operations, with request-scoped JWT authentication ensuring realm operations respect the authenticated user's actual Keycloak permissions. Enables AI assistants to manage realm configuration without exposing raw Keycloak Admin API complexity.

vs alternatives

Provides realm management through MCP protocol compared to manual Keycloak Admin Console or raw REST API calls, while maintaining per-user audit trails and permission enforcement that prevents unauthorized realm modifications.

client application registration and configuration

Medium confidence

Exposes Keycloak client (OAuth2/OIDC application) management through dedicated ClientService, enabling creation, configuration, and lifecycle management of client applications. The service handles client creation with protocol-specific settings (OpenID Connect, SAML, etc.), credential generation, redirect URI configuration, and scope/role assignment. Each client operation uses the request's JWT token to authenticate against Keycloak Admin API, ensuring operations respect the user's actual permissions.

Solves for

Register new OAuth2/OIDC applications with KeycloakGenerate and rotate client credentials (client secrets, certificates)Configure redirect URIs, allowed origins, and protocol-specific settingsAssign roles and scopes to client applications for fine-grained access control

Best for

Platform teams onboarding new applications to centralized identity management

DevOps automating client provisioning for microservices

Identity teams managing OAuth2/OIDC application lifecycle at scale

Requires

Keycloak user with manage-clients realm role

Target realm must exist

Valid JWT token with client management permissions

Limitations

Client secret rotation requires manual credential update in client applications — no automatic secret distribution

Protocol-specific settings (SAML metadata, OIDC discovery) require separate configuration steps

No built-in client secret versioning — old secrets are immediately invalidated on rotation

What makes it unique

Implements ClientService abstraction that handles protocol-specific client configuration (OpenID Connect, SAML) through unified MCP interface, with request-scoped JWT authentication ensuring client operations respect user permissions. Supports both public and confidential client types with automatic credential generation.

vs alternatives

Provides application registration through MCP protocol compared to manual Keycloak Admin Console, while supporting multiple OAuth2/OIDC protocols and maintaining per-user audit trails for compliance requirements.

role-based access control (rbac) definition and assignment

Medium confidence

Exposes Keycloak role management through dedicated RoleService, enabling creation of realm-level and client-level roles, role hierarchy definition, and role assignment to users and groups. The service abstracts role operations including role creation with descriptions, composite role definition (roles containing other roles), and role-to-user/group mappings. Each role operation uses the request's JWT token to authenticate against Keycloak Admin API with the user's actual permissions.

Solves for

Define realm-wide roles for application-agnostic access controlCreate client-specific roles for application-level authorizationBuild role hierarchies using composite roles for permission inheritanceAssign roles to users and groups for fine-grained access control

Best for

Identity architects designing role hierarchies for enterprise applications

DevOps teams automating RBAC setup for microservices

Platform teams managing role lifecycle across multiple applications

Requires

Keycloak user with manage-realm role

Target realm must exist

Valid JWT token with role management permissions

Limitations

No role versioning — role definition changes apply immediately to all users with that role

Composite role cycles are not prevented — circular role hierarchies can cause authorization loops

Role removal does not cascade — users retain role assignments if role is deleted then recreated

What makes it unique

Implements RoleService abstraction supporting both realm-level and client-level roles with composite role hierarchies, exposed through MCP interface. Request-scoped JWT authentication ensures role operations respect user permissions while enabling AI assistants to design and manage complex RBAC structures.

vs alternatives

Provides role management through MCP protocol compared to manual Keycloak Admin Console, while supporting composite role hierarchies and maintaining per-user audit trails for compliance.

group-based user organization and permission inheritance

Medium confidence

Exposes Keycloak group management through dedicated GroupService, enabling creation of hierarchical user groups, group membership management, and group-level role assignment. The service handles group creation with parent-child relationships, user membership operations, and role inheritance through group membership. Each group operation uses the request's JWT token to authenticate against Keycloak Admin API with the user's actual permissions.

Solves for

Organize users into hierarchical groups representing organizational structureAssign roles at group level for inherited permissions across group membersManage group membership for bulk user permission updatesCreate department or team-based access control structures

Best for

Enterprise organizations with hierarchical team structures

Teams implementing department-based access control

Identity teams managing group lifecycle for large user populations

Requires

Keycloak user with manage-users realm role

Target realm must exist

Valid JWT token with group management permissions

Limitations

Group hierarchies are limited to parent-child relationships — no arbitrary graph structures

Moving users between groups does not automatically update role assignments — manual re-assignment required

Group deletion cascades to remove all child groups — no soft-delete option

What makes it unique

Implements GroupService supporting hierarchical group structures with parent-child relationships and group-level role assignment, exposed through MCP interface. Request-scoped JWT authentication ensures group operations respect user permissions while enabling organizational structure management.

vs alternatives

Provides group management through MCP protocol compared to manual Keycloak Admin Console, while supporting hierarchical organization structures and group-level role inheritance for simplified permission management.

identity provider (idp) federation and social login configuration

Medium confidence

Exposes Keycloak identity provider management through dedicated IDPService, enabling configuration of external identity providers (SAML, OpenID Connect, social providers) for user federation and social login. The service handles IDP creation with protocol-specific settings, mapper configuration for attribute transformation, and IDP-to-realm linking. Each IDP operation uses the request's JWT token to authenticate against Keycloak Admin API with the user's actual permissions.

Solves for

Configure external identity providers (Google, GitHub, Microsoft, SAML, OIDC) for social loginSet up user federation from external identity systemsMap external user attributes to Keycloak user propertiesEnable multi-provider authentication for user choice at login

Best for

Teams implementing social login for consumer applications

Enterprise organizations federating users from corporate identity systems

Identity teams managing multi-provider authentication at scale

Requires

Keycloak user with manage-identity-providers realm role

Target realm must exist

Valid JWT token with IDP management permissions

Limitations

IDP configuration changes require realm restart to take effect — no hot-reload

Attribute mappers are protocol-specific — SAML mappers cannot be reused for OIDC providers

User linking between IDPs requires manual configuration — no automatic account linking

What makes it unique

Implements IDPService supporting multiple identity provider protocols (SAML, OpenID Connect, social providers) with protocol-specific attribute mappers, exposed through MCP interface. Request-scoped JWT authentication ensures IDP operations respect user permissions while enabling federated identity configuration.

vs alternatives

Provides IDP management through MCP protocol compared to manual Keycloak Admin Console, while supporting multiple federation protocols and attribute transformation for complex identity scenarios.

authentication flow and policy configuration

Medium confidence

Exposes Keycloak authentication flow management through dedicated AuthenticationService, enabling creation and configuration of custom authentication flows, execution policies, and authentication requirements. The service handles flow creation with execution steps (password, OTP, WebAuthn, etc.), conditional execution policies, and flow binding to realms or clients. Each authentication operation uses the request's JWT token to authenticate against Keycloak Admin API with the user's actual permissions.

Solves for

Define custom authentication flows combining multiple authentication methodsConfigure conditional authentication (step-up authentication, risk-based policies)Set up multi-factor authentication (MFA) requirements and policiesCreate authentication policies for specific applications or user groups

Best for

Security teams implementing advanced authentication policies

Identity architects designing multi-factor authentication strategies

Teams implementing risk-based or conditional authentication

Requires

Keycloak user with manage-realm role

Target realm must exist

Valid JWT token with authentication management permissions

Limitations

Authentication flow changes apply immediately — no staged rollout or gradual migration

Flow execution order is rigid — no dynamic flow branching based on user attributes

Conditional policies are limited to built-in conditions — custom conditions require provider extensions

What makes it unique

Implements AuthenticationService supporting complex authentication flows with conditional execution policies and multiple authentication methods, exposed through MCP interface. Request-scoped JWT authentication ensures authentication operations respect user permissions while enabling advanced security policy configuration.

vs alternatives

Provides authentication flow management through MCP protocol compared to manual Keycloak Admin Console, while supporting conditional execution and multi-factor authentication policies for advanced security scenarios.

keycloak admin api operation marshaling and error handling

Medium confidence

Implements KeycloakTool class that marshals 40+ Keycloak Admin API operations into discrete MCP tool definitions with standardized input/output schemas, error handling, and response transformation. The tool layer accepts MCP tool invocation requests, validates parameters against operation schemas, invokes corresponding service methods, and transforms responses into MCP-compatible format. Implements comprehensive error handling that catches Keycloak API errors and transforms them into human-readable MCP error responses.

Solves for

Expose Keycloak Admin API operations as callable MCP tools for AI assistantsStandardize input/output schemas across 40+ different Keycloak operationsTransform Keycloak API errors into user-friendly error messagesProvide operation documentation and parameter validation for MCP clients

Best for

MCP client developers integrating Keycloak operations into AI assistants

Teams building Keycloak automation without direct REST API knowledge

Identity teams using AI assistants for Keycloak administration

Requires

MCP-compatible client implementation

Valid JWT token from Keycloak

Network connectivity to Keycloak Admin API

Limitations

Tool invocation latency includes Keycloak API call time — typically 100-500ms per operation

Error messages are limited to Keycloak API error codes — no custom error context

Tool schemas are static — cannot dynamically adapt to Keycloak version differences

What makes it unique

Implements KeycloakTool marshaling layer that abstracts 40+ Keycloak Admin API operations into standardized MCP tool definitions with schema validation and error transformation. Provides single point of integration between MCP protocol and Keycloak Admin API with comprehensive error handling.

vs alternatives

Provides standardized tool marshaling compared to direct Keycloak Admin API calls, while abstracting protocol differences and providing consistent error handling across 40+ operations.

request-scoped jwt validation and authenticated keycloak client instantiation

Medium confidence

Implements KeycloakClientFactory that creates request-scoped authenticated Keycloak client instances using JWT tokens from HTTP Authorization headers. The factory validates JWT tokens against the Keycloak instance, extracts user identity and realm information, and instantiates Keycloak Admin API clients with the user's credentials. Each request receives its own client instance ensuring isolation and preventing credential leakage across requests. The authentication system delegates all permission enforcement to Keycloak itself — the proxy contains zero authorization logic.

Solves for

Validate JWT tokens from MCP requests against KeycloakCreate authenticated Keycloak clients using user's own JWT tokenEnsure each request operates with the authenticated user's permissionsPrevent credential sharing and service account management complexity

Best for

Teams requiring per-user audit trails for identity operations

Organizations eliminating shared service account credentials

Security-conscious teams implementing zero-trust proxy patterns

Requires

Valid JWT token in Authorization: Bearer header

Keycloak instance reachable for token validation

JWT token must be issued by the target Keycloak instance

Limitations

JWT validation adds ~50-100ms latency per request

Token expiration requires client to obtain new token — no automatic token refresh

Keycloak instance must be reachable for JWT validation — no offline token validation

What makes it unique

Implements request-scoped client factory pattern with per-request JWT validation and zero authorization logic, delegating all permission enforcement to Keycloak itself. Eliminates service account credential management while maintaining complete per-user audit trails.

vs alternatives

Provides per-user authentication compared to shared service account approaches, while eliminating authorization bypass vulnerabilities through zero-authorization proxy design that delegates all permission checks to Keycloak.

Capabilities are decomposed by AI analysis. Each maps to specific user intents and improves with match feedback.

Related Artifactssharing capabilities

Artifacts that share capabilities with Keycloak MCP Server, ranked by overlap. Discovered automatically through the match graph.

MCP Server38

mcp-auth

Plug and play auth for Model Context Protocol (MCP) servers

plug-and-play authentication middleware for mcp serversjwt token validation and claims extraction for mcp

2 shared capabilities

MCP Server42

mcp-remote

Remote proxy for Model Context Protocol, allowing local-only clients to connect to remote servers using oAuth

oauth-authenticated remote mcp server proxyingtransparent client authentication abstraction

2 shared capabilities

MCP Server26

mcp-auth

Plug and play auth for Model Context Protocol (MCP) servers

oauth 2.0 / openid connect server integration for mcpmcp protocol-aware token validation and session management

2 shared capabilities

MCP Server23

MCPVerse

** - A portal for creating & hosting authenticated MCP servers and connecting to them securely.

authenticated mcp server hosting and deployment

1 shared capability

MCP Server40

mcp-use

The fullstack MCP framework to develop MCP Apps for ChatGPT / Claude & MCP Servers for AI Agents.

authentication and credential management for mcp servers

1 shared capability

MCP Server26

1mcpserver

** - MCP of MCPs. Automatic discovery and configure MCP servers on your local machine. Fully REMOTE! Just use [https://mcp.1mcpserver.com/mcp/](https://mcp.1mcpserver.com/mcp/)

mcp-server-authentication-and-authorization-bridging

1 shared capability

Best For

✓Teams integrating AI assistants (Claude Desktop, Cursor IDE) with Keycloak
✓Organizations requiring per-user audit trails for identity management operations
✓DevOps teams automating Keycloak administration through MCP-compatible tools
✓Identity administrators automating user lifecycle management
✓AI agents handling user onboarding/offboarding workflows
✓Teams building self-service user management interfaces
✓Teams deploying to resource-constrained environments (edge, embedded)
✓Kubernetes/OpenShift operators requiring minimal container footprint

Known Limitations

⚠SSE transport adds request-response latency compared to direct REST API calls
⚠Requires valid JWT token from Keycloak for every request — no token caching across requests
⚠MCP protocol overhead adds ~50-100ms per operation compared to raw HTTP
⚠No built-in request batching — each operation requires separate HTTP request
⚠No built-in pagination — large user searches may timeout if result sets exceed 1000 users
⚠Password operations limited to admin-initiated resets; users cannot self-serve password changes through this interface

Requirements

Keycloak instance 18.0+ with Admin API enabledMCP-compatible client (Claude Desktop, Cursor, or custom MCP client)Valid JWT token obtained from Keycloak's token endpointNetwork connectivity between MCP server and Keycloak instanceKeycloak user with manage-users realm roleTarget realm must exist in Keycloak instanceValid JWT token with appropriate user management permissionsGraalVM 21+ for native binary compilation

Input / Output

Accepts: HTTP request with Authorization: Bearer <JWT>, MCP tool invocation with JSON parameters, User object with fields: username, email, firstName, lastName, enabled, attributes, Search filters: username, email, firstName, lastName, exact match flags, Credential objects: type (password, otp), temporary flag, Source code repository, Build configuration (pom.xml for Maven), Deployment manifests (Dockerfile, Kubernetes YAML), HTTP request with request context, Realm configuration object: name, displayName, enabled, accessTokenLifespan, refreshTokenLifespan, Theme settings: loginTheme, accountTheme, adminTheme, emailTheme, Security policies: passwordPolicy, bruteForceProtected, maxFailureWaitSeconds, Client configuration: clientId, name, protocol (openid-connect, saml), enabled, publicClient, Credential settings: clientAuthenticatorType (client-secret, client-jwt), Redirect URIs: array of valid redirect URLs for OAuth2 flows, Role mappings: array of realm roles to assign to client, Role definition: name, description, composite flag, Composite role members: array of role names to include in composite, Role assignments: userId or groupId, array of role names to assign, Group definition: name, path (for hierarchy), attributes (custom key-value pairs), Parent group reference: parentId for hierarchical group creation, User membership: userId to add/remove from group, Role assignments: array of role names to assign at group level, IDP configuration: alias, providerId (google, github, oidc, saml), enabled, Provider-specific settings: clientId, clientSecret, authorizationUrl, tokenUrl, userInfoUrl, Attribute mappers: name, mapperType, configuration for attribute transformation, IDP linking: firstBrokerLoginFlowAlias for account linking strategy, Flow definition: alias, description, providerId (basic-flow, client-flow), Execution configuration: providerId (auth-password, auth-otp, etc.), requirement (REQUIRED, OPTIONAL, CONDITIONAL), Conditional policies: condition type, configuration for policy evaluation, MCP tool invocation with operation name and parameters, JSON-structured parameters matching operation schema, HTTP Authorization header with Bearer token, JWT token payload containing user identity and realm

Produces: Server-Sent Events (SSE) stream, JSON-structured tool results, Error responses with Keycloak-native error codes, User object with id, username, email, createdTimestamp, enabled status, Array of user objects from search operations, Success/failure status for create/update/delete operations, Native executable binary, Docker container image, Kubernetes deployment manifests, OpenShift deployment configurations, Request-scoped service instances, Authenticated Keycloak client for request duration, Realm object with id, name, displayName, enabled status, and configuration, Array of realm objects from list operations, Client object with id, clientId, name, protocol, enabled status, Client secret (returned only on creation/rotation), Array of client objects from list operations, Success/failure status for configuration updates, Role object with id, name, description, composite status, Array of role objects from list operations, Array of roles assigned to user/group, Success/failure status for assignment operations, Group object with id, name, path, parent reference, attributes, Array of group objects from list/hierarchy operations, Array of users in group, Array of roles assigned to group, Success/failure status for membership/role operations, IDP object with alias, providerId, enabled status, configuration, Array of IDP objects from list operations, Array of attribute mappers for IDP, Authentication flow object with alias, description, executions, Array of authentication flows from list operations, Array of executions in flow with requirement levels, Success/failure status for flow configuration updates, MCP tool result with operation response data, MCP error response with error code and message, Structured JSON data matching operation output schema, Authenticated Keycloak client instance, User identity extracted from JWT, Realm context for operations

UnfragileRank

Adoption15%(25% weight)

Quality31%(25% weight)

Ecosystem30%(15% weight)

Match Graph25%(30% weight)

Freshness75%(5% weight)

UnfragileRank is computed from adoption signals, documentation quality, ecosystem connectivity, match graph feedback, and freshness. No artifact can pay for a higher rank.

Type: MCP Server

12 capabilities

Visit Keycloak MCP Server→

About

** - designed to work with Keycloak for identity and access management, with about 40+ tools covering, Users, Realms, Clients, Roles, Groups, IDPs, Authentication. Native builds available.

Alternatives to Keycloak MCP Server

IntelliCode46Extension

AI-assisted development

Compare →

GitHub Copilot Chat49Extension

AI chat features powered by Copilot

Compare →

GitHub Copilot48Extension

Your AI pair programmer

Compare →

Claude Code for VS Code48Extension

Claude Code for VS Code: Harness the power of Claude Code without leaving your IDE

Compare →

Are you the builder of Keycloak MCP Server?

Claim this artifact to get a verified badge, access match analytics, see which intents users search for, and manage your listing.

Claim this artifact →Verification via email

Get the weekly brief

New tools, rising stars, and what's actually worth your time. No spam.

Data Sources

github awesome

Looking for something else?

Search →

Capabilities12 decomposed

jwt-authenticated mcp protocol bridging to keycloak admin api

Medium confidence

Solves for

Best for

Teams integrating AI assistants (Claude Desktop, Cursor IDE) with Keycloak

Organizations requiring per-user audit trails for identity management operations

DevOps teams automating Keycloak administration through MCP-compatible tools

Requires

Keycloak instance 18.0+ with Admin API enabled

MCP-compatible client (Claude Desktop, Cursor, or custom MCP client)

Valid JWT token obtained from Keycloak's token endpoint

Limitations

SSE transport adds request-response latency compared to direct REST API calls

Requires valid JWT token from Keycloak for every request — no token caching across requests

MCP protocol overhead adds ~50-100ms per operation compared to raw HTTP

What makes it unique

vs alternatives

user management operations via keycloak admin api proxy

Medium confidence

Solves for

Best for

Identity administrators automating user lifecycle management

AI agents handling user onboarding/offboarding workflows

Teams building self-service user management interfaces

Requires

Keycloak user with manage-users realm role

Target realm must exist in Keycloak instance

Valid JWT token with appropriate user management permissions

Limitations

No built-in pagination — large user searches may timeout if result sets exceed 1000 users

Password operations limited to admin-initiated resets; users cannot self-serve password changes through this interface

Bulk operations require sequential tool calls — no atomic multi-user transactions

What makes it unique

vs alternatives

native binary compilation and containerized deployment

Medium confidence

Solves for

Best for

Teams deploying to resource-constrained environments (edge, embedded)

Kubernetes/OpenShift operators requiring minimal container footprint

Serverless deployments requiring fast cold-start times

Requires

GraalVM 21+ for native binary compilation

Docker for container image builds

Kubernetes 1.20+ or OpenShift 4.8+ for orchestrated deployment

Limitations

Native binary compilation adds 5-10 minutes to build time compared to JVM builds

Native binaries are platform-specific — separate builds required for Linux, macOS, Windows

Some Java reflection patterns may not work in native binaries — requires GraalVM configuration

What makes it unique

vs alternatives

Provides 10-50x faster startup time and 50-80% lower memory consumption compared to traditional JVM-based Java applications, while maintaining full Keycloak Admin API compatibility.

stateless request processing with request-scoped dependency injection

Medium confidence

Solves for

Best for

High-concurrency deployments with many simultaneous MCP requests

Horizontally scaled deployments without shared state

Security-conscious teams requiring strict request isolation

Requires

Quarkus 2.0+ framework

Understanding of request-scoped dependency injection patterns

Limitations

Request-scoped instantiation adds ~10-20ms overhead per request

No cross-request caching — repeated operations make redundant API calls

Garbage collection of request-scoped beans may cause GC pauses under high load

What makes it unique

vs alternatives

Provides stronger request isolation compared to singleton-scoped services, while enabling horizontal scaling without shared state synchronization or connection pooling complexity.

realm configuration and management through mcp tools

Medium confidence

Solves for

Best for

SaaS platforms implementing multi-tenant identity management

DevOps teams automating realm provisioning for new environments

Identity architects configuring realm-level security policies at scale

Requires

Keycloak user with manage-realm role or realm-admin role

Sufficient permissions to create realms (typically admin-only)

Valid JWT token with realm management permissions

Limitations

Realm deletion is permanent and cannot be undone — no soft-delete or recovery mechanism

Theme customization limited to Keycloak's built-in theme system; custom theme uploads require direct file access

Realm-level settings changes apply immediately to all users in that realm — no staged rollout support

What makes it unique

vs alternatives

client application registration and configuration

Medium confidence

Solves for

Best for

Platform teams onboarding new applications to centralized identity management

DevOps automating client provisioning for microservices

Identity teams managing OAuth2/OIDC application lifecycle at scale

Requires

Keycloak user with manage-clients realm role

Target realm must exist

Valid JWT token with client management permissions

Limitations

Client secret rotation requires manual credential update in client applications — no automatic secret distribution

Protocol-specific settings (SAML metadata, OIDC discovery) require separate configuration steps

No built-in client secret versioning — old secrets are immediately invalidated on rotation

What makes it unique

vs alternatives

role-based access control (rbac) definition and assignment

Medium confidence

Solves for

Best for

Identity architects designing role hierarchies for enterprise applications

DevOps teams automating RBAC setup for microservices

Platform teams managing role lifecycle across multiple applications

Requires

Keycloak user with manage-realm role

Target realm must exist

Valid JWT token with role management permissions

Limitations

No role versioning — role definition changes apply immediately to all users with that role

Composite role cycles are not prevented — circular role hierarchies can cause authorization loops

Role removal does not cascade — users retain role assignments if role is deleted then recreated

What makes it unique

vs alternatives

Provides role management through MCP protocol compared to manual Keycloak Admin Console, while supporting composite role hierarchies and maintaining per-user audit trails for compliance.

group-based user organization and permission inheritance

Medium confidence

Solves for

Best for

Enterprise organizations with hierarchical team structures

Teams implementing department-based access control

Identity teams managing group lifecycle for large user populations

Requires

Keycloak user with manage-users realm role

Target realm must exist

Valid JWT token with group management permissions

Limitations

Group hierarchies are limited to parent-child relationships — no arbitrary graph structures

Moving users between groups does not automatically update role assignments — manual re-assignment required

Group deletion cascades to remove all child groups — no soft-delete option

What makes it unique

vs alternatives

identity provider (idp) federation and social login configuration

Medium confidence

Solves for

Best for

Teams implementing social login for consumer applications

Enterprise organizations federating users from corporate identity systems

Identity teams managing multi-provider authentication at scale

Requires

Keycloak user with manage-identity-providers realm role

Target realm must exist

Valid JWT token with IDP management permissions

Limitations

IDP configuration changes require realm restart to take effect — no hot-reload

Attribute mappers are protocol-specific — SAML mappers cannot be reused for OIDC providers

User linking between IDPs requires manual configuration — no automatic account linking

What makes it unique

vs alternatives

Provides IDP management through MCP protocol compared to manual Keycloak Admin Console, while supporting multiple federation protocols and attribute transformation for complex identity scenarios.

authentication flow and policy configuration

Medium confidence

Solves for

Best for

Security teams implementing advanced authentication policies

Identity architects designing multi-factor authentication strategies

Teams implementing risk-based or conditional authentication

Requires

Keycloak user with manage-realm role

Target realm must exist

Valid JWT token with authentication management permissions

Limitations

Authentication flow changes apply immediately — no staged rollout or gradual migration

Flow execution order is rigid — no dynamic flow branching based on user attributes

Conditional policies are limited to built-in conditions — custom conditions require provider extensions

What makes it unique

vs alternatives

keycloak admin api operation marshaling and error handling

Medium confidence

Solves for

Best for

MCP client developers integrating Keycloak operations into AI assistants

Teams building Keycloak automation without direct REST API knowledge

Identity teams using AI assistants for Keycloak administration

Requires

MCP-compatible client implementation

Valid JWT token from Keycloak

Network connectivity to Keycloak Admin API

Limitations

Tool invocation latency includes Keycloak API call time — typically 100-500ms per operation

Error messages are limited to Keycloak API error codes — no custom error context

Tool schemas are static — cannot dynamically adapt to Keycloak version differences

What makes it unique

vs alternatives

Provides standardized tool marshaling compared to direct Keycloak Admin API calls, while abstracting protocol differences and providing consistent error handling across 40+ operations.

request-scoped jwt validation and authenticated keycloak client instantiation

Medium confidence

Solves for

Best for

Teams requiring per-user audit trails for identity operations

Organizations eliminating shared service account credentials

Security-conscious teams implementing zero-trust proxy patterns

Requires

Valid JWT token in Authorization: Bearer header

Keycloak instance reachable for token validation

JWT token must be issued by the target Keycloak instance

Limitations

JWT validation adds ~50-100ms latency per request

Token expiration requires client to obtain new token — no automatic token refresh

Keycloak instance must be reachable for JWT validation — no offline token validation

What makes it unique

vs alternatives

Capabilities are decomposed by AI analysis. Each maps to specific user intents and improves with match feedback.

Alternatives to Keycloak MCP Server

IntelliCode46Extension

AI-assisted development

Compare →

GitHub Copilot Chat49Extension

AI chat features powered by Copilot

Compare →

GitHub Copilot48Extension

Your AI pair programmer

Compare →

Claude Code for VS Code48Extension

Claude Code for VS Code: Harness the power of Claude Code without leaving your IDE

Compare →

Keycloak MCP Server

Capabilities12 decomposed

jwt-authenticated mcp protocol bridging to keycloak admin api

user management operations via keycloak admin api proxy

native binary compilation and containerized deployment

stateless request processing with request-scoped dependency injection

realm configuration and management through mcp tools

client application registration and configuration

role-based access control (rbac) definition and assignment

group-based user organization and permission inheritance

identity provider (idp) federation and social login configuration

authentication flow and policy configuration

keycloak admin api operation marshaling and error handling

request-scoped jwt validation and authenticated keycloak client instantiation

Related Artifactssharing capabilities

mcp-auth

mcp-remote

mcp-auth

MCPVerse

mcp-use

1mcpserver

Best For

Known Limitations

Requirements

Input / Output

UnfragileRank

About

Categories

Alternatives to Keycloak MCP Server

Are you the builder of Keycloak MCP Server?

Get the weekly brief

Data Sources

Keycloak MCP Server

Capabilities12 decomposed

jwt-authenticated mcp protocol bridging to keycloak admin api

user management operations via keycloak admin api proxy

native binary compilation and containerized deployment

stateless request processing with request-scoped dependency injection

realm configuration and management through mcp tools

client application registration and configuration

role-based access control (rbac) definition and assignment

group-based user organization and permission inheritance

identity provider (idp) federation and social login configuration

authentication flow and policy configuration

keycloak admin api operation marshaling and error handling

request-scoped jwt validation and authenticated keycloak client instantiation

Related Artifactssharing capabilities

mcp-auth

mcp-remote

mcp-auth

MCPVerse

mcp-use

1mcpserver

Best For

Known Limitations

Requirements

Input / Output

UnfragileRank

About

Categories

Alternatives to Keycloak MCP Server

Are you the builder of Keycloak MCP Server?

Get the weekly brief

Data Sources