A comprehensive Model Context Protocol (MCP) server for Keycloak IAM with advanced user management capabilities and built-in safety features.
For installation and setup instructions, see SETUP.md
AKC-MCP provides a complete MCP interface to Keycloak, enabling AI assistants like Claude to manage Identity and Access Management operations safely and efficiently. Built with TypeScript and the official Keycloak Admin Client, it offers 45 tools across user management, group management, realm operations, authentication flows, and client scopes.
- 🔍 Advanced User Search: Multi-field search with exact/fuzzy matching, duplicate detection, IDP link checking
- 👥 Comprehensive Group Management: Full CRUD with attribute management, hierarchy navigation, boolean flags
- 🌐 Realm Operations: Export, statistics, SAML certificate monitoring, custom SPI detection
- 🔐 Authentication Management: Flow inspection, required actions, configuration analysis
- 🎯 Client Scope Management: Full CRUD operations for OIDC and SAML scopes
- 🛡️ Safety Features: Development/Production modes, read-only mode, operation warnings
- 📝 Type Safety: Full TypeScript with Zod runtime validation
- 🔌 Dual Transport: Stdio (MCP) and HTTP/SSE support
- Keycloak administrators and DevOps teams
- Identity and Access Management automation
- Bulk user operations and auditing
- Realm configuration management
- Security compliance monitoring
- Development and testing workflows
Advanced user lookup and management with safety checks.
| Tool | Description |
|---|---|
| search-user | Multi-field search (username, email, firstName, lastName) with exact/fuzzy matching |
| get-user-details | Complete user profile with attributes, groups, and IDP links |
| check-multiple-accounts | Find multiple user accounts sharing the same email |
| check-user-idp-broker-link | Check if user is linked to Identity Provider (broker link) |
| get-user-idp-links | List all identity provider connections for a user |
| list-user-attributes | Get all custom attributes for a user |
| list-user-sessions | View active user sessions |
| create-user | Create new user with optional temporary password |
| update-user | Modify user information |
| delete-user | Remove user (destructive operation with warnings) |
| reset-password | Reset user password (temporary or permanent) |
| toggle-user-status | Enable or disable user account |
| list-users | List all users in realm with pagination |
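The two checks that matter most for account hygiene in the table above are duplicate detection (`check-multiple-accounts`) and broker-link verification (`check-user-idp-broker-link`). The following TypeScript is an added example, not code from this project, showing the logic behind both over Keycloak-style user records: emails are compared case-insensitively and trimmed (exports and imports do not always agree on casing), users without an email are skipped rather than grouped together, and the IdP check reads the `federatedIdentities` array that Keycloak's `UserRepresentation` carries. The type names, function names and the sample users are constructed for this example.

```typescript
// Added example (not the project's code): duplicate-account and IdP-link checks
// over UserRepresentation-like records. Field names follow Keycloak's
// UserRepresentation (email, username, federatedIdentities); sample data is constructed.

interface FederatedIdentity {
  identityProvider: string; // IdP alias as configured in the realm, e.g. "google"
  userId?: string;
  userName?: string;
}

interface UserRecord {
  id: string;
  username: string;
  email?: string;
  enabled?: boolean;
  federatedIdentities?: FederatedIdentity[];
}

// Compare emails case-insensitively and without surrounding whitespace so that
// "Alice@Example.com" and " alice@example.com " collide as they should.
function normaliseEmail(email: string): string {
  return email.trim().toLowerCase();
}

// check-multiple-accounts logic: bucket users by normalised email and keep only
// the buckets with more than one member. Users with no email cannot collide and are skipped.
function findDuplicateAccounts(users: UserRecord[]): Record<string, UserRecord[]> {
  const byEmail: Record<string, UserRecord[]> = {};
  for (const u of users) {
    if (!u.email || u.email.trim() === "") continue;
    const key = normaliseEmail(u.email);
    (byEmail[key] = byEmail[key] ?? []).push(u);
  }
  const duplicates: Record<string, UserRecord[]> = {};
  for (const key of Object.keys(byEmail)) {
    if (byEmail[key].length > 1) duplicates[key] = byEmail[key];
  }
  return duplicates;
}

// check-user-idp-broker-link logic: does the user carry a federated identity for this IdP alias?
function hasIdpLink(user: UserRecord, identityProvider: string): boolean {
  return (user.federatedIdentities ?? []).some(
    (fi) => fi.identityProvider === identityProvider,
  );
}

// Human-readable audit lines, one per duplicated email.
function reportDuplicates(users: UserRecord[]): string[] {
  const dupes = findDuplicateAccounts(users);
  return Object.keys(dupes).map((email) => {
    const names = dupes[email].map((u) => `${u.username} (${u.id})`).join(", ");
    return `${email}: ${dupes[email].length} accounts -> ${names}`;
  });
}

// Constructed sample data: one duplicate pair differing only in case, one differing in
// whitespace, one service account without an email.
const sampleUsers: UserRecord[] = [
  { id: "u1", username: "alice", email: "Alice@Example.com",
    federatedIdentities: [{ identityProvider: "google", userId: "g-1" }] },
  { id: "u2", username: "alice.legacy", email: "alice@example.com" },
  { id: "u3", username: "bob", email: "bob@example.com" },
  { id: "u4", username: "svc-account", email: "" },
  { id: "u5", username: "bob2", email: " bob@example.com " },
];

for (const line of reportDuplicates(sampleUsers)) console.log(line);
console.log("alice linked to google:", hasIdpLink(sampleUsers[0], "google"));
```

Running it prints two duplicate groups (alice and bob) and `true` for the broker-link check. The trimming step is deliberate: an email with stray whitespace is exactly the kind of record a naive equality check misses and a later cleanup step then leaves behind.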
Complete group lifecycle management with attribute support.
| Tool | Description |
|---|---|
| list-groups | List all groups with optional search filtering |
| get-group | Get detailed group information |
| create-group | Create new group or subgroup |
| update-group | Modify group name or attributes |
| delete-group | Remove group (destructive operation) |
| add-user-to-group | Add user to group membership |
| remove-user-from-group | Remove user from group |
| list-user-groups | List all groups a user belongs to |
| list-group-members | List all users in a specific group |
| search-groups-by-attributes | Search groups by attribute key-value pairs |
| get-group-attributes | Get all attributes for a group |
| set-group-attribute | Set or update group attribute |
| delete-group-attribute | Remove group attribute |
| toggle-group-boolean-attribute | Toggle boolean attribute (true/false flags) |
| get-parent-groups | Navigate up the group hierarchy |
| get-subgroups | Get child groups with optional recursive traversal |
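A detail worth knowing before using `toggle-group-boolean-attribute` or `search-groups-by-attributes`: Keycloak stores group attributes as a map from key to a list of strings, so a "boolean" flag is really `["true"]` or `["false"]`, and a search has to look inside those lists and, for the hierarchy, into `subGroups`. The TypeScript below is an added example, not code from this project, implementing both operations over that shape; the type names, function names and sample groups are constructed.

```typescript
// Added example (not the project's code): group attribute helpers over Keycloak's
// GroupRepresentation shape, where attributes is Record<string, string[]>.
// Sample groups are constructed.

interface GroupRecord {
  id: string;
  name: string;
  path: string;
  attributes?: Record<string, string[]>;
  subGroups?: GroupRecord[];
}

// Read a flag stored as ["true"] / ["false"]. Returns undefined when the key is
// missing or the first value is not a recognisable boolean, so callers can tell
// "unset" from "false".
function readBooleanAttribute(group: GroupRecord, key: string): boolean | undefined {
  const values = group.attributes?.[key];
  if (!values || values.length === 0) return undefined;
  const v = values[0].trim().toLowerCase();
  if (v === "true") return true;
  if (v === "false") return false;
  return undefined;
}

// toggle-group-boolean-attribute logic: flip the flag, treating unset/non-boolean as false.
// Returns a new object instead of mutating, so the caller can log before/after for audit.
function toggleBooleanAttribute(group: GroupRecord, key: string): GroupRecord {
  const current = readBooleanAttribute(group, key) ?? false;
  return {
    ...group,
    attributes: { ...(group.attributes ?? {}), [key]: [String(!current)] },
  };
}

// search-groups-by-attributes logic: walk the whole hierarchy and match any value
// under the key, exactly or as a case-insensitive substring.
function searchGroupsByAttribute(
  groups: GroupRecord[],
  key: string,
  value: string,
  exact: boolean,
): GroupRecord[] {
  const hits: GroupRecord[] = [];
  const needle = value.toLowerCase();
  const visit = (g: GroupRecord): void => {
    const values = g.attributes?.[key] ?? [];
    const matched = values.some((v) =>
      exact ? v === value : v.toLowerCase().indexOf(needle) !== -1,
    );
    if (matched) hits.push(g);
    for (const child of g.subGroups ?? []) visit(child);
  };
  for (const g of groups) visit(g);
  return hits;
}

// Constructed sample hierarchy: /engineering has a subgroup /engineering/platform.
const sampleGroups: GroupRecord[] = [
  {
    id: "g1", name: "engineering", path: "/engineering",
    attributes: { feature_flag: ["true"], region: ["eu-west"] },
    subGroups: [
      { id: "g2", name: "platform", path: "/engineering/platform",
        attributes: { feature_flag: ["false"], region: ["eu-central"] } },
    ],
  },
  { id: "g3", name: "sales", path: "/sales", attributes: { region: ["us-east"] } },
];

console.log(searchGroupsByAttribute(sampleGroups, "feature_flag", "true", true).map((g) => g.path));
console.log(toggleBooleanAttribute(sampleGroups[1], "feature_flag").attributes);
```

Note that the fuzzy search for `region=eu` finds both European groups, including the nested one, while the exact search for `eu` finds nothing; when auditing feature flags across a realm, run the exact form so a value like `"true-ish"` left by a bad import is not silently counted as enabled.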
Realm configuration, statistics, and management.
| Tool | Description |
|---|---|
| list-realms | List all available Keycloak realms |
| get-realm | Get detailed realm configuration |
| get-realm-stats | Get statistics (users, groups, clients, sessions) |
| export-realm | Export realm configuration with granular options |
| check-saml-certificates | Monitor SAML certificate expiration |
| list-realm-spis | List custom Service Provider Interfaces |
Authentication flow and required action management.
| Tool | Description |
|---|---|
| list-authentication-flows | List all authentication flows in realm |
| get-authentication-flow | Get flow details including executions |
| list-required-actions | List all required actions configuration |
OIDC and SAML client scope management.
| Tool | Description |
|---|---|
| list-client-scopes | List all client scopes in realm |
| get-client-scope | Get scope details with protocol mappers |
| create-client-scope | Create new OIDC or SAML scope |
| update-client-scope | Modify existing client scope |
| delete-client-scope | Remove client scope (destructive) |
| assign-client-scope | Assign scope to client (default/optional) |
| remove-client-scope | Remove scope assignment from client |
Development Mode (default)
- Write operations allowed with warnings
- Full error stack traces for debugging
- Verbose logging available
Production Mode
```
OPERATION_MODE=production
```
- Additional confirmations for write operations
- Enhanced warnings for destructive operations
- Sanitized error messages
Read-Only Mode
```
READ_ONLY_MODE=true
```
- Blocks all write operations (create, update, delete)
- Perfect for auditing and inspection
- Safe for production environments
- Ideal for learning and exploration
All write operations include:
- ✅ Operation mode validation
- ✅ Read-only mode enforcement
- ✅ Destructive operation warnings
- ✅ Structured logging
- ✅ Safety warning messages in responses
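To make the mode rules above concrete, here is an added TypeScript example, not the project's own code, of a guard that every write tool could call before touching Keycloak. It parses the `OPERATION_MODE` and `READ_ONLY_MODE` variables strictly (a misspelt value raises an error instead of silently falling back to a more permissive mode), lets read-only mode veto every write, attaches the destructive and production warnings to the response, and sanitizes error output in production by dropping the stack trace and redacting internal URLs. The `confirmed` flag as the form of the "additional confirmation" in production is an assumption, as are all type and function names.

```typescript
// Added example (not the project's code): a write-operation guard applying the
// README's safety rules. The "confirmed" flag for destructive operations in
// production mode is an assumed convention; all names here are illustrative.

type OperationMode = "development" | "production";
type OperationKind = "read" | "write" | "destructive";

interface SafetyConfig {
  operationMode: OperationMode;
  readOnlyMode: boolean;
}

interface SafetyDecision {
  allowed: boolean;
  warnings: string[]; // surfaced in the tool response, as the README describes
  reason?: string;    // set only when the operation is blocked
}

// Strict parsing: an unrecognised value throws rather than quietly selecting
// development mode or switching read-only mode off.
function loadSafetyConfig(env: Record<string, string | undefined>): SafetyConfig {
  const modeRaw = (env.OPERATION_MODE ?? "development").trim().toLowerCase();
  if (modeRaw !== "development" && modeRaw !== "production") {
    throw new Error(`OPERATION_MODE must be "development" or "production", got "${env.OPERATION_MODE}"`);
  }
  const roRaw = (env.READ_ONLY_MODE ?? "false").trim().toLowerCase();
  if (roRaw !== "true" && roRaw !== "false") {
    throw new Error(`READ_ONLY_MODE must be "true" or "false", got "${env.READ_ONLY_MODE}"`);
  }
  return { operationMode: modeRaw as OperationMode, readOnlyMode: roRaw === "true" };
}

// Decide whether a tool call may proceed and which warnings accompany it.
function checkOperation(
  config: SafetyConfig,
  toolName: string,
  kind: OperationKind,
  confirmed = false,
): SafetyDecision {
  const warnings: string[] = [];
  if (kind === "read") return { allowed: true, warnings };

  // Read-only mode takes precedence over everything else: no write reaches Keycloak.
  if (config.readOnlyMode) {
    return { allowed: false, warnings, reason: `READ_ONLY_MODE=true blocks ${toolName} (${kind} operation)` };
  }

  if (kind === "destructive") {
    warnings.push(`${toolName} is destructive: the change cannot be undone`);
  }

  if (config.operationMode === "production") {
    // Assumed convention: destructive operations in production need explicit confirmation.
    if (kind === "destructive" && !confirmed) {
      return { allowed: false, warnings, reason: `${toolName} requires confirmed=true in production mode` };
    }
    warnings.push(`${toolName} targets a production realm; verify the realm and object id before acting`);
  } else {
    warnings.push(`${toolName} is a write operation (development mode)`);
  }
  return { allowed: true, warnings };
}

// Production: message only, with internal URLs redacted. Development: message plus stack.
function formatError(config: SafetyConfig, err: Error): string {
  if (config.operationMode === "production") {
    const msg = err.message.replace(/https?:\/\/[^\s"']+/g, "<redacted-url>");
    return `Operation failed: ${msg}`;
  }
  return `Operation failed: ${err.message}\n${err.stack ?? ""}`;
}

// Stand-alone demonstration with constructed environments.
const prodConfig = loadSafetyConfig({ OPERATION_MODE: "production" });
console.log(checkOperation(prodConfig, "delete-user", "destructive"));
console.log(checkOperation(prodConfig, "delete-user", "destructive", true));
console.log(formatError(prodConfig, new Error("connect ECONNREFUSED http://0.0.0.0:8082/admin")));
```

The ordering inside `checkOperation` is the point: read-only is evaluated before any mode-specific logic, so no combination of flags can let a write through while `READ_ONLY_MODE=true`, which is what makes that mode safe to hand to an auditing assistant.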
- Language: TypeScript with strict mode
- Runtime: Node.js 18+
- Keycloak Client: Official `@keycloak/keycloak-admin-client` v26.x
- MCP SDK: `@modelcontextprotocol/sdk`
- Validation: Zod schemas for runtime type checking
- Logging: Winston structured logging
- Build: tsup for efficient ESM bundling
```
src/
├── common/          # Server setup, constants
├── config/          # Environment-based configuration
├── schemas/         # Zod validation schemas
├── services/        # Keycloak client wrapper
├── tools/           # MCP tool implementations
│   ├── user-tools.ts            (13 tools)
│   ├── group-tools.ts           (16 tools)
│   ├── realm-operations.ts      (3 tools)
│   ├── realm-tools.ts           (3 tools)
│   ├── authentication-tools.ts  (3 tools)
│   └── client-scope-tools.ts    (7 tools)
├── types/           # TypeScript definitions
├── utils/           # Logger, safety checks
└── index.ts         # Main entry point
```
- Node.js 18+
- Keycloak server running (v26.4.5 recommended)
- Keycloak admin credentials
```bash
npm install -g another-keycloak-mcp

# Create .env file
cat > .env << EOF
KEYCLOAK_URL=http://0.0.0.0:8082
KEYCLOAK_REALM=master
KEYCLOAK_ADMIN_USERNAME=admin
KEYCLOAK_ADMIN_PASSWORD=admin
EOF

# Run
akc-mcp
```
For complete setup instructions, see SETUP.md
- Bulk user creation and updates
- Duplicate email detection and cleanup
- Identity provider link verification
- Session monitoring and management
- User attribute auditing
- Dynamic group organization
- Feature flag management via boolean attributes
- Group hierarchy navigation
- Bulk membership operations
- Attribute-based group filtering
- Configuration backup and export
- SAML certificate expiration monitoring
- Custom SPI inventory
- Multi-realm statistics collection
- Realm configuration analysis
- Flow configuration inspection
- Required action management
- Authentication method auditing
- Login flow analysis
- Scope template management
- Bulk scope assignment
- OIDC/SAML configuration
- Protocol mapper analysis
Search users by email domain with fuzzy matching:
```json
{
  "tool": "search-user",
  "arguments": {
    "realm": "master",
    "email": "@example.com",
    "exact": false
  }
}
```
Check whether a user is linked to an identity provider:
```json
{
  "tool": "check-user-idp-broker-link",
  "arguments": {
    "realm": "master",
    "userId": "user-id-here",
    "identityProvider": "google"
  }
}
```
Find groups by an attribute key-value pair:
```json
{
  "tool": "search-groups-by-attributes",
  "arguments": {
    "realm": "master",
    "attributeKey": "feature_flag",
    "attributeValue": "true",
    "exact": true
  }
}
```
Export a realm without user data:
```json
{
  "tool": "export-realm",
  "arguments": {
    "realm": "master",
    "includeUsers": false,
    "includeGroups": true,
    "includeRoles": true,
    "includeClients": true
  }
}
```
Check SAML certificates expiring within 30 days:
```json
{
  "tool": "check-saml-certificates",
  "arguments": {
    "realm": "production",
    "warnDays": 30
  }
}
```
- SETUP.md - Installation, configuration, and deployment
- Keycloak: Tested with version 26.4.5
- Node.js: Requires version 18 or higher
- MCP Protocol: Version 1.0
Note: While this server is designed for Keycloak 26.4.5, it may work with other versions. Some features might behave differently with version mismatches.
MIT License - see LICENSE file for details
- Built with Model Context Protocol SDK
- Uses Keycloak Admin Client
- Inspired by the Keycloak community and existing MCP implementations