An MCP Server for Keycloak

Keycloak MCP Server

A Model Context Protocol (MCP) server that provides programmatic access to Keycloak administration functionality.

Overview

The Keycloak MCP Server enables AI assistants and development tools to interact with Keycloak through the Model Context Protocol. It supports comprehensive Keycloak operations including user management, realm configuration, client administration, and authentication flow management.

Key Features

• User JWT Token Authentication
• Comprehensive Keycloak Operations (users, realms, clients, roles, groups, etc.)
• SSE Transport for HTTP-based communication
• Production-ready OpenShift/Kubernetes deployment
• Multi-architecture container images
• GraalVM native image support

Quick Start

Using Docker

docker run -d \
  --name keycloak-mcp-server \
  -p 8080:8080 \
  -e KC_URL=https://keycloak.example.com \
  -e KC_REALM=master \
  -e OIDC_CLIENT_ID=mcp-server \
  quay.io/sshaaf/keycloak-mcp-server:latest

Authentication

Users authenticate with their own JWT tokens from Keycloak:

# Get your token
./scripts/get-mcp-token.sh \
  --keycloak-url https://keycloak.example.com \
  --username your-username \
  --password your-password

Configure in your MCP client (~/.cursor/mcp.json):

{
  "mcpServers": {
    "keycloak": {
      "transport": "sse",
      "url": "https://mcp-server.example.com/mcp/sse",
      "headers": {
        "Authorization": "Bearer <your-jwt-token>"
      }
    }
  }
}

Documentation

Complete documentation is available in the docs directory:

• Getting Started Guide - Setup instructions
• Authentication Guide - User authentication
• OpenShift Deployment - Production deployment
• Developers Guide - Development guide
• Full Documentation Index - Complete table of contents

Building Documentation

This project uses MkDocs for documentation. To build and serve locally:

pip install mkdocs-material
mkdocs serve

Visit http://localhost:8000 to view the documentation.

Container Images

Pre-built images are available on Quay.io:

docker pull quay.io/sshaaf/keycloak-mcp-server:latest

Images are automatically built and pushed on commits to main and on releases.

Building

JAR

mvn clean package
java -jar target/quarkus-app/quarkus-run.jar

Native Image

mvn clean package -Pnative
./target/keycloak-mcp-server-runner

Container Image

mvn clean package -Dquarkus.container-image.build=true

Technology Stack

• Quarkus - Cloud-native Java framework
• Keycloak Admin Client - Official Keycloak Java client
• MCP Protocol - Model Context Protocol for AI integration
• Jib - Containerization without Docker daemon
• GraalVM - Native image compilation support

License

MIT License - see LICENSE file for details.

Contributing

Contributions are welcome. See Contributors Guide for details.

Support

• Documentation: docs/index.md
• Issues: GitHub Issues
• Community: Keycloak Discourse

---

Maintainer: Shaaf Syed
Repository: https://github.com/sshaaf/keycloak-mcp-server
Container Registry: https://quay.io/repository/sshaaf/keycloak-mcp-server