Keycloak MCP Server

assign-client-role-to-user

Assign a specific client role to a user in a Keycloak realm using the MCP server, ensuring proper access control based on defined roles and permissions.

Instructions

Assign a client role to a user

Input Schema

TableJSON Schema

Name	Required	Description	Default
`clientUniqueId`	Yes
`realm`	Yes
`roleName`	Yes
`userId`	Yes

Implementation Reference

src/services/keycloak.ts:66-87 (handler)

Core handler function that executes the tool logic: parses args, lists client roles, finds the role, assigns it to the user via Keycloak admin client, and returns success message.

public async assignClientRoleToUser(args: unknown): Promise<string> {
  const { realm, userId, clientUniqueId, roleName } =
    AssignClientRoleSchema.parse(args);
  const roles: RoleRepresentation[] =
    await this.kcAdminClient.clients.listRoles({
      id: clientUniqueId,
      realm,
    });
  const role: RoleRepresentation | undefined = roles.find(
    (r) => r.name === roleName
  );
  if (!role || !role.id || !role.name) {
    throw new Error(`Role '${roleName}' not found or has no ID.`);
  }
  await this.kcAdminClient.users.addClientRoleMappings({
    realm,
    id: userId,
    clientUniqueId,
    roles: [{ id: role.id, name: role.name }],
  });
  return `Assigned role '${roleName}' to user ${userId} in client ${clientUniqueId}`;
}

src/server.ts:119-127 (handler)

MCP server tool handler switch case that receives tool call and delegates to the KeycloakService method.

case "assign-client-role-to-user":
  return {
    content: [
      {
        type: "text",
        text: await keycloakService.assignClientRoleToUser(args),
      },
    ],
  };

src/schemas/index.ts:20-25 (schema)

Zod schema used for input validation within the handler function.

export const AssignClientRoleSchema = z.object({
  realm: z.string(),
  userId: z.string(),
  clientUniqueId: z.string(),
  roleName: z.string(),
});

src/schemas/index.ts:78-87 (schema)

JSON schema definition for the tool input, used in MCP tool registration.

"assign-client-role-to-user": {
  type: "object",
  properties: {
    realm: { type: "string" },
    userId: { type: "string" },
    clientUniqueId: { type: "string" },
    roleName: { type: "string" },
  },
  required: ["realm", "userId", "clientUniqueId", "roleName"],
},

src/server.ts:56-60 (registration)

Tool registration in the MCP server's listTools response.

{
  name: "assign-client-role-to-user",
  description: "Assign a client role to a user",
  inputSchema: InputSchema["assign-client-role-to-user"],
},

Tool Definition Quality

C2.8/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It implies a mutation ('assign') but doesn't specify permissions required, whether the operation is idempotent, error handling, or what happens if the role or user doesn't exist. This leaves significant gaps for a tool that modifies user permissions.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, clear sentence with no wasted words, making it highly concise and front-loaded. It efficiently communicates the core action without unnecessary elaboration.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (a mutation with 4 parameters), lack of annotations, and no output schema, the description is incomplete. It doesn't cover behavioral aspects, parameter meanings, or expected outcomes, leaving the agent with insufficient information to use the tool effectively.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters2/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must compensate for all four parameters. It only mentions 'client role' and 'user' generically, without explaining what 'clientUniqueId', 'realm', 'roleName', or 'userId' represent or how to obtain them, failing to add meaningful context beyond the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('assign') and the target ('client role to a user'), making the purpose understandable. However, it doesn't differentiate this tool from potential siblings like 'add-user-to-group' or specify what distinguishes a 'client role' from other role types, keeping it from a perfect score.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance is provided on when to use this tool versus alternatives like 'add-user-to-group' or 'create-user', nor are prerequisites or context for role assignment mentioned. The description merely states what it does without indicating appropriate scenarios.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Related Tools

assign_client_role_to_user
@idoyudha/mcp-keycloak
create_client_role
@idoyudha/mcp-keycloak
assign_realm_role_to_user
@idoyudha/mcp-keycloak
list-roles
@Octodet/keycloak-mcp
update-user-roles
@Octodet/keycloak-mcp
list-client-rolesC
@HaithamOumerzoug/keycloak-mcp

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/HaithamOumerzoug/keycloak-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server