Skip to main content
Glama
mrz1880

mcp-keycloak-admin

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
AUTH_MODEYesAuthentication mode: service_account or password.
READ_ONLYNoWhen true, write/destructive tools are not registered. Default: false.false
KC_CLIENT_IDNoConfidential client id (e.g. mcp-admin). Required if AUTH_MODE is service_account.
ALLOWED_REALMSNoComma-separated allow-list of realms. Empty = all.
KC_ADMIN_REALMNoRealm holding the admin user (password mode). Default: master.master
KEYCLOAK_REALMYesRealm the server operates on.
KC_CLIENT_SECRETNoClient secret. Required if AUTH_MODE is service_account.
KC_ADMIN_PASSWORDNoAdmin password. Required if AUTH_MODE is password.
KC_ADMIN_USERNAMENoAdmin username. Required if AUTH_MODE is password.
KEYCLOAK_BASE_URLYesBase URL of the Keycloak server (no trailing slash).

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": true
}

Tools

Functions exposed to the LLM to take actions

NameDescription
keycloak_user_searchA

Read-only. Searches users in the configured realm and returns a JSON array of matches, each with id, username, email and enabled flag. Use this to discover a user's id before calling id-based tools such as keycloak_user_get, keycloak_user_update or keycloak_user_delete. All filters are optional and combined; with no filters it returns the first page of users. Results are paginated and capped at 500 per call.

keycloak_user_getA

Read-only. Fetches a single realm user by id and returns a JSON object with id, username, email and enabled flag, or the text "User not found." if no user has that id. Use keycloak_user_search first if you only know a username or email and need the id. Idempotent: repeated calls return the same result without changing anything.

keycloak_user_sessions_listA

Read-only. Returns a JSON array of a user's currently active sessions (an empty array if none). Use it to inspect where a user is logged in before deciding whether to revoke access with keycloak_user_logout. Idempotent: it never changes any state and repeated calls reflect only sessions that are still active.

keycloak_user_createA

Write operation that creates a new realm user and returns a confirmation message with the username. It does not set a password, so call keycloak_user_reset_password afterwards to give the account credentials; it also does not send any email. Not idempotent: calling it again with the same username creates a conflict rather than a duplicate. Use keycloak_user_update to change an existing user instead of recreating it.

keycloak_user_updateA

Write operation that updates an existing user's profile fields and returns a confirmation message. Only the fields you supply are changed; omitted fields are left untouched (no field is cleared by omission). Idempotent: applying the same values again leaves the user unchanged. Use keycloak_user_get first to read current values, and keycloak_user_reset_password for credentials rather than this tool.

keycloak_user_set_enabledA

Write operation that enables or disables a single user account by id, returning a confirmation message. Disabling blocks the user from logging in but does not delete the account or revoke existing sessions; use keycloak_user_logout to terminate active sessions, or keycloak_user_delete to remove the account. Idempotent: setting the same enabled value repeatedly leaves the account in the same state.

keycloak_user_send_action_emailA

Write operation that emails the user a link prompting them to complete one or more required actions (such as verifying their email or updating their password), and returns a confirmation message. The user must have a valid email address configured. Not idempotent: each call sends a fresh email. Use this for self-service flows; to set a password directly without involving the user, use keycloak_user_reset_password instead.

keycloak_user_reset_passwordA

Destructive write that overwrites a user's password with the supplied value, returning "Password reset." on success or a "Not reset: " message if confirmation was declined. Requires explicit confirmation: pass confirm=true, otherwise the operation is blocked pending approval. Commonly used right after keycloak_user_create to give a new account credentials. Not idempotent in effect, since it invalidates the previous password.

keycloak_user_logoutA

Destructive write that revokes all active sessions for a user, forcing them to re-authenticate, and returns "User logged out." on success or a "Not logged out: " message if confirmation was declined. Requires explicit confirmation: pass confirm=true, otherwise the operation is blocked pending approval. The account itself stays enabled; use keycloak_user_set_enabled to block future logins or keycloak_user_sessions_list to inspect sessions first. Effectively idempotent: once sessions are revoked, a repeat call has nothing left to revoke.

keycloak_user_deleteA

Destructive write that permanently removes a user from the realm, returning "User "" deleted." on success or a "Not deleted: " message otherwise. As a wrong-target guard, the supplied username must match the user that the id resolves to, and confirm must be true; otherwise the deletion is blocked. Look up the id and username with keycloak_user_get or keycloak_user_search first. Not reversible; consider keycloak_user_set_enabled to disable instead of deleting.

keycloak_role_listA

Read-only: lists all realm-level roles defined in the Keycloak realm (not client roles). Takes no parameters. Use this to discover available realm role names before assigning one with keycloak_user_role_assign; for roles scoped to a specific client, use keycloak_client_roles_list instead. Returns a JSON array of roles, each with id, name, and description.

keycloak_user_roles_getA

Read-only: lists the realm-level roles currently assigned to a single user (not client roles). Use this to inspect a user's realm role assignments before granting one with keycloak_user_role_assign or revoking one with keycloak_user_role_unassign; for client-scoped assignments use keycloak_user_client_roles_get. Returns a JSON array of roles, each with id, name, and description.

keycloak_client_roles_listA

Read-only: lists the client-level roles defined on a single Keycloak client (not realm roles). Use this to discover available client role names before assigning one with keycloak_user_client_role_assign; for realm-wide roles use keycloak_role_list instead. Returns a JSON array of roles (each with id, name, and description), or the message 'Client not found.' when no client matches the given ID.

keycloak_user_client_roles_getA

Read-only: lists the client-level roles assigned to a single user for one specific client (not realm roles). Use this to inspect a user's client role assignments before granting one with keycloak_user_client_role_assign or revoking one with keycloak_user_client_role_unassign; for realm-wide assignments use keycloak_user_roles_get. Returns a JSON array of roles (each with id, name, and description), or the message 'Client not found.' when no client matches the given ID.

keycloak_user_role_assignA

Write: grants a single realm-level role to a user (not a client role). This is idempotent — assigning a role the user already has succeeds without changing anything. The role must already exist in the realm; list candidates with keycloak_role_list and verify current assignments with keycloak_user_roles_get. Returns a confirmation that the role was assigned, or a message explaining why it was not (for example, the user or role was not found).

keycloak_user_client_role_assignA

Write: grants a single client-level role (belonging to one specific client) to a user, not a realm role. This is idempotent — assigning a role the user already has succeeds without changing anything. The role must already exist on the client; list candidates with keycloak_client_roles_list and verify current assignments with keycloak_user_client_roles_get. Returns a confirmation that the client role was assigned, or a message explaining why it was not (for example, the user, client, or role was not found).

keycloak_user_role_unassignA

Destructive write: revokes a single realm-level role from a user (not a client role), removing the access that role grants. This action requires explicit confirmation and will not proceed unless 'confirm' is true. Use keycloak_user_roles_get first to see the user's current realm roles; for client-scoped roles use keycloak_user_client_role_unassign instead. Returns a confirmation that the role was removed, or a message explaining why it was not (for example, confirmation was declined or the user or role was not found).

keycloak_user_client_role_unassignA

Destructive write: revokes a single client-level role (belonging to one specific client) from a user, removing the access that role grants; this is not a realm role. This action requires explicit confirmation and will not proceed unless 'confirm' is true. Use keycloak_user_client_roles_get first to see the user's current client roles; for realm-wide roles use keycloak_user_role_unassign instead. Returns a confirmation that the client role was removed, or a message explaining why it was not (for example, confirmation was declined or the user, client, or role was not found).

keycloak_client_listA

List all OAuth/OIDC clients registered in the configured Keycloak realm. Read-only and idempotent; it does not modify anything. Use this to discover clients before calling keycloak_client_get, keycloak_client_update, or keycloak_client_delete. Takes no parameters and returns a JSON array where each entry has uuid, clientId, enabled, and publicClient.

keycloak_client_getA

Fetch a single realm client by its clientId. Read-only and idempotent; it does not modify anything. Use keycloak_client_list first if you do not know the exact clientId. Returns a JSON object with uuid, clientId, enabled, and publicClient, or the text "Client not found." when no client matches.

keycloak_client_get_secretA

Read the current secret of a confidential (non-public) realm client. Read-only and idempotent; it does not change the secret. By default the secret is returned masked; pass reveal=true to return the plaintext value. Use keycloak_client_get to confirm a client is confidential first, and keycloak_client_regenerate_secret to rotate it. Returns the (masked or plaintext) secret string, or "Client not found." when no client matches.

keycloak_client_createA

Create a new OAuth/OIDC client in the configured realm. This is a write operation and is not idempotent: calling it again with the same clientId creates a conflict rather than reusing the existing client. Use keycloak_client_list or keycloak_client_get first to verify the clientId is not already taken, and keycloak_client_update to modify an existing client. Returns a confirmation message naming the created client.

keycloak_client_updateA

Update an existing client's enabled flag, public flag, redirect URIs and/or web origins. Only the fields you supply are changed; omitted fields are left untouched. This is a write operation and is idempotent: applying the same values again yields the same state. Use keycloak_client_list or keycloak_client_get to find the client first. Returns a confirmation message, or a reason string (e.g. when the client does not exist).

keycloak_client_regenerate_secretA

Regenerate (rotate) a confidential client's secret. This is a destructive, non-idempotent write: it invalidates the previous secret, which immediately stops working, so any system using the old value must be updated. Requires explicit confirmation via confirm=true (otherwise it aborts without changing anything). Use keycloak_client_get_secret to read the current secret without rotating. Returns the new plaintext secret, or a reason string when not regenerated.

keycloak_client_deleteA

Permanently delete a client from the realm. This is a destructive operation and is not idempotent: once deleted, deleting the same clientId again fails because it no longer exists. Requires explicit confirmation via confirm=true (otherwise it aborts without deleting). Use keycloak_client_get to verify the target first, and keycloak_client_update to merely disable a client instead of removing it. Returns a confirmation message, or a reason string when not deleted.

keycloak_client_scopes_listA

Lists every client scope defined in the realm. This is a read-only, idempotent operation that takes no parameters and does not modify Keycloak. Use it to discover available scope names before calling keycloak_client_scope_assign or keycloak_client_scope_unassign. Returns a JSON array where each entry holds the scope's id, name, and protocol.

keycloak_client_default_scopes_getA

Lists the default client scopes currently assigned to a single client. This is a read-only, idempotent operation that does not modify Keycloak. Use it to inspect a client's effective default scopes before assigning or unassigning one; for the full catalog of available scopes use keycloak_client_scopes_list instead. Returns a JSON array of the assigned scopes (each with id, name, and protocol), or the text "Client not found." when no client matches the given clientId.

keycloak_client_mappers_listA

Lists the protocol mappers configured on a single client, aggregated across the client and its assigned scopes. This is a read-only, idempotent operation that does not modify Keycloak. Use it to inspect how tokens issued for the client are shaped; to first find a client's scopes use keycloak_client_default_scopes_get. Returns the protocol mappers as a JSON array, or the text "Client not found." when no client matches the given clientId.

keycloak_client_scope_assignA

Assigns an existing realm client scope to a client as a default scope. This is a write operation; it is idempotent, so re-assigning an already-assigned scope leaves the client unchanged. Use keycloak_client_scopes_list to find a valid scope name and keycloak_client_default_scopes_get to check current assignments before calling this. Returns a confirmation message when the scope is assigned, or a message starting with "Not assigned:" with the reason (for example when the client or scope does not exist).

keycloak_client_scope_unassignA

Removes a default client scope from a client. This is a destructive write operation and is gated by an explicit confirmation step, so it does nothing unless confirm is true. It is not idempotent in effect: the first successful call detaches the scope, and a later call once the scope is gone reports that it was not removed. Use keycloak_client_default_scopes_get first to see which scopes are currently assigned. Returns a confirmation message when the scope is removed, or a message starting with "Not removed:" with the reason (for example missing confirmation, or an unknown client or scope).

keycloak_group_listA

Read-only. Lists the realm's top-level groups. Use this to discover group IDs and names before calling group write tools such as keycloak_group_member_add, keycloak_group_role_assign, or keycloak_group_delete. Idempotent and takes no parameters; returns a JSON array of objects, each with the group id, name, and path.

keycloak_group_members_listA

Read-only and idempotent. Lists the users that are direct members of the given group. Resolve the group ID first with keycloak_group_list. Returns a JSON array of user objects, each with id, username, email (or null), and enabled status.

keycloak_user_groups_listA

Read-only and idempotent. Lists the groups the given user belongs to. Resolve the user ID first with a user listing tool. Returns a JSON array of group objects, each with id, name, and path.

keycloak_group_createA

Write operation. Creates a new top-level group in the realm with the given name. Not idempotent: calling it again with the same name creates or attempts another group rather than reusing one. Use keycloak_group_list afterward to obtain the new group's id. Returns a confirmation message containing the created group's name.

keycloak_group_member_addA

Write operation. Adds an existing user to an existing group by their IDs. Idempotent: adding a user already in the group leaves membership unchanged. Resolve the IDs first with keycloak_group_list and a user listing tool; to undo, use keycloak_group_member_remove. Returns a fixed confirmation message.

keycloak_group_role_assignA

Write operation. Grants an existing realm role to a group, so the group's members inherit that role. Idempotent: re-assigning an already-granted role makes no further change. Resolve the group ID with keycloak_group_list and ensure the realm role exists beforehand. Returns a message stating the role was assigned, or, if it could not be, that it was not assigned with the reason.

keycloak_group_member_removeA

Destructive write operation that requires confirmation. Removes a user from a group by their IDs. Not idempotent in effect since it gates on confirmation; resolve IDs with keycloak_group_list and keycloak_group_members_list first, and use keycloak_group_member_add to reverse it. Returns a message stating the user was removed, or, if confirmation was withheld, that it was not removed with the reason.

keycloak_group_deleteA

Destructive write operation that requires confirmation. Permanently deletes a group by its ID, including its membership and role assignments. This cannot be undone; find the ID with keycloak_group_list first. Returns a message confirming deletion, or, if confirmation was withheld, that it was not deleted with the reason.

keycloak_idp_listA

Lists all identity providers configured in the target realm. Read-only and idempotent; it makes no changes. Use it to discover available providers before calling keycloak_idp_get, keycloak_idp_mappers_list, or keycloak_idp_delete. Takes no parameters and returns a JSON array of providers, each with alias, providerId, enabled, and displayName.

keycloak_idp_getA

Fetches a single identity provider by its alias from the target realm. Read-only and idempotent; it makes no changes. Use it to inspect one provider after finding its alias with keycloak_idp_list. Returns a JSON object with alias, providerId, enabled, and displayName, or the text "Identity provider not found." if no provider matches the alias.

keycloak_idp_mappers_listA

Lists the mappers configured on a single identity provider, identified by its alias. Mappers control how claims and attributes from the external provider are mapped into Keycloak users. Read-only and idempotent; it makes no changes. Use it after keycloak_idp_list or keycloak_idp_get to inspect a provider's mappers. Returns a JSON array of mapper definitions.

keycloak_idp_createA

Creates a new identity provider in the target realm. This is a write operation and is not idempotent: calling it again with an existing alias will fail rather than update. Check keycloak_idp_list first to avoid alias collisions, and use keycloak_idp_get afterward to verify the result. Returns a confirmation message naming the created provider.

keycloak_idp_deleteA

Permanently deletes an identity provider from the target realm by its alias. This is a destructive write operation that requires confirmation: it proceeds only when confirm is true, otherwise it is skipped. It is not idempotent, since deleting an already-removed provider has no provider to remove. Use keycloak_idp_list or keycloak_idp_get first to confirm the alias. Returns a message stating whether the provider was deleted or, if not, the reason.

keycloak_federation_listA

Lists all user federation providers (such as LDAP or Kerberos) configured in the current realm. Read-only and idempotent; it does not modify any configuration. Use this to discover available providers and obtain their ids before calling keycloak_federation_get for details or keycloak_federation_sync to trigger a sync. Returns a JSON array where each entry contains the provider id, name, and providerId; an empty array means no providers are configured.

keycloak_federation_getA

Fetches a single user federation provider (such as LDAP or Kerberos) by its component id in the current realm. Read-only and idempotent; it does not modify any configuration. Use keycloak_federation_list first to obtain a valid id, then call this tool to inspect that specific provider. Returns a JSON object with the provider id, name, and providerId, or the text "Federation provider not found." when no provider matches the given id.

keycloak_federation_syncA

Triggers a user synchronization from a user federation provider (such as LDAP) into the current realm. This is a write operation that imports or updates users; it is not destructive but is not idempotent, since each call re-runs the sync and the imported counts can differ between runs. Use keycloak_federation_list or keycloak_federation_get first to confirm the provider id, then run this to refresh users. Returns a JSON object describing the sync result reported by Keycloak.

keycloak_auth_flows_listA

Lists every authentication flow defined in the currently configured Keycloak realm. This is a read-only, idempotent operation that takes no parameters and does not modify any data. Returns a JSON array of flow objects (including alias, description, provider id, top-level and built-in indicators) as formatted text. Use it to inspect or audit the realm's login, registration, and reset-credential flows before configuring related authentication settings.

keycloak_auth_required_actions_listA

Lists every required action configured in the currently configured Keycloak realm (for example Verify Email, Update Password, or Configure OTP). This is a read-only, idempotent operation that takes no parameters and does not change any data. Returns a JSON array of required-action objects (including alias, name, enabled, defaultAction, and priority) as formatted text. Use it to discover available aliases before enabling or disabling a required action with keycloak_auth_required_action_set_enabled.

keycloak_auth_required_action_set_enabledA

Enables or disables a single required action in the currently configured Keycloak realm, identified by its alias. This is a write operation that is not destructive and is idempotent: setting an already-matching state leaves the action unchanged. Call keycloak_auth_required_actions_list first to obtain valid aliases. Returns a short text confirmation stating whether the action was enabled or disabled.

keycloak_authz_resources_listA

Lists the authorization-services resources defined on a Keycloak client (the protected resources that policies and permissions apply to). Read-only and idempotent: it performs no writes and returns the same data for unchanged configuration. Use it to inspect a client's fine-grained authorization model; call keycloak_clients_list first to obtain the client's internal id, and pair it with keycloak_authz_policies_list and keycloak_authz_permissions_list for the full picture. Returns a JSON array of resource entries, or the text "Client not found." when no client matches the given id.

keycloak_authz_policies_listA

Lists the authorization-services policies defined on a Keycloak client (the rules, such as role, user, or JS policies, that decide whether access is granted). Read-only and idempotent: it performs no writes and returns the same data for unchanged configuration. Use it to review the policies that back a client's permissions; call keycloak_clients_list first to obtain the client's internal id, and combine with keycloak_authz_resources_list and keycloak_authz_permissions_list to understand the whole authorization model. Returns a JSON array of policy entries, or the text "Client not found." when no client matches the given id.

keycloak_authz_permissions_listA

Lists the authorization-services permissions defined on a Keycloak client (the bindings that tie resources and/or scopes to the policies that govern them). Read-only and idempotent: it performs no writes and returns the same data for unchanged configuration. Use it to see how a client's resources are protected; call keycloak_clients_list first to obtain the client's internal id, and pair with keycloak_authz_resources_list and keycloak_authz_policies_list for full context. Returns a JSON array of permission entries, or the text "Client not found." when no client matches the given id.

keycloak_events_loginA

Read-only. Returns recent user login events from the realm's login event log (such as LOGIN, LOGIN_ERROR, and LOGOUT), as a JSON array ordered by the event log's default ordering. Use this to audit authentication activity or investigate failed logins; for administrative changes (user/role/config updates) use keycloak_events_admin instead. This tool is idempotent and never modifies Keycloak.

keycloak_events_adminA

Read-only. Returns recent administrative events from the realm's admin event log (such as CREATE, UPDATE, and DELETE operations on users, roles, clients, and configuration) as a JSON array. Use this to audit who changed what in the realm; for end-user authentication activity use keycloak_events_login instead. This tool is idempotent and never modifies Keycloak.

keycloak_realm_get_configA

Read-only. Returns a curated subset of the realm's configuration as a JSON object, including realm name and enabled state, self-registration and password-reset flags, email verification and login-with-email settings, brute-force protection, the SSL requirement, and token and SSO session lifespans. Use this to inspect security-relevant realm settings without retrieving the full realm representation. Takes no parameters; it is idempotent and never modifies Keycloak.

keycloak_server_infoA

Read-only. Returns a small JSON summary of the connected Keycloak server, containing the 'keycloakVersion' field (the server version, or null when it cannot be determined). Use this for a quick connectivity and version check; for realm-specific settings use keycloak_realm_get_config instead. Takes no parameters; it is idempotent and never modifies Keycloak.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mrz1880/mcp-keycloak-admin'

If you have feedback or need assistance with the MCP directory API, please join our Discord server