keycloak-agent 0.30.0

Keycloak Identity MCP Server and Agent for Agentic AI!

Keycloak Agent

MCP Server | Agent

Keycloak Identity and Access Management MCP Server + Agent for the agent-utilities ecosystem. Built with the standardized dynamic-facade architecture, custom API routing, and FastMCP tool registration.

Documentation — Installation, deployment, usage across the API, CLI, and MCP interfaces, and guidance for provisioning the Keycloak platform are maintained in the official documentation.

Table of Contents

• Overview
• Features
• Installation
• Usage
• Configuration
• MCP Tools
• Architecture
• Deployment
• Contributing
• License

---

Overview

Keycloak MCP provides a high-performance, model-optimized interface to Keycloak capabilities. It isolates the model from underlying API transport complexity, ensuring safe, idempotent, and highly traceable system interactions.

---

Features

• Dynamic Facade Orchestration: Integrates multi-inheritance clients cleanly under a single facade.
• Battle-Tested Resilience: Out-of-the-box credential authentication, connection polling, and request retry strategies.
• FastMCP Declarative Tools: Fast, native schema registration with full inline validation.
• Complete Test Intent Diversity: Deep, automated unit, integration, and mock tests ensuring high code coverage.

---

⚙️ Dynamic Tool Selection & Visibility

This MCP server supports dynamic toolset selection and visibility filtering at runtime. This allows you to restrict the set of exposed tools in order to prevent blowing up the LLM's context window.

You can configure tool filtering via multiple input channels:

• CLI Arguments: Pass --tools or --toolsets (or their disabled counterparts --disabled-tools and --disabled-toolsets) during startup.
• Environment Variables: Define standard environment variables:
  • MCP_ENABLED_TOOLS / MCP_DISABLED_TOOLS
  • MCP_ENABLED_TAGS / MCP_DISABLED_TAGS
• HTTP SSE Request Headers: Pass custom headers during transport initialization:
  • x-mcp-enabled-tools / x-mcp-disabled-tools
  • x-mcp-enabled-tags / x-mcp-disabled-tags
• HTTP SSE Request Query Parameters: Append query parameters directly to your transport connection URL:
  • ?tools=tool1,tool2
  • ?tags=tag1

When query strings or parameters are supplied, an LLM-free Knowledge Graph resolution layer (using DynamicToolOrchestrator) matches query intents against known tool tags, names, or descriptions, with safe fallback and automated 24-hour background cache refreshing.

---

Installation

Install in editable mode directly inside your active workspace:

pip install -e .[all]

Or via the uv tool:

uv pip install -e .

---

Usage

You can launch the FastMCP server in stdio mode via Python module execution:

import asyncio
from keycloak_agent.mcp_server import get_mcp_instance

async def main():
    mcp = get_mcp_instance()
    # Execute stdio loop or launch server
    print("MCP Server ready.")

if __name__ == "__main__":
    asyncio.run(main())

For direct shell launch, execute:

python -m keycloak_agent.mcp_server

---

Configuration

The package is fully configurable via the environment variables listed below:

Variable	Description	Default	Required
KEYCLOAK_URL	Keycloak Base Admin URL	http://localhost:8080	Yes
KEYCLOAK_USERNAME	Admin account username	admin	Yes
KEYCLOAK_PASSWORD	Admin account password	admin_secure_password	Yes
KEYCLOAK_REALM	KeycloakRealm name	master	Yes

A local template is supplied inside .env.example. Copy this file as .env and fill out your specific service endpoint parameters before starting execution.

---

MCP Tools

The following declarative FastMCP tools are registered and available to upstream AI agents:

Tool Name	Description	Parameters
get_users	List realm users	limit: int = 100
create_user	Create user in realm	username: str, email: str, enabled: bool = True
get_realms	List realms	None
get_clients	List realm clients	None

See docs/overview.md or docs/concepts.md for deeper operational examples.

---

Architecture

This package uses the standardized Agent-Utilities dynamic facade architecture:

graph TD
    User([User Agent]) --> Server[FastMCP Server]
    Server --> Facade[Api Dynamic Facade]
    Facade --> ClientBase[ApiClientBase]
    Facade --> Auth[Credentials Auth Handler]
    ClientBase --> Service([External Service API])

---

Deployment

Bare-Metal (Standard pip)

1. Set up your Python virtual environment (>= 3.10).
2. Install the package: pip install .[all]
3. Export credentials:

   export KEYCLOAK_URL="http://localhost:8080"
   

4. Run: python -m keycloak_agent.mcp_server

Container (Docker Compose)

A standard compose structure is provided inside the docker/ folder. Build and deploy:

docker compose -f docker/compose.yml up --build -d

---

Contributing

Please audit all code changes against ecosystem guidelines in CONTRIBUTING.md if available, and run:

pre-commit run --all-files

---

Documentation

The complete documentation is published as the official documentation site and is the recommended reference for installation, deployment, and day-to-day operation.

Page	Contents
Installation	pip, source, extras, prebuilt Docker image
Deployment	run the MCP server and agent, Compose, Caddy + Technitium, env config
Usage	the MCP tools, the Api client, the CLI
Backing Platform	deploy Keycloak with Docker
Overview	the dynamic facade and tool surface
Concepts	concept registry (CONCEPT:KEY-*)

AGENTS.md is the canonical contributor/agent guidance.

License

This project is licensed under the MIT License. See the LICENSE file for complete details.