MCP server for KeyCloak Admin REST API via Service Account

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for sigetika from gravatar.com sigetika

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: AIKAWA Shigechika
  • Tags keycloak , mcp , model-context-protocol , sso , authentication
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

keycloak-mcp

English | 日本語

MCP (Model Context Protocol) server for KeyCloak Admin REST API.

Uses Client Credentials Grant (Service Account) — no user password or TOTP required. Infinispan-safe: does not create user sessions or use the userinfo endpoint.

Features

User Management

Tool Description
count_users Get total user count in the realm
search_users Search users by username, email, or name
get_user Get detailed user information by username
reset_password Reset a user's password
reset_passwords_batch Reset passwords for multiple users from CSV
get_user_sessions Get active sessions for a user (local time)
logout_user Force logout a user by removing all sessions

Group Management

Tool Description
list_user_groups List groups a user belongs to
list_users_by_group List all members of a group

Security Monitoring

Tool Description
get_brute_force_status Check if a user is locked by brute force detection
get_login_failures_by_ip Login failure statistics by source IP (with site labels)
detect_login_loops Detect users with rapid repeated logins (redirect loop detection)

Event Analytics

Tool Description
get_events Get events with filters (type, username, client, IP, date). Resolves username to user ID automatically
get_login_stats Login success/failure statistics with full pagination
get_login_stats_by_hour Login statistics by hour (local time)
get_login_stats_by_client Login statistics by client (SP)
get_password_update_events Password update event history

Session & Client

Tool Description
get_session_stats Active session count per client
get_client_sessions Active sessions for a specific client
list_clients List all SAML/OIDC clients
get_realm_roles List all realm-level roles

Setup

# uv
uv pip install keycloak-mcp

# pip
pip install keycloak-mcp

Or from source:

git clone https://github.com/shigechika/keycloak-mcp.git
cd keycloak-mcp

# uv
uv sync

# pip
pip install -e .

Configuration

Set the following environment variables:

Variable Description Default
KEYCLOAK_URL KeyCloak base URL (e.g., https://sso.example.com) required
KEYCLOAK_REALM Realm name master
KEYCLOAK_CLIENT_ID Service Account client ID required
KEYCLOAK_CLIENT_SECRET Client secret required
KEYCLOAK_SITES_INI Path to INI file for IP-to-site classification (optional)

KeyCloak Client Setup

  1. Create a new client in KeyCloak Admin Console
  2. Enable Client authentication and Service account roles
  3. Assign realm roles: view-users, view-events, view-clients, manage-users (for password reset)

Usage

Claude Code

Add to .mcp.json:

{
  "mcpServers": {
    "keycloak-mcp": {
      "type": "stdio",
      "command": "keycloak-mcp",
      "env": {
        "KEYCLOAK_URL": "https://sso.example.com",
        "KEYCLOAK_CLIENT_ID": "keycloak-mcp",
        "KEYCLOAK_CLIENT_SECRET": ""
      }
    }
  }
}

Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "keycloak-mcp": {
      "command": "keycloak-mcp",
      "env": {
        "KEYCLOAK_URL": "https://sso.example.com",
        "KEYCLOAK_CLIENT_ID": "keycloak-mcp",
        "KEYCLOAK_CLIENT_SECRET": ""
      }
    }
  }
}

Direct Execution

export KEYCLOAK_URL=https://sso.example.com
export KEYCLOAK_CLIENT_ID=keycloak-mcp
export KEYCLOAK_CLIENT_SECRET=your-secret
keycloak-mcp

Development

git clone https://github.com/shigechika/keycloak-mcp.git
cd keycloak-mcp

# uv
uv sync --dev
uv run pytest -v
uv run ruff check .

# pip
python3 -m venv .venv
.venv/bin/pip install -e . && .venv/bin/pip install pytest pytest-cov respx ruff
.venv/bin/pytest -v
.venv/bin/ruff check .

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for sigetika from gravatar.com sigetika

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: AIKAWA Shigechika
  • Tags keycloak , mcp , model-context-protocol , sso , authentication
  • Requires: Python >=3.10
Classifiers

Release history Release notifications | RSS feed

0.6.0

0.5.0

0.4.0

0.3.0

This version

0.2.1

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keycloak_mcp-0.2.1.tar.gz (17.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

keycloak_mcp-0.2.1-py3-none-any.whl (13.5 kB view details)

Uploaded Python 3

File details

Details for the file keycloak_mcp-0.2.1.tar.gz.

File metadata

  • Download URL: keycloak_mcp-0.2.1.tar.gz
  • Upload date:
  • Size: 17.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for keycloak_mcp-0.2.1.tar.gz
Algorithm Hash digest
SHA256 48fa81970cf559fa740b89cd76e362fc22a2c0f2a9ff59f7cacb398289109215
MD5 6d69951cb824a4831a38307a88fc069c
BLAKE2b-256 db1a28d38763ec00e5a0c1387bce2adb9b6988222eddb2c9b794107f200db02f

See more details on using hashes here.

Provenance

The following attestation bundles were made for keycloak_mcp-0.2.1.tar.gz:

Publisher: release.yml on shigechika/keycloak-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file keycloak_mcp-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: keycloak_mcp-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for keycloak_mcp-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 72d88cd352b91ec45eab4a1ceeeb5863c24c6001737f5599ccdb3297576eed1b
MD5 d5ac64e323d3efcf562edee39d6f30d4
BLAKE2b-256 f70f57501441c5deccdd7361375e1d86cd46805961bdbb8016a0e3a138e5181d

See more details on using hashes here.

Provenance

The following attestation bundles were made for keycloak_mcp-0.2.1-py3-none-any.whl:

Publisher: release.yml on shigechika/keycloak-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page