# Keycloak MCP

> Keycloak MCP manages identity and access control directly through your AI agent. You'll use this to audit security realms, create or delete users, manage groups, and configure OIDC/SAML clients without clicking a single button in the console.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** iam, authentication, authorization, sso, keycloak-admin

## Description

This connector gives you full command over complex Identity and Access Management (IAM) processes. Instead of navigating through multiple Keycloak consoles or writing repetitive scripts, you talk to your agent about what needs fixing—whether it’s deleting an orphaned client record or auditing who changed a realm setting last week. You can manage the core security infrastructure by simply asking for it. The system handles the complex API calls needed to update user credentials, assign roles, and force global logouts across entire realms. When you connect this MCP through Vinkius, your agent gets access to thousands of other specialized tools, so you stay in one place to handle everything from user lifecycle management to advanced security auditing.

## Tools

### create_auth_flow
Builds a new authentication process flow within Keycloak.

### create_client
Registers and creates a brand new client application in the realm.

### create_group
Establishes a new, top-level user group for organization.

### create_role
Defines and creates a new security role available at the realm level.

### create_user
Creates an account for a brand new user in the system.

### delete_client
Removes an existing client application from the realm entirely.

### delete_group
Deletes a defined group, removing all associated users and roles.

### delete_realm
Permanently deletes an entire security realm environment.

### delete_user
Removes a user account from the system, making it permanently inactive.

### get_client_secret
Retrieves the confidential secret key associated with a client application.

### get_client
Fetches and displays all current details for a specified client.

### get_group
Retrieves the full details of a specific user group.

### get_realm
Fetches and displays all information for a specified security realm.

### get_role
Retrieves the definition of a specific role by its name.

### get_user
Fetches and displays all current details for a specific user account.

### import_realm
Loads an entire realm environment into Keycloak from an external source.

### list_admin_events
Retrieves a chronological list of all administrative changes made to a specific realm.

### list_auth_flows
Lists all available authentication flows configured for the system.

### list_client_roles
Displays all roles that can be assigned to a client application.

### list_clients
Gets an overview of every client application registered in the realm.

### list_groups
Displays the entire group hierarchy structure, showing parent-child relationships.

### list_realms
Lists all accessible security realms managed by the instance.

### list_required_actions
Identifies and lists actions that are required to proceed with certain changes.

### list_roles
Displays all security roles available at the realm level for assignment.

### list_user_groups
Lists which groups a specific user currently belongs to.

### list_users
Retrieves a list of all active and inactive users within the specified realm.

### logout_all_users
Forces every logged-in user to log out instantly across the entire realm.

### partial_export_realm
Generates a partial data export of all settings and structures within a specific realm.

### regenerate_client_secret
Creates a brand new secret key for an existing client application.

### reset_user_password
Resets the password for a user without needing to know their previous credentials.

### update_client
Modifies existing settings or metadata for a client application.

### update_group
Changes the properties or membership of an established group.

### update_realm
Modifies general settings and metadata for an entire realm environment.

### update_user
Updates personal information or status details for a specific user account.

## Prompt Examples

**Prompt:** 
```
List all realms available in our Keycloak instance.
```

**Response:** 
```
I've retrieved the realms. You have 3 active realms: 'master', 'production-apps', and 'staging-environment'.
```

**Prompt:** 
```
Get the details for user ID '550e8400-e29b' in the 'production-apps' realm.
```

**Response:** 
```
Fetching user data... User 'john.doe' found. Email: john@example.com, Status: Enabled, Created: 2023-10-12.
```

**Prompt:** 
```
Create a new group called 'Engineering-Leads' in the 'master' realm.
```

**Response:** 
```
Group 'Engineering-Leads' has been successfully created in the 'master' realm.
```

## Capabilities

### Manage User Accounts
Create new users, update existing details, reset passwords, or delete accounts across different realms.

### Administer Security Realms
List and import entire security environments (realms), or audit changes using the list_admin_events tool.

### Handle Client Applications
Create, read, update, or delete client applications, and retrieve (`get_client_secret`) or instantly regenerate (`regenerate_client_secret`) a client's secret.

### Define Roles and Groups
Organize your security structure by creating top-level groups, assigning roles at the realm level, or managing user group memberships.

### Control Sessions and Access
Force a global logout across an entire realm (`logout_all_users`) to mitigate immediate security threats.

## Use Cases

### The developer needs to onboard a new service.
A backend developer runs into an issue because the staging microservice is missing necessary permissions. They prompt their agent: 'I need to create a client for the payments service and assign it read-only access.' The agent calls `create_client` and then uses tools like `list_roles` and `update_client` to secure the connection, all in one go.

### Security audit detects stale accounts.
A security admin finds a list of users who haven't logged in for months. They ask their agent to 'List all inactive user accounts older than 90 days and delete them.' The agent calls `list_users` and then executes multiple `delete_user` commands, completing the cleanup cycle.

### A key application is compromised.
The ops team realizes an entire segment of users' access might be at risk. They immediately instruct their agent to 'Force a global logout across all production realms.' The agent calls `logout_all_users`, mitigating the threat instantly without any manual intervention.

### Restructuring user teams.
The HR team requires that all members of the Marketing department be moved into a new group. An admin prompts: 'Create a group called "Mktg-V3" and add every user currently in the old Mktg group.' The agent handles `create_group` and updates membership via tools like `update_user`.

## Benefits

- You eliminate context switching. Instead of jumping between Keycloak's user list, group manager, and client config pages, you ask your agent to handle it all in one chat window.
- Instant security response. If you suspect a breach, calling `logout_all_users` through the MCP instantly terminates every active session across the entire realm—no manual work required.
- Never lose credentials again. With tools like `get_client_secret` and `regenerate_client_secret`, your agent retrieves or updates sensitive keys immediately upon request.
- Full audit trail visibility. Use `list_admin_events` to get a clean, natural language summary of who changed what and when across the entire security infrastructure.
- Efficient user lifecycle management. You can quickly call `create_user` or `delete_user`, ensuring accounts are provisioned or decommissioned exactly when needed.

## How It Works

The bottom line is that you get to run complex identity management tasks through conversation instead of console clicks or code deployments.

1. Subscribe to this MCP on Vinkius and provide your Keycloak Base URL along with a valid Admin Access Token.
2. Point your AI client (Claude, Cursor, or any compatible agent) to the newly connected Keycloak data stream.
3. Prompt your agent using natural language (for example, 'List all users in the staging realm and reset John Doe's password.') and watch it execute the necessary commands.

## Frequently Asked Questions

**How do I list all the environments available using Keycloak MCP?**
You use the `list_realms` tool. This command retrieves every active realm, letting you see exactly how many isolated security environments your instance manages.

**Can I reset a user's password with Keycloak MCP?**
Yes, you can use the `reset_user_password` tool. This lets you instantly reset any user's password without needing to know their current credentials or access the console.

**What is the difference between listing users and getting a user by ID using Keycloak MCP?**
The `list_users` tool provides an overview of all users in the realm. If you need specific, deep details about one person, you use the `get_user` tool with their unique identifier.

**How do I know who changed a setting last week using Keycloak MCP?**
You run `list_admin_events`. This tool gives you a comprehensive audit log, detailing administrative changes across the realm, including who made them and when.
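The audit question above ("who changed what, and when") is what the raw admin-event records answer once they are filtered and summarised. The script below is an added example, not code from the connector or from Keycloak: it assumes the JSON shape returned by the Keycloak Admin REST API admin-events endpoint (`time` in epoch milliseconds, `authDetails` with the acting `userId` and `ipAddress`, `operationType`, `resourceType`, `resourcePath`), restricts events to a seven-day window, counts changes per actor, and flags the operations a reviewer would want to look at first (deletions, realm-level changes, and `ACTION` events such as password resets). The events, user ids and addresses are constructed placeholders.

```python
"""Summarise Keycloak admin events: who changed what, and when.

Added example. The sample below mimics the JSON shape of Keycloak's admin
events (the data behind a `list_admin_events` style tool); all ids, IPs and
timestamps are constructed placeholders, not records from a real instance.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: five admin events across two actors; one (the CLIENT
# CREATE) is older than the review window and must be excluded.
SAMPLE_EVENTS_JSON = """
[
  {"time": 1700000000000, "realmId": "production-apps",
   "authDetails": {"realmId": "master", "clientId": "admin-cli",
                   "userId": "admin-id-placeholder", "ipAddress": "10.0.0.5"},
   "operationType": "UPDATE", "resourceType": "REALM", "resourcePath": ""},
  {"time": 1700300000000, "realmId": "production-apps",
   "authDetails": {"realmId": "master", "clientId": "admin-cli",
                   "userId": "ops-id-placeholder", "ipAddress": "10.0.0.9"},
   "operationType": "CREATE", "resourceType": "USER",
   "resourcePath": "users/user-id-placeholder-1"},
  {"time": 1700400000000, "realmId": "production-apps",
   "authDetails": {"realmId": "master", "clientId": "admin-cli",
                   "userId": "ops-id-placeholder", "ipAddress": "10.0.0.9"},
   "operationType": "DELETE", "resourceType": "USER",
   "resourcePath": "users/user-id-placeholder-2"},
  {"time": 1699800000000, "realmId": "production-apps",
   "authDetails": {"realmId": "master", "clientId": "admin-cli",
                   "userId": "admin-id-placeholder", "ipAddress": "10.0.0.5"},
   "operationType": "CREATE", "resourceType": "CLIENT",
   "resourcePath": "clients/client-id-placeholder"},
  {"time": 1700450000000, "realmId": "production-apps",
   "authDetails": {"realmId": "master", "clientId": "admin-cli",
                   "userId": "admin-id-placeholder", "ipAddress": "10.0.0.5"},
   "operationType": "ACTION", "resourceType": "USER",
   "resourcePath": "users/user-id-placeholder-1/reset-password"}
]
"""

# Fixed "now" so the seven-day window is deterministic (2023-11-21T00:00Z).
REFERENCE_END = datetime(2023, 11, 21, tzinfo=timezone.utc)


def parse_events(raw_json: str) -> list:
    """Decode events and attach a timezone-aware datetime, oldest first."""
    events = json.loads(raw_json)
    for event in events:
        event["when"] = datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc)
    return sorted(events, key=lambda e: e["time"])


def events_in_window(events: list, end: datetime, days: int = 7) -> list:
    """Keep only events with start <= time < end, where start = end - days."""
    start = end - timedelta(days=days)
    return [e for e in events if start <= e["when"] < end]


def is_high_risk(event: dict) -> bool:
    """Deletions, any realm-level change, and ACTION events (password resets
    and similar one-off operations) are the entries a reviewer checks first."""
    return (event["operationType"] == "DELETE"
            or event["resourceType"] == "REALM"
            or event["operationType"] == "ACTION")


def summarize(events: list) -> list:
    """One row per event: when, who (user id + source IP), what was changed."""
    rows = []
    for event in events:
        auth = event.get("authDetails", {})
        rows.append({
            "when": event["when"].isoformat(),
            "actor": auth.get("userId", "unknown"),
            "ip": auth.get("ipAddress", "unknown"),
            "operation": event["operationType"],
            "resource": event["resourceType"],
            "path": event.get("resourcePath", ""),
            "high_risk": is_high_risk(event),
        })
    return rows


def changes_by_actor(rows: list) -> Counter:
    """How many administrative changes each actor made in the window."""
    return Counter(row["actor"] for row in rows)


def build_report(raw_json: str = SAMPLE_EVENTS_JSON, end: datetime = REFERENCE_END) -> list:
    """Parse, filter to the window ending at `end`, and summarise."""
    return summarize(events_in_window(parse_events(raw_json), end))


def render(rows: list) -> str:
    """Plain-text audit listing; '!' marks high-risk entries."""
    lines = [f"{'!' if r['high_risk'] else ' '} {r['when']} {r['actor']} "
             f"({r['ip']}) {r['operation']} {r['resource']} {r['path']}"
             for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    report = build_report()
    print(render(report))
    print("changes per actor:", dict(changes_by_actor(report)))
```

On a live instance the JSON would come from the admin-events endpoint (admin event logging must be enabled in the realm's event settings for anything to be recorded); the filtering and flagging logic is unchanged.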

**Does Keycloak MCP help me add new roles to users?**
Yes. After defining the role using `create_role`, you can update user memberships or group settings, which effectively applies that new role to the target user.