Keycloak MCP Server

MCP server for Keycloak — the leading open-source Identity and Access Management (IAM) platform — enabling AI agents to manage Keycloak realms, users, roles, clients, and authentication flows. Allows agents to automate identity management tasks: creating users, assigning roles, configuring OAuth clients, managing realm settings, and querying authentication policies.

Evaluated Mar 06, 2026 (version: current)
Tags: Security, keycloak, identity, oauth, sso, mcp-server, iam, authentication, authorization, redhat
⚙ Agent Friendliness: 74 / 100 (Can an agent use this?)
🔒 Security: 86 / 100 (Is it safe for agents?)
⚡ Reliability: 71 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 70
Documentation: 72
Error Messages: 70
Auth Simplicity: 80
Rate Limits: 80

🔒 Security

TLS Enforcement: 92
Auth Strength: 88
Scope Granularity: 85
Dep. Hygiene: 78
Secret Handling: 82

This server gives agents admin access to identity infrastructure, so the credentials it holds are extremely sensitive. Require human approval for any identity changes, and use minimal-scope service accounts. Keycloak is self-hosted, so securing the deployment is your responsibility.

⚡ Reliability

Uptime/SLA: 72
Version Stability: 72
Breaking Changes: 70
Error Recovery: 70

Best When

An organization running Keycloak for IAM wants AI agents to assist with user management, role configuration, and realm administration — particularly for automating repetitive identity management tasks.

Avoid When

You use commercial IAM providers (Okta, Auth0, Azure AD) — each has its own management API. Only relevant for Keycloak/Red Hat SSO deployments.

Use Cases

  • Managing Keycloak users and role assignments from user administration agents
  • Configuring OAuth clients and authentication flows from DevOps agents
  • Auditing realm security settings and user permissions from security assessment agents
  • Automating Keycloak configuration for new environments from infrastructure agents
  • Querying user authentication status from incident response agents

Not For

  • Teams using Auth0, Okta, or other commercial identity providers (different MCPs needed)
  • Production IAM changes without human review (identity changes have security implications)
  • Organizations not running Keycloak (requires self-hosted or Red Hat SSO)

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: Yes
SDK: No
Webhooks: No

Authentication

Methods: oauth
OAuth: Yes Scopes: Yes

Keycloak admin credentials are required (master realm admin or per-realm admin), using either the client credentials flow or the username/password flow. Configure KEYCLOAK_URL, KEYCLOAK_REALM, and the admin credentials.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Keycloak is free and open source (Apache 2.0). Red Hat SSO (commercial version) has subscription pricing. The MCP server is free and open source, from sshaaf (Red Hat developer).

Agent Metadata

Pagination: page
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • CRITICAL SECURITY: Identity changes (user creation, role assignment) have production security implications — require human review
  • Keycloak admin credentials have full realm control — use dedicated service accounts with minimal permissions
  • Keycloak REST API behavior varies between versions (18, 19, 20+) — test with your exact version
  • From sshaaf (Red Hat developer) — good quality with Red Hat Keycloak expertise

Scores are editorial opinions as of 2026-03-06.
