Keycloak MCP Server
12 MCP tools for Keycloak identity management — users, roles, realms, clients, and groups in the FAS realm.
Overview
The Keycloak MCP Server provides 12 tools for querying and managing identities in the platform’s Keycloak instance. It integrates with the FAS (Federal Authentication Service) realm, which is the primary identity realm for the Federal Frontier Platform. Operators can use Compass chat to look up users, list role assignments, inspect client configurations, and manage groups.
| Property | Value |
|---|---|
| Port | 50057 |
| Transport | JSON-RPC at /jsonrpc |
| Namespace | f3iai |
Users
| Tool | Description |
|---|---|
| keycloak_list_users | List users in a realm, with optional search by username, email, or name |
| keycloak_get_user | Get detailed user information including attributes and federation links |
| keycloak_get_user_roles | List all realm and client roles assigned to a user |
| keycloak_get_user_groups | List groups a user belongs to |
Roles
| Tool | Description |
|---|---|
| keycloak_list_roles | List all realm-level roles |
| keycloak_get_role | Get details of a specific role including its composite roles |
| keycloak_get_role_members | List users assigned to a specific role |
Realms
| Tool | Description |
|---|---|
| keycloak_list_realms | List all configured realms |
| keycloak_get_realm | Get configuration details of a specific realm |
Clients
| Tool | Description |
|---|---|
| keycloak_list_clients | List all clients (applications) registered in a realm |
| keycloak_get_client | Get detailed client configuration (redirect URIs, scopes, protocol mappers) |
Groups
| Tool | Description |
|---|---|
| keycloak_list_groups | List all groups in a realm, with nested subgroup hierarchy |
Common Use Cases
- “List users in the FAS realm” — calls keycloak_list_users scoped to FAS
- “What roles does user jdoe have?” — calls keycloak_get_user_roles
- “Show me all clients in the FAS realm” — calls keycloak_list_clients
- “Who has the admin role?” — calls keycloak_get_role_members
- “What groups exist?” — calls keycloak_list_groups
Authentication
The server authenticates to Keycloak using a service account with the realm-management client role:
| Environment Variable | Description |
|---|---|
| KEYCLOAK_URL | Keycloak base URL |
| KEYCLOAK_REALM | Target realm (default: FAS) |
| KEYCLOAK_CLIENT_ID | Service account client ID |
| KEYCLOAK_CLIENT_SECRET | Service account client secret |
Health Endpoints
| Endpoint | Purpose |
|---|---|
| /health | Liveness — process is running |
| /ready | Readiness — can authenticate to Keycloak |
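
The sketch below shows how a service account configured through the environment variables above can be checked against Keycloak's standard OpenID Connect token endpoint with the client-credentials grant, which is what "can authenticate to Keycloak" amounts to for a readiness probe. It is an added example, not the server's own code; the function names and the HTTPS requirement are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request

REQUIRED = ("KEYCLOAK_URL", "KEYCLOAK_CLIENT_ID", "KEYCLOAK_CLIENT_SECRET")


def build_token_request(env):
    """Build the client-credentials token request for the service account."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing settings: " + ", ".join(missing))
    base = env["KEYCLOAK_URL"].rstrip("/")
    if not base.startswith("https://"):
        # Assumption of this example: the client secret travels in the
        # request body, so plaintext HTTP is refused.
        raise ValueError("KEYCLOAK_URL must use https")
    # KEYCLOAK_REALM defaults to FAS, as in the table above.
    realm = urllib.parse.quote(env.get("KEYCLOAK_REALM") or "FAS", safe="")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": env["KEYCLOAK_CLIENT_ID"],
        "client_secret": env["KEYCLOAK_CLIENT_SECRET"],
    }).encode()
    return urllib.request.Request(
        f"{base}/realms/{realm}/protocol/openid-connect/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def can_authenticate(env, send=urllib.request.urlopen):
    """Return True only if Keycloak issues an access token.

    `send` is injectable so the check can be exercised without a network.
    Bad configuration, connection errors, HTTP errors and malformed
    responses all count as "not ready"; the secret is never logged.
    """
    try:
        with send(build_token_request(env), timeout=5) as resp:
            payload = json.load(resp)
    except (OSError, ValueError):
        return False
    return isinstance(payload, dict) and bool(payload.get("access_token"))
```

Call `can_authenticate(os.environ)` from the process that holds the service account settings; a `False` result does not distinguish a wrong secret from an unreachable Keycloak, so the caller should log the failure class separately if it needs that detail.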