loading…
Search for a command to run...
loading…
An MCP server that enables AI assistants to navigate, search, and analyze local Keycloak source code to support developer customizations like SPIs and authentic
An MCP server that enables AI assistants to navigate, search, and analyze local Keycloak source code to support developer customizations like SPIs and authenticators. It provides tools for searching classes, generating boilerplate code, detecting breaking changes between versions, and tracing dependencies.
An MCP (Model Context Protocol) server that allows AI assistants to navigate and understand Keycloak source code locally. Built for developers creating Keycloak customizations — SPIs, Authenticators, Required Actions, Token Handlers, User Policies, and more.
rg) recommended for fast search — falls back to grep if not installedNo installation needed — just configure your MCP client:
{
"mcpServers": {
"keycloak-source": {
"command": "npx",
"args": ["-y", "keycloak-source-mcp"],
"env": {
"KEYCLOAK_SOURCE_PATH": "/absolute/path/to/your/keycloak/source"
}
}
}
}
git clone https://github.com/keycloak/keycloak.git
# macOS
brew install ripgrep
# Ubuntu/Debian
sudo apt install ripgrep
# Windows
choco install ripgrep
Set the KEYCLOAK_SOURCE_PATH environment variable to point to your local Keycloak source checkout:
export KEYCLOAK_SOURCE_PATH=/path/to/keycloak
Search for a Java class or interface by name.
> search_class("AuthenticationProcessor")
Search results for class: "AuthenticationProcessor"
services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java
Package: org.keycloak.authentication
public class AuthenticationProcessor {
Get the full source code of a Java class.
> get_class_source("services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java")
File: services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java
============================================================
package org.keycloak.authentication;
...
Find all classes that implement a given interface or extend a given class.
> find_interface_implementors("Authenticator")
Implementors/subclasses of: "Authenticator"
services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java:25
public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator implements Authenticator
...
List SPI definitions from META-INF/services files.
> search_spi_definitions("Authenticator")
SPI Definitions (filter: "Authenticator")
============================================================
Found 2 SPI definition(s):
SPI Interface: org.keycloak.authentication.AuthenticatorFactory
File: services/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
Implementations:
- org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory
...
Full-text regex search across the entire codebase.
> grep_source("@AutoService", "*.java", 10)
Search results for: "@AutoService" (files: *.java)
server-spi/src/main/java/org/keycloak/provider/Spi.java:3:import com.google.auto.service.AutoService;
...
The primary tool for understanding Keycloak internals. Accepts natural language queries about features or specific class names. Orchestrates deep source analysis including class hierarchies, interface method signatures, SPI extension points, implementations, and dependencies.
Topic query — conceptual overview:
> explain_implementation("authentication flow")
Keycloak Implementation Analysis: "authentication flow"
============================================================
Key Classes
----------------------------------------
AuthenticationProcessor
File: services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java
Processes authentication flow executions
Key methods: authenticate, attachSession, ...
Main Interfaces
----------------------------------------
Authenticator
File: server-spi/src/main/java/org/keycloak/authentication/Authenticator.java
An authenticator is responsible for authenticating a user in the context of an authentication flow.
Methods:
- void authenticate(AuthenticationFlowContext context) — Called to authenticate a user
- void action(AuthenticationFlowContext context) — Called after a form action has been submitted
- boolean requiresUser() — Does this authenticator require the user to already be identified?
...
Default Implementations
----------------------------------------
UsernamePasswordForm implements Authenticator
File: services/src/main/java/org/.../UsernamePasswordForm.java
Username/password form authenticator implementation
SPI Extension Points
----------------------------------------
META-INF service: org.keycloak.authentication.AuthenticatorFactory
Registered providers:
- org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory
...
Class query — deep analysis of a specific class:
> explain_implementation("UsernamePasswordForm")
Deep Analysis: UsernamePasswordForm
============================================================
Overview
----------------------------------------
File: services/src/main/java/org/.../UsernamePasswordForm.java
Package: org.keycloak.authentication.authenticators
Extends: AbstractUsernameFormAuthenticator
Username/password form authenticator implementation.
Methods
----------------------------------------
void authenticate(AuthenticationFlowContext context)
void action(AuthenticationFlowContext context)
...
Interface / Superclass Hierarchy
----------------------------------------
AbstractUsernameFormAuthenticator
Abstract base class for authenticators that use a username form
Implements: Authenticator
Methods: validateUser, requiresUser, close
Known Implementors / Subclasses
----------------------------------------
(none — this is a concrete class)
Keycloak Dependencies
----------------------------------------
org.keycloak.authentication.AuthenticationFlowContext
org.keycloak.models.KeycloakSession
...
Full Source
----------------------------------------
(complete source code)
Compare Keycloak SPI interfaces between two source versions to detect breaking changes.
fromVersion, toVersion, optionally interfaceNames, sourcePathV1, sourcePathV2> detect_breaking_changes("24.0.0", "26.0.0", ["Authenticator", "AuthenticatorFactory"])
Trace what a Keycloak class depends on and what depends on it — understand the blast radius.
className, direction (upstream/downstream/both), optionally depth> trace_dependencies("AuthenticationProcessor", "both", 2)
Connect to a running Keycloak instance and perform administrative queries.
action (list_realms, list_flows, list_clients, list_providers, get_realm_settings), optionally realmKEYCLOAK_ADMIN_URL, KEYCLOAK_ADMIN_USERNAME, KEYCLOAK_ADMIN_PASSWORD, optionally KEYCLOAK_ADMIN_REALM, KEYCLOAK_ADMIN_CLIENT_ID> keycloak_admin("list_flows", "master")
Analyze your custom SPI implementations and detect compatibility issues when upgrading Keycloak.
customSourcePath, targetKeycloakVersion, optionally currentKeycloakSourcePath> upgrade_assistant("/projects/my-keycloak-spi", "26.0.0")
Visualize a Keycloak authentication flow as a Mermaid flowchart diagram from a realm export or plain English description.
source (realm_export or description), realmExportPath, flowName, description> visualize_auth_flow("realm_export", "/tmp/realm-export.json", "browser")
> visualize_auth_flow("description", undefined, undefined, "First cookie SSO, then username/password (required), then OTP (conditional)")
Check Keycloak's GitHub security advisories for known CVEs affecting a specific version.
keycloakVersion, optionally severity (all/critical/high/medium/low)> check_security_advisories("24.0.3", "critical")
Connect to a locally running Keycloak instance for real-time development assistance. Works with Docker, IDELauncher, or Maven — see what providers are loaded, trace authentication flows through logs, validate SPI registration, and inspect the running configuration.
Start Keycloak (Docker is the simplest option):
docker run -p 8080:8080 \
-e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
-e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
quay.io/keycloak/keycloak:latest start-dev
Then set these env vars in your MCP client config:
KC_DEV_URL=http://localhost:8080
KC_DEV_ADMIN_USERNAME=admin
KC_DEV_ADMIN_PASSWORD=admin
KC_DEV_LOG_PATH=/tmp/keycloak.log # optional, enables log analysis
Then ask: "Use connect_dev_instance to check my Keycloak setup"
| Tool | Description |
|---|---|
connect_dev_instance |
Test connection, show version info and custom providers |
get_loaded_providers |
List all runtime SPI providers with source correlation |
analyze_logs |
Parse and analyze Keycloak log entries |
trace_authentication_flow |
Guide through tracing an auth flow |
validate_spi_registration |
Check custom SPI setup for common mistakes |
get_dev_instance_config |
Show active configuration filtered by prefix |
You: "Check if my Keycloak is running and show custom providers" AI: 🟢 Keycloak 26.0.1 connected. 2 custom providers found — SmsSenderAuthenticatorFactory (✅ source found), AuditEventListener (⚠️ source not found)
You: "My SMS authenticator isn't working. Analyze the last 500 log lines" AI: Found 1 ERROR: AuthenticationFlowException at AuthenticationProcessor.java:456. Auth flow: cookie→skip, username-password→success, sms-auth→failure.
You: "Validate my SMS authenticator SPI registration" AI: ✅ Factory source found, ✅ META-INF/services entry present, ✅ Provider loaded at runtime. Registration looks correct — the issue is in the authenticator logic, not registration.
For comprehensive documentation, see docs/live-dev-intelligence.md.
Add this to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
"mcpServers": {
"keycloak-source": {
"command": "npx",
"args": ["-y", "keycloak-source-mcp"],
"env": {
"KEYCLOAK_SOURCE_PATH": "/absolute/path/to/your/keycloak/source"
}
}
}
}
"How does Keycloak handle authentication flows?"
Use explain_implementation("authentication flow") — returns key classes, interface method signatures, default implementations, and SPI extension points in a single call.
"I want to build a custom Authenticator SPI"
Use explain_implementation("Authenticator") to get the full interface contract with method javadocs, known implementors, and SPI registration. Then explain_implementation("UsernamePasswordForm") to study a concrete example with full source.
"Where is the token refresh logic?"
Use explain_implementation("token refresh") to find the relevant classes, interfaces, and SPI extension points.
"Show me how Required Actions work"
Use explain_implementation("required action") to discover key interfaces with method signatures, or explain_implementation("RequiredActionProvider") for a deep dive into the interface itself.
npm install
npm run build
npm start
Potential future tools:
MIT
Добавь это в claude_desktop_config.json и перезапусти Claude Desktop.
{
"mcpServers": {
"keycloak-source-mcp": {
"command": "npx",
"args": []
}
}
}PRs, issues, code search, CI status
Database, auth and storage
Reference / test server with prompts, resources, and tools.
Secure file operations with configurable access controls.