Keycloak / KEYCLOAK-8957

Federated ID Login results in broken user accounts



    Status: NEW


      If the first IDP login of a user on a KC instance gets interrupted, the user will never be able to log in to this KC realm.

      We had an issue where our client would not follow the redirect to after-first-broker-login, so that endpoint was never executed.

      first-broker-login had already created a user, but without the IDP link, so subsequent logins ask the user to merge his account, which doesn't work either. The user is stuck in this dialog and won't be able to log in until the user account gets deleted on the KC side.

      The documentation of after-first-broker-login states that the Keycloak account has already been successfully linked/created:

      // Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created
          public Response afterFirstBrokerLogin(@QueryParam(LoginActionsService.SESSION_CODE) String code,...)

      but then, a few lines later in this very method:

                  // Add federated identity link here
                  FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(),
                          context.getUsername(), context.getToken());
                  session.users().addFederatedIdentity(realmModel, federatedUser, federatedIdentityModel);

      I would propose doing this linking in first-broker-login, or somewhere else, so that user account creation and linking with the IDP is atomic; otherwise clients that miss the call to after-first-broker-login due to connection issues won't be able to use the service until manual intervention by a KC admin.




            Assignee: Unassigned
            Reporter: Anton G. (ataraxus6sic6) (Inactive)
            Votes: 6
            Watchers: 10
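The "manual intervention of a KC admin" the report ends on can be scripted. The following is an added example, not code from the issue or from the Keycloak project: it finds users that exist in the realm but carry no federated identity link for the broker (the state left behind when first-broker-login created the account and after-first-broker-login never ran), and builds the Admin REST calls that either add the missing link or delete the half-created account. It assumes the standard Keycloak Admin REST endpoints under /admin/realms/{realm}/users and a bearer token obtained separately; IDP_ALIAS, REALM, the IdP rollout timestamp and the sample users are constructed for illustration.

```python
"""Find Keycloak users left without a federated identity link (first-broker-login
created the account, but the client never reached after-first-broker-login, so
addFederatedIdentity never ran) and build the Admin REST calls that repair them.

Added example, not code from the issue or from Keycloak. It assumes the standard
Keycloak Admin REST endpoints under /admin/realms/{realm}/users and a bearer
token obtained separately; IDP_ALIAS, REALM and the sample data are constructed.
"""
import json
import urllib.request
from typing import Dict, List, Optional

IDP_ALIAS = "corp-idp"   # assumed identity provider alias
REALM = "demo"           # assumed realm name


def find_unlinked_users(users: List[dict], links_by_user_id: Dict[str, List[dict]],
                        idp_alias: str, created_after_ms: int = 0) -> List[dict]:
    """Return users created at or after `created_after_ms` (epoch millis, the
    UserRepresentation.createdTimestamp field) that have no
    FederatedIdentityRepresentation for `idp_alias`.

    The time window matters: local accounts such as an admin user also have no
    broker link and must not be mistaken for broken broker accounts."""
    orphans = []
    for user in users:
        if user.get("createdTimestamp", 0) < created_after_ms:
            continue
        links = links_by_user_id.get(user["id"], [])
        if not any(link.get("identityProvider") == idp_alias for link in links):
            orphans.append(user)
    return orphans


def link_request(realm: str, user: dict, idp_alias: str, idp_user_id: str,
                 idp_username: Optional[str] = None) -> dict:
    """Admin REST call that adds the missing link, i.e. what afterFirstBrokerLogin
    would have done: POST /admin/realms/{realm}/users/{id}/federated-identity/{provider}
    with a FederatedIdentityRepresentation body. Needs the IdP-side user id."""
    return {
        "method": "POST",
        "path": f"/admin/realms/{realm}/users/{user['id']}/federated-identity/{idp_alias}",
        "body": {"identityProvider": idp_alias, "userId": idp_user_id,
                 "userName": idp_username or user["username"]},
    }


def delete_request(realm: str, user: dict) -> dict:
    """The remediation named in the issue: delete the half-created account so the
    next broker login can create and link it again."""
    return {"method": "DELETE", "path": f"/admin/realms/{realm}/users/{user['id']}", "body": None}


class AdminClient:
    """Minimal Admin REST wrapper. Obtaining `token` (e.g. a client-credentials
    grant against /realms/master/protocol/openid-connect/token) is out of scope."""

    def __init__(self, base_url: str, token: str):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def call(self, method: str, path: str, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Authorization": "Bearer " + self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None   # DELETE/POST answer 204 with no body

    def users(self, realm: str) -> List[dict]:
        return self.call("GET", f"/admin/realms/{realm}/users?max=1000") or []

    def federated_identities(self, realm: str, user_id: str) -> List[dict]:
        return self.call("GET", f"/admin/realms/{realm}/users/{user_id}/federated-identity") or []


# Constructed sample data: alice completed the flow, bob was interrupted after
# first-broker-login, admin is a local account that predates the IdP rollout.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "createdTimestamp": 1_540_000_000_000},
    {"id": "u2", "username": "bob", "createdTimestamp": 1_540_000_100_000},
    {"id": "u3", "username": "admin", "createdTimestamp": 1_500_000_000_000},
]
SAMPLE_LINKS = {
    "u1": [{"identityProvider": IDP_ALIAS, "userId": "idp-1001", "userName": "alice"}],
    "u2": [],
    "u3": [],
}
IDP_ROLLOUT_MS = 1_540_000_000_000   # assumed: when the broker went live


def plan_repairs(users, links_by_user_id, idp_alias, created_after_ms, realm) -> List[dict]:
    """Dry run: one DELETE request per orphaned broker account."""
    return [delete_request(realm, u)
            for u in find_unlinked_users(users, links_by_user_id, idp_alias, created_after_ms)]


if __name__ == "__main__":
    # Offline dry run on the sample data; against a live server build `users` and
    # the links map from AdminClient.users() / federated_identities() instead.
    for req in plan_repairs(SAMPLE_USERS, SAMPLE_LINKS, IDP_ALIAS, IDP_ROLLOUT_MS, REALM):
        print(req["method"], req["path"])
```

Prefer `link_request` over `delete_request` when the IdP-side user id is known (for example from the IdP's own logs), since it preserves any roles or attributes already assigned to the account; deletion is the fallback the report describes and should be reviewed as a dry run before it is sent through `AdminClient.call`.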