If the first IDP login of a user on a KC instance gets interrupted, the user won't ever be able to log in to this KC realm.
We did have an issue where our client would not follow the redirection to after-first-broker-login.
first-broker-login had already created a user, but without the IDP link, so subsequent logins ask the user to merge his account, which doesn't work either. The user is stuck in this dialog and won't be able to log in until the user account gets deleted on the KC side.
The documentation of after-first-broker-login states that "Keycloak account is successfully linked/created" was already done:
but then a few lines later in this very method:
I would propose doing this linking in first-broker-login or somewhere else, so that user account creation and linking with the IDP is atomic; otherwise clients missing the call to after-first-broker-login due to connection issues won't be able to use the service until manual intervention by a KC admin.
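As an added illustration (not code from this issue or from Keycloak itself), here is an admin-side check that lists realm users carrying no federated-identity link, which is the state the stuck accounts described above end up in. It assumes the Keycloak admin REST endpoints GET /admin/realms/{realm}/users and .../users/{id}/federated-identity plus a bearer token from an admin account; genuine local accounts match as well, so the output is a review list for an admin, not an automatic cleanup.

```python
"""List realm users without any federated-identity link (assumed Keycloak admin REST API)."""
import json
import urllib.request

# Constructed sample data, shaped like the admin API's UserRepresentation and
# FederatedIdentityRepresentation objects.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "createdTimestamp": 1700000000000},
    {"id": "u2", "username": "bob", "createdTimestamp": 1700000100000},
    {"id": "u3", "username": "local-admin", "createdTimestamp": 1600000000000},
]
SAMPLE_LINKS = {
    "u1": [{"identityProvider": "corp-saml", "userId": "alice@corp", "userName": "alice"}],
    "u2": [],  # created by first-broker-login, but the IDP link was never written
    "u3": [],  # a genuine local account also matches, hence the result needs review
}


def unlinked_users(users, links_by_user):
    """Return usernames of users with no federated-identity link, oldest account first."""
    found = [u for u in users if not links_by_user.get(u["id"])]
    found.sort(key=lambda u: u.get("createdTimestamp", 0))
    return [u["username"] for u in found]


def admin_get(base_url, token, path):
    """GET a JSON resource below /admin/realms/ using an admin bearer token (assumed endpoint layout)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{path}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_unlinked(base_url, realm, token):
    """Live variant: pull users and their links from the admin API, then apply the same check."""
    users = admin_get(base_url, token, f"{realm}/users?max=1000&briefRepresentation=true")
    links = {
        u["id"]: admin_get(base_url, token, f"{realm}/users/{u['id']}/federated-identity")
        for u in users
    }
    return unlinked_users(users, links)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_unlinked(...) against a real realm.
    print(unlinked_users(SAMPLE_USERS, SAMPLE_LINKS))
```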