
Federated ID Login results in broken user accounts

    Details

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      If the first IDP login of a user on a KC instance gets interrupted, the user will never be able to log in to this KC Realm.

      We had an issue where our client would not follow the redirect to after-first-broker-login:

      http://10.63.21.108:8092/auth/realms/local/broker/cas/endpoint?state=xxx&ticket=xxx
      http://10.63.21.108:8092/auth/realms/local/login-actions/first-broker-login?client_id=xxx&tab_id=UAraHZPxSaI
      // not executed
      http://10.63.21.108:8092/auth/realms/local/broker/after-first-broker-login?session_code=xxx&tab_id=UAraHZPxSaI
      
      

      first-broker-login had already created a user, but without IDP linking, so subsequent logins will ask the user to merge his account, which doesn't work either. The user will be stuck in this dialog and won't be able to log in until the user account gets deleted on the KC side.

      The documentation of after-first-broker-login states that linking/creating the Keycloak account has already been done:

      // Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created
      @GET
      @NoCache
      @Path("/after-first-broker-login")
      public Response afterFirstBrokerLogin(@QueryParam(LoginActionsService.SESSION_CODE) String code,...)
      

      but then, a few lines later in this very method:

      // Add federated identity link here
      FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(),
              context.getUsername(), context.getToken());
      session.users().addFederatedIdentity(realmModel, federatedUser, federatedIdentityModel);
      

      I would propose doing this linking in first-broker-login or somewhere else, so that user account creation and linking with the IDP are atomic; otherwise, clients that miss the call to after-first-broker-login due to connection issues won't be able to use the service until manual intervention by a KC admin.
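The failure mode in this report, as an added toy model that is not Keycloak code: an in-memory user store (the `UserStore`, `FederatedIdentity` and flow functions are hypothetical names chosen for the example), the two-step flow where account creation and federated-identity linking happen in separate requests, and an alternative where both are committed as one unit of work with rollback. A second login is then classified the way the reporter describes: linked accounts log in, an unlinked account with the same username triggers the merge dialog.

```python
"""Toy model of a broker first login: two-step (create, then link on a
separate callback) versus atomic (create and link together).
Added example, not Keycloak source; all names are hypothetical."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ClientDroppedConnection(Exception):
    """The client never followed the redirect to after-first-broker-login."""


@dataclass(frozen=True)
class FederatedIdentity:
    idp_alias: str     # e.g. "cas"
    external_id: str   # subject identifier at the IdP
    username: str      # username reported by the IdP


@dataclass
class User:
    username: str
    links: List[FederatedIdentity] = field(default_factory=list)


class UserStore:
    """Constructed in-memory stand-in for the realm's user storage."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add_user(self, username: str) -> User:
        if username in self.users:
            raise ValueError(f"user {username!r} already exists")
        user = User(username)
        self.users[username] = user
        return user

    def remove_user(self, username: str) -> None:
        self.users.pop(username, None)

    def add_federated_identity(self, user: User, link: FederatedIdentity) -> None:
        user.links.append(link)

    def find_by_link(self, idp_alias: str, external_id: str) -> Optional[User]:
        for user in self.users.values():
            if any(l.idp_alias == idp_alias and l.external_id == external_id
                   for l in user.links):
                return user
        return None


def two_step_first_login(store: UserStore, link: FederatedIdentity,
                         client_follows_redirect: bool) -> User:
    """Reported behaviour: the account is created in one request and the
    link is only added when the client reaches the follow-up endpoint."""
    user = store.add_user(link.username)            # first-broker-login
    if not client_follows_redirect:
        raise ClientDroppedConnection(link.username)  # callback never arrives
    store.add_federated_identity(user, link)        # after-first-broker-login
    return user


def atomic_first_login(store: UserStore, link: FederatedIdentity,
                       client_follows_redirect: bool) -> User:
    """Proposed behaviour: create and link in one unit of work; if linking
    fails the account is rolled back so no unlinked orphan remains."""
    user = store.add_user(link.username)
    try:
        store.add_federated_identity(user, link)    # same step as creation
    except Exception:
        store.remove_user(link.username)            # roll back, retry starts clean
        raise
    if not client_follows_redirect:
        raise ClientDroppedConnection(link.username)  # link already persisted
    return user


def subsequent_login(store: UserStore, link: FederatedIdentity) -> str:
    """What the next broker login sees for this federated identity."""
    if store.find_by_link(link.idp_alias, link.external_id) is not None:
        return "logged-in"
    if link.username in store.users:
        return "merge-required"   # the dialog the report describes
    return "first-login"


def run_scenario(flow, client_follows_redirect: bool = False) -> str:
    """Run one first login with the given flow, then report the outcome of
    a second login for the same identity."""
    store = UserStore()
    link = FederatedIdentity("cas", "subject-42", "alice")  # constructed sample
    try:
        flow(store, link, client_follows_redirect)
    except ClientDroppedConnection:
        pass  # the interrupted redirect from the report
    return subsequent_login(store, link)


if __name__ == "__main__":
    print("two-step, redirect dropped:", run_scenario(two_step_first_login))
    print("atomic,   redirect dropped:", run_scenario(atomic_first_login))
```

With the redirect dropped, the two-step flow leaves `alice` in the store with no federated identity, so the next login lands in the merge dialog; the atomic flow has already persisted the link before any redirect is needed, so the next login succeeds.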

      People

      • Assignee:
        Unassigned
      • Reporter:
        ataraxus Anton G
      • Votes:
        1
      • Watchers:
        3