Account linking with Keycloak

Hello to all,
I am trying to configure our own Authorization server based on Keycloak. At the moment I have a problem with “Account linking”. I want to integrate Keycloak with external Identity Providers (custom, not social) but do not want to provide an option to login via these Identity providers. As a result, an existing user account can be linked to different external IDPs. So, a single account (on our side, managed by Keycloak) can be linked with many different external identity providers.

We have provided a REST API (based on .Net Core) that generates the broker URI on the server-side instead of the client. So, the client just needs to call the REST API, which returns the properly formatted URI. On the client-side I do something like this: window.location.replace(accountLinkUri). This calls the Keycloak broker, which should redirect us to the identity provider. On our side, I think, we met all the required preconditions:
- The desired identity provider must be configured and enabled for the user’s realm in the admin console.
- The user account must already be logged in as an existing user via the OIDC protocol.
- The user must have an account.manage-account or account.manage-account-links role mapping.
- The application must be granted the scope for those roles within its access token.
- The application must have access to its access token as it needs information within it to generate the redirect URL.

But instead of being redirected to the login page of the identity provider, we get this error: I have tried to construct the final URI on the client-side only, without backend involvement, but got the same error.

I am using Keycloak version 8.0.1. I think the problem I face is mostly connected to configuration or user session management. Keycloak is very particular about how you create the “hash”.

I would be grateful for any useful information or help.

Thank you in advance!

I successfully managed the issue. An obvious step had been missed. As soon as I switched to SSL, this solved my problem.