Hi Keycloak community,
I have Keycloak server 5.0.0 configured to have a custom oidc identity provider as only authentication option. This setup seemed to work until I got a bug report from a user getting an “invalid username or password” page. Due to the server log this is caused by an AuthenticationFlowException thrown in AuthenticationProcesseor::authenticateOnly because the authenticated user is not found.
After some research, I found out that this error shows up for user accounts without an idp link (FederatedIdentity entity), which is strange because this link should be made on first broker login. It turns out that these users have closed their browser/tab during the very first broker login process, so that the /after-first-broker-login path is never reached and the FederatedIdentity is not created (but the User entity is created). The next time the user authenticates, he gets the error described above.
I was wondering if anyone has experienced this issue before or knows a solution for this. Should this be reported as a bug?
Note that I have hundreds of these “corrupted” users in the realm. This realm secures a quite slow web application that is loaded in a webview whithin a mobile app, causing users to close this webview when the loading takes 5+ seconds.
Regards,
Jens