Closing browser during first broker login causes missing idp link

Hi Keycloak community,

I have Keycloak server 5.0.0 configured to have a custom oidc identity provider as only authentication option. This setup seemed to work until I got a bug report from a user getting an “invalid username or password” page. Due to the server log this is caused by an AuthenticationFlowException thrown in AuthenticationProcesseor::authenticateOnly because the authenticated user is not found.

After some research, I found out that this error shows up for user accounts without an idp link (FederatedIdentity entity), which is strange because this link should be made on first broker login. It turns out that these users have closed their browser/tab during the very first broker login process, so that the /after-first-broker-login path is never reached and the FederatedIdentity is not created (but the User entity is created). The next time the user authenticates, he gets the error described above.

I was wondering if anyone has experienced this issue before or knows a solution for this. Should this be reported as a bug?

Note that I have hundreds of these “corrupted” users in the realm. This realm secures a quite slow web application that is loaded in a webview whithin a mobile app, causing users to close this webview when the loading takes 5+ seconds.

Regards,
Jens

1 Like

You’re using an older version of Keycloak.

Have you checked the release notes if this was not already fixed if this is a bug?
Check also https://issues.redhat.com/projects/KEYCLOAK/issues/ if there isn’t already a mention about this.

Maybe this is one of them.
https://issues.redhat.com/browse/KEYCLOAK-8957
or
https://issues.redhat.com/browse/KEYCLOAK-8957?jql=project%20%3D%20KEYCLOAK%20AND%20resolution%20%3D%20Unresolved%20AND%20text%20~%20"idp%20link"%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC

Thanks for your answer zonaut. This issue describes the same problem indeed. Since it is not fixed yet, I’ll have to think about a workaround. My first thought would be using database triggers.