Enabling account linking with External Token Exchange

Hi, I’m investigating using the token exchange mechanism to provide in-game SSO for a cross-platform title. The player can sign in with, e.g., Xbox Live on their console, which gives us a token that we can exchange.

The slight complication is that we have been using KeyCloak for a few years for our website and forums and already have many thousands of registered users, so the following notice in the docs is very concerning:

The current limitation on external token exchanges is that if the external token maps to an existing user an exchange will not be allowed unless the existing user already has an account link to the external identity provider.

I need to know if/how this limitation can be lifted, otherwise we’re likely to see a lot of failed sign-in attempts from players who use the same email address for Xbox live as they already use for our forums & website.

Is it something that requires a change to the core codebase, or something that we can fix with a setting/SPI etc?

Did you find an answer, or maybe somebody else? We are running into a similar issue currently.

We did, but we didn’t use token exchange. It would have required changes to the core codebase, which the KeyCloak team was reluctant to accept on security/privacy grounds.

Instead, we found that both Xbox Live and PlayStation Network implemented enough of the OpenID Connect protocol to enable us to use custom Identity Provider SPIs.

We were able to copy the Microsoft Identity Provider from the core codebase and modify it to create two new providers which handled XBL and PSN.
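The approach described in the post above, as an added illustration that is not the poster's code or Keycloak's own Microsoft provider: a minimal social identity provider plus its factory, in the same shape as the built-in OAuth2/OIDC providers. The endpoint URLs, the provider id "xbl", the JSON field names and the scope string are placeholders (assumptions); substitute the values from the Xbox Live or PSN developer documentation. It assumes a Keycloak release where `BrokeredIdentityContext` takes a single id argument (newer releases also accept the provider model).

```java
// Added example, not from the original thread. Placeholder endpoints and field
// names are marked as assumptions below.
package com.example.keycloak.xbl;

import com.fasterxml.jackson.databind.JsonNode;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;

public class XblIdentityProvider extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig>
        implements SocialIdentityProvider<OAuth2IdentityProviderConfig> {

    // Assumption: placeholder endpoints, replace with the provider's documented values.
    public static final String AUTH_URL = "https://idp.example.invalid/oauth2/authorize";
    public static final String TOKEN_URL = "https://idp.example.invalid/oauth2/token";
    public static final String PROFILE_URL = "https://idp.example.invalid/userinfo";
    public static final String DEFAULT_SCOPE = "openid profile email";

    public XblIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
        super(session, config);
        config.setAuthorizationUrl(AUTH_URL);
        config.setTokenUrl(TOKEN_URL);
        config.setUserInfoUrl(PROFILE_URL);
    }

    @Override
    protected String getDefaultScopes() {
        return DEFAULT_SCOPE;
    }

    // Keycloak calls this with the provider's access token, both after the normal
    // browser flow and when an external token is handed in via token exchange.
    // The userinfo round trip is what rejects a forged or expired token, so do
    // not short-circuit it.
    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        try {
            JsonNode profile = SimpleHttp.doGet(PROFILE_URL, session)
                    .header("Authorization", "Bearer " + accessToken)
                    .asJson();

            // Assumption: field names. Link on the provider's stable subject id,
            // never on the email address, which the player can change or reuse.
            String id = getJsonProperty(profile, "sub");
            if (id == null || id.isEmpty()) {
                throw new IdentityBrokerException("No stable subject id in provider profile");
            }
            BrokeredIdentityContext user = new BrokeredIdentityContext(id);
            user.setUsername(getJsonProperty(profile, "preferred_username"));
            user.setEmail(getJsonProperty(profile, "email"));
            user.setIdpConfig(getConfig());
            user.setIdp(this);
            // Keep the raw profile so attribute mappers configured in the admin console can read it.
            AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, getConfig().getAlias());
            return user;
        } catch (IdentityBrokerException e) {
            throw e;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from provider", e);
        }
    }
}

// The factory registers the provider under a new id so it appears next to the
// built-in social providers in the admin console.
class XblIdentityProviderFactory extends AbstractIdentityProviderFactory<XblIdentityProvider>
        implements SocialIdentityProviderFactory<XblIdentityProvider> {

    public static final String PROVIDER_ID = "xbl"; // assumption

    @Override
    public String getName() {
        return "Xbox Live";
    }

    @Override
    public XblIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new XblIdentityProvider(session, new OAuth2IdentityProviderConfig(model));
    }

    @Override
    public OAuth2IdentityProviderConfig createConfig() {
        return new OAuth2IdentityProviderConfig();
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }
}
```

To deploy, package both classes in a jar with a `META-INF/services/org.keycloak.broker.social.SocialIdentityProviderFactory` file naming the factory class, and build a second pair with its own id and endpoints for PSN. Existing forum accounts still only link to the new provider through Keycloak's normal first-login flow (or an explicit account link), which is the behaviour the documentation notice in the original post describes.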

We ‘solved’ it by mapping the username and email for the identity provider used with the exchange. This way it’s not interfering with the other login options.


@gklijs - Can you please provide more information on your solution? I also have a similar problem where I need to link existing users with token exchange to an IDP.