Hi everyone,
I am having some trouble with “First Broker Login Flow”, especially the AutoLink flow.
Keycloak v12.0.2 was working as expected, but when I migrated to v14.0.0 I started getting this error on new accounts coming from an external IDP.
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR error=invalid_user_credentials
Some things you need to know: the user already exists on our LDAP, so on the AutoLink Flow we have:
Basically, the issue is that Keycloak is not able to link the account coming from the IDP with our LDAP. If we set up the Identity Provider Link manually, the user is able to log in.
Thanks for your help.
The logs that I am getting are:
14:48:20,499 WARN [org.keycloak.services] (default task-160) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) RESET FLOW
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE ONLY
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) processFlow: AutoLink
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-create-user-if-unique', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-create-user-if-unique
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-create-user-if-unique' : [ authSelection - idp-create-user-if-unique, authSelection - idp-auto-link]
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-create-user-if-unique
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-auto-link
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-auto-link' : [ authSelection - idp-auto-link]
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-auto-link
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) execution 'idp-auto-link' is processed
14:48:20,500 WARN [org.keycloak.services] (default task-160) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
    at org.keycloak.keycloak-services@14.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:993)
    at org.keycloak.keycloak-services@14.0.0//org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:799)
    at org.keycloak.keycloak-services@14.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:852)
    at org.keycloak.keycloak-services@14.0.0//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:314)
    at org.keycloak.keycloak-services@14.0.0//org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:829)
    at org.keycloak.keycloak-services@14.0.0//org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:723)