Just-in-time user provisioning


I have a Keycloak connected to an OIDC IdP. This OIDC connection is where the users are stored. That hooks up fine; however, when testing I found that the account could only log in once, or it would get an info box upon the second login saying the account already exists. I did some digging and found that I needed to make an authentication flow for the OIDC IdP:


I set up a new flow with the following executions:
Create user if Unique (alt)
Automatically Set Existing User (alt)

The problem is that I can log in with my OIDC account the first time, but the second time I get:

We are sorry…

Unexpected error when authenticating with identity provider

If I delete the account and test logging in again it works fine, and then on the second login I get that error.

In terms of attributes, I am sending over first name, last name and email, and I have mapped these in the OIDC mapper.

Am I missing something with the flow?

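For reference, the first-broker-login flow described in the post above, written out as a Keycloak realm-import fragment. This is an added example, not configuration from the original poster: the realm name, the IdP alias `upstream-oidc`, the flow alias, the upstream URLs and the client credentials are all placeholders. The two executions use the provider IDs behind the admin-console names, `idp-create-user-if-unique` for "Create User If Unique" and `idp-auto-link` for "Automatically Set Existing User", both set to ALTERNATIVE; the misspelled key `autheticatorFlow` is the spelling Keycloak's own export format uses. Create User If Unique looks for a local user with the same username or email; on the first login it finds none and creates the account, on later logins it records the duplicate and falls through to the next alternative, which links the brokered identity to that existing account.

```json
{
  "realm": "example",
  "authenticationFlows": [
    {
      "alias": "oidc first broker login",
      "description": "Create the local account on first login, link to it on every later login",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        {
          "authenticator": "idp-create-user-if-unique",
          "requirement": "ALTERNATIVE",
          "priority": 10,
          "userSetupAllowed": false,
          "autheticatorFlow": false
        },
        {
          "authenticator": "idp-auto-link",
          "requirement": "ALTERNATIVE",
          "priority": 20,
          "userSetupAllowed": false,
          "autheticatorFlow": false
        }
      ]
    }
  ],
  "identityProviders": [
    {
      "alias": "upstream-oidc",
      "providerId": "oidc",
      "enabled": true,
      "trustEmail": true,
      "firstBrokerLoginFlowAlias": "oidc first broker login",
      "config": {
        "issuer": "https://idp.example.com/realms/upstream",
        "authorizationUrl": "https://idp.example.com/realms/upstream/protocol/openid-connect/auth",
        "tokenUrl": "https://idp.example.com/realms/upstream/protocol/openid-connect/token",
        "clientId": "keycloak-broker",
        "clientSecret": "REPLACE_ME",
        "clientAuthMethod": "client_secret_post",
        "defaultScope": "openid profile email",
        "validateSignature": "true",
        "useJwksUrl": "true",
        "jwksUrl": "https://idp.example.com/realms/upstream/protocol/openid-connect/certs",
        "syncMode": "FORCE"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "first name",
      "identityProviderAlias": "upstream-oidc",
      "identityProviderMapper": "oidc-user-attribute-idp-mapper",
      "config": { "claim": "given_name", "user.attribute": "firstName", "syncMode": "INHERIT" }
    },
    {
      "name": "last name",
      "identityProviderAlias": "upstream-oidc",
      "identityProviderMapper": "oidc-user-attribute-idp-mapper",
      "config": { "claim": "family_name", "user.attribute": "lastName", "syncMode": "INHERIT" }
    },
    {
      "name": "email",
      "identityProviderAlias": "upstream-oidc",
      "identityProviderMapper": "oidc-user-attribute-idp-mapper",
      "config": { "claim": "email", "user.attribute": "email", "syncMode": "INHERIT" }
    }
  ]
}
```

Drop the file into `data/import/` and start Keycloak with `kc.sh start --import-realm`, or load the same structure through the admin console's realm import. One caveat worth weighing before copying this flow: because the second execution links purely on a matching username or email, without the "Confirm link existing account" and "Verify existing account by Email" steps that the built-in first broker login flow puts in front of it, whoever controls the claims issued by the upstream IdP can attach themselves to any pre-existing local account. That is acceptable only when the upstream IdP is the sole source of accounts in the realm and verifies its email addresses itself, which is what `trustEmail` asserts here.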

I have the same problem here!