Keycloak login via token exchange with IDP works, but not every time

Hello, friends!
What I need: a user can register on KC (via my next app) and use the KC access token for the backend, or a user can register on KC with Google and use the KC access token for the backend.
If a user is already registered by login+password but tries to log in via Google with the same email, the Google account is linked to the existing one, so from then on the user can go two ways: via login+password or via Google.

This works for me, but!

  • if the first login was with the IDP, then I went through the "forgot password" flow; the user is able to log in via login+password and via Google, no problem
  • if the user first registered with login+password, then tried Google, the account is linked, but KC won't accept the IDP login and returns a 400 error

Really, I can't understand where the problem is; both users look absolutely similar. Please help!