Hello Everyone,
We were facing an issue with Keycloak, where sporadically a user who logs in for the first time over an external IDP fails to log in.
Our Setup
- Keycloak v26.0.x, deployed as a statefulset (with 3 instances) in Kubernetes
- exposed externally via cloudflare tunnel
- external IDP is Google
- cache: ispn, Kubernetes
Behaviour
- User logs in for the first time via Google
- After a while, the user will be redirected to /realms//login-actions/first-broker-login
- However, it will show "Account Already Exists". But since the user does not have a password, the IDP link could not be established.
Browser Network Activity
- None of the requests were seemingly duplicated or retried
What I noticed from the event logs:
- Multiple IDENTITY_PROVIDER_FIRST_LOGIN events are sent for the same user (around the same time, differing only by a few hundred ms)
- All IDENTITY_PROVIDER_FIRST_LOGIN events had a different code_id
- Some IDENTITY_PROVIDER_FIRST_LOGIN events will have a subsequent IDENTITY_PROVIDER_FIRST_LOGIN_ERROR (the pair has the same code_id), but not all.
- The user entity is still created in Keycloak, without any IDP links or credentials
From the server logs
- All 3 servers, with a few hundred ms difference, processed the same request
Can anyone help me get insights on why this happens, and if there are any configurations that would prevent this from happening?
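As an added example (not part of the original post), a small Python check that scans a Keycloak event export for exactly the pattern described above: several IDENTITY_PROVIDER_FIRST_LOGIN events for the same brokered identity within a short window, each with its own code_id, only some of them paired with an IDENTITY_PROVIDER_FIRST_LOGIN_ERROR. The event field names (time, type, realmId, details.code_id, details.identity_provider, details.identity_provider_identity) are assumed to follow Keycloak's admin REST event export; the sample events are constructed.

```python
from collections import defaultdict

FIRST_LOGIN = "IDENTITY_PROVIDER_FIRST_LOGIN"
FIRST_LOGIN_ERROR = "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR"

def _ev(time_ms, ev_type, identity, code_id, realm="example", idp="google"):
    """Constructed event shaped like Keycloak's admin REST event export (field names assumed)."""
    return {"time": time_ms, "type": ev_type, "realmId": realm,
            "details": {"identity_provider": idp, "code_id": code_id,
                        "identity_provider_identity": identity}}

# Constructed sample: alice's one Google login produced three FIRST_LOGIN events
# within 380 ms, each with its own code_id; only c2 got a FIRST_LOGIN_ERROR.
# bob is a normal single attempt and must not be flagged.
SAMPLE_EVENTS = [
    _ev(1718000000000, FIRST_LOGIN, "alice@example.com", "c1"),
    _ev(1718000000150, FIRST_LOGIN, "alice@example.com", "c2"),
    _ev(1718000000380, FIRST_LOGIN, "alice@example.com", "c3"),
    _ev(1718000000900, FIRST_LOGIN_ERROR, "alice@example.com", "c2"),
    _ev(1718000005000, FIRST_LOGIN, "bob@example.com", "c9"),
]

def find_concurrent_first_logins(events, window_ms=2000):
    """One finding per burst of FIRST_LOGIN events for the same broker identity
    (consecutive events <= window_ms apart) that carry >= 2 distinct code_ids."""
    attempts = defaultdict(list)  # (realm, idp, identity) -> [(time, code_id)]
    errored = set()               # code_ids that also produced FIRST_LOGIN_ERROR
    for ev in events:
        d = ev.get("details", {})
        key = (ev.get("realmId"), d.get("identity_provider"), d.get("identity_provider_identity"))
        if ev.get("type") == FIRST_LOGIN:
            attempts[key].append((ev["time"], d.get("code_id")))
        elif ev.get("type") == FIRST_LOGIN_ERROR:
            errored.add(d.get("code_id"))
    findings = []
    for (realm, idp, identity), seq in attempts.items():
        seq.sort()
        bursts = [[seq[0]]]
        for a in seq[1:]:  # open a new burst whenever the gap exceeds the window
            if a[0] - bursts[-1][-1][0] > window_ms:
                bursts.append([])
            bursts[-1].append(a)
        for b in bursts:
            codes = {c for _, c in b}
            if len(codes) >= 2:  # several auth sessions for what should be one login
                findings.append({"realm": realm, "identity_provider": idp, "identity": identity,
                                 "attempts": len(b), "spread_ms": b[-1][0] - b[0][0], "code_ids": sorted(codes),
                                 "errored_code_ids": sorted(codes & errored), "silent_code_ids": sorted(codes - errored)})
    return findings
```

Run against a real export, a finding with silent_code_ids non-empty is the case from the post: a first-login session that neither completed nor logged an error, which is where the orphaned user without IDP link or credential comes from.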