I have a custom read-only User Federation SPI and I’m trying to integrate with an IdP that has an incomplete oidc implementation. Its a Smart on FHIR service (which is OAuth for medical systems, that includes oidc in principle).
For a variety of reasons, the preferred usernames that come from their system does not match the usernames in ours. Since we want a transparent linking, I wrote a custom username mapper. I know that is a private SPI, but the boss gets what the boss wants.
As I was building this, I did create test users whose username did match what the IdP was giving me to make sure that side of things was setup correctly. When the time came to test my jar on the external (to me) dev box, I deleted that user, and then created a new use with the username that matches what we expect to use.
Now when I login with the IdP, I get this exception in my logs.
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-7) Failed to make identity provider oauth callback: java.lang.IllegalStateException: More results found for identityProvider=testoidc, userId=useridfromidp, results=[f:d96c21c8-7220-45aa-b665-6966caf70c33:whatiwant, f:d96c21c8-7220-45aa-b665-6966caf70c33:useridfromidp] at org.keycloak.storage.jpa.JpaUserFederatedStorageProvider.getUserByFederatedIdentity(JpaUserFederatedStorageProvider.java:178)
I’m pretty sure this is just because I’ve messed things up with my testing, but if anyone has an idea of how I can fix this, I’d be very grateful.