Could you tell me how linking accounts with different emails works?

Keycloak Version

Keycloak 26.0.8 (Docker)

Description

When attempting to generate a link for associating a social account with an existing Keycloak user using /realms/{realm}/broker/{provider}/link, the Keycloak API requires the session_state parameter. However, this parameter is missing in OpenID tokens and is not returned in responses from introspect.

In my case the user on the social network has a different email.

Documentation and code samples (including Java code in the official documentation) indicate that session_state is necessary for generating the hash. However, in the current versions of Keycloak, this parameter is unavailable.

Steps to Reproduce

  1. A user is already registered in Keycloak.
  2. We need to generate a link to associate a social account using /broker/{provider}/link.
  3. Decode the user’s access_token using decode_token() in python-keycloak.
  4. The session_state parameter is missing.
  5. Use introspect(), but session_state (or sid) is also missing there.
  6. Attempt to pass id_token or access_token in the KEYCLOAK_IDENTITY cookie, but Keycloak rejects the tokens with errors like Expected '[Serialized-ID]' but was 'Bearer' or Expected '[Serialized-ID]' but was 'ID'.

Expected Behavior

  • The Keycloak API should provide session_state or sid for generating a social account linking URL.
  • There should be a way to retrieve this parameter via introspect() or admin API.
  • Clear documentation should explain which token should be used in KEYCLOAK_IDENTITY and how to format it correctly.

Actual Behavior

  • session_state is missing from access_token, id_token, and introspect().
  • A request to /users/{user_id}/sessions via admin API also does not return session_state.
  • Setting KEYCLOAK_IDENTITY = access_token results in Failed to verify identity token.

Environment

  • Keycloak 26.0.8
  • python-keycloak 4.6.2
  • Python 3.8.10

Questions

  1. How can I use this link to link a user to a social network?
     • How can we retrieve session_state or sid for linking a social account?
     • What about Cookies?
  2. What are the alternative ways to link a social network to an existing user with different emails?
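
The link hash the post refers to, as an added example that is not part of the original post or Keycloak's own code: it follows the nonce + session id + client id + provider SHA-256 scheme of the Java sample in Keycloak's documentation, and fails loudly when the token carries no session id. Assumptions: the session id is read from the token's `sid` claim (falling back to `session_state`), and the host, realm, client and provider names in the demo are constructed.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import quote, urlencode


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; verify the signature first in real code."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_id(claims):
    """Assumption: the session id is in 'sid' or, failing that, 'session_state'."""
    for name in ("sid", "session_state"):
        if claims.get(name):
            return claims[name]
    raise KeyError("token has neither 'sid' nor 'session_state'; cannot compute link hash")


def link_hash(nonce, sid, client_id, provider):
    """Unpadded base64url(SHA-256(nonce + session id + client id + provider alias))."""
    data = (nonce + sid + client_id + provider).encode("utf-8")
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")


def build_link_url(base_url, realm, provider, client_id, redirect_uri, token, nonce=None):
    nonce = nonce or secrets.token_urlsafe(16)  # fresh random nonce per link request
    sid = session_id(jwt_claims(token))
    query = urlencode({
        "nonce": nonce,
        "hash": link_hash(nonce, sid, client_id, provider),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    path = "/realms/{}/broker/{}/link".format(quote(realm, safe=""), quote(provider, safe=""))
    return base_url.rstrip("/") + path + "?" + query


if __name__ == "__main__":
    # Constructed, unsigned sample token; host, realm, client and provider names are made up.
    body = json.dumps({"sub": "constructed-user", "sid": "constructed-session-id"}).encode()
    token = "e30." + base64.urlsafe_b64encode(body).rstrip(b"=").decode() + "."
    print(build_link_url("https://keycloak.example", "demo", "github", "my-app",
                         "https://app.example/linked", token))
```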