Hello everyone,
I implemented the exchange token logic to exchange a Microsoft token with one from Keycloak.
If the user I’m trying to log in with doesn’t exist, the system logs me in without problems.
However, if the user was already present (in my case imported from LDAP), the system does not allow me to exchange the token and generates the following error:
Rest api response:
{"error":"invalid_token","error_description":"User already exists"}
Keycloak logs:
[org.keycloak.events] (executor-thread-268) type=TOKEN_EXCHANGE_ERROR, realmId=********, clientId=******, userId=null, ipAddress=172.18.0.1, error=federated_identity_account_exists, auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=microsoft, validation_method='user info', client_auth_method=client-secret
I have enabled the token exchange logic as per the official guide and I have successfully configured the Microsoft provider.
I request the token via the following call:
curl -X POST \
-d "client_id=#CLIENT_ID#" \
-d "client_secret=#CLIENT_SECRET#" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=#MICROSOFT_ACCESS_TOKEN#" \
-d "subject_issuer=http://localhost:8080/auth/realms/%REALM_NAME" \
--data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
http://localhost:8080/auth/realms/#REALM_NAME#/protocol/openid-connect/token
What am I doing wrong? Why can’t I link an existing user with the one I’m trying to log in with?