[keycloak-user] No way to use First Broker Login without enabling Create User If Unique

Marek Posolda mposolda at redhat.com
Tue Mar 7 11:03:24 EST 2017


Someone else asked recently for it. I think that JIRA already exists. 
Feel free to create new JIRA if you are not able to find the existing one.

Yes, currently the builtin CreateUserIfUnique authenticator does 2 things:
- Check if the brokered user already exists in the Keycloak DB. If not, then 
create a new user
- If it exists, then set some info into the current clientSession about 
the existing user

The other authenticators in the chain assume that the info about the 
duplicated user is already in the clientSession.  There should be some 
more flexibility here (either the possibility to configure the 
CreateUserIfUnique authenticator to never create new users, or let the 
existing authenticators find out by themselves whether a duplicated user 
is there or not).

You can also send a PR for it or, as a workaround, replace the 
CreateUserIfUnique authenticator with your own authenticator impl, which 
won't allow registering new users.

Btw. There is also the possibility for Keycloak users to link brokers in the 
account management console.

Marek

On 07/03/17 15:16, teroz wrote:
> Hi there
> is there a way to pre-create users and have these users able to link these
> existing accounts to Google accounts without also being forced to allow any
> random Google user from being able to create an account?
> Seems that's how First Broker Login works. Any attempt to disable the
> "Create User If Unique" step makes the flow unusable with always the same
> error
>
> *WARN  [org.keycloak.events] (default task-94)
> type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=example,
> clientId=js-console, userId=null, ipAddress=127.0.0.1,
> error=invalid_user_credentials, identity_provider=google,
> auth_method=openid-connect, auth_type=code,
> redirect_uri=http://127.0.0.1:8080/js-console/, identity_provider_identity=......*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
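The workaround Marek describes (replacing CreateUserIfUnique with an authenticator that only links to existing users) could be implemented as below. This is an added example, not code from this thread or from the Keycloak project. It assumes a Keycloak release in which `AbstractIdpAuthenticator`, `IdpCreateUserIfUniqueAuthenticator` (with its protected `getUsername` and `checkExistingUser` helpers) and `IdpCreateUserIfUniqueAuthenticatorFactory` exist and the first-broker-login flow keeps its notes in the authentication session (the `clientSession` of the 2017 releases); the package, class names and provider id are made up, and the helper signatures should be checked against the deployed version.

```java
// File: IdpLinkExistingUserOnlyAuthenticatorFactory.java (hypothetical package)
// Added example, not Keycloak's own code: a "First Broker Login" step that
// links the brokered identity to an existing Keycloak user and fails the flow
// when no user matches, so an arbitrary Google account can no longer
// self-register. Register the factory via
// META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
package org.example.keycloak.broker;

import java.util.Collections;
import java.util.List;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Same contract towards the rest of the flow as the builtin authenticator
 * (EXISTING_USER_INFO note set when a matching user exists), but an unknown
 * brokered identity fails the flow instead of creating a user.
 */
class IdpLinkExistingUserOnlyAuthenticator extends IdpCreateUserIfUniqueAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        // An earlier execution already recorded the duplicate: pass through.
        if (context.getAuthenticationSession().getAuthNote(EXISTING_USER_INFO) != null) {
            context.attempted();
            return;
        }

        // Username the builtin step would use (email when the realm has
        // "email as username" enabled, otherwise the broker-supplied username).
        String username = getUsername(context, serializedCtx, brokerContext);
        if (username == null) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }

        // Builtin lookup: match on email (unless the realm allows duplicate
        // emails), then on username.
        ExistingUserInfo existing = checkExistingUser(context, username, serializedCtx, brokerContext);
        if (existing == null) {
            // Nothing to link to: refuse, and leave an auditable error event
            // rather than silently registering the identity.
            context.getEvent().error(Errors.USER_NOT_FOUND);
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }

        // Leave the same note the builtin step leaves, so the following
        // "Handle Existing Account" executions make the user prove ownership
        // (confirm link, verify email or password) before the broker is linked.
        context.getAuthenticationSession().setAuthNote(EXISTING_USER_INFO, existing.serialize());
        context.attempted();
    }
}

/** Exposes the step under its own id so it can replace "Create User If Unique" in the flow editor. */
public class IdpLinkExistingUserOnlyAuthenticatorFactory extends IdpCreateUserIfUniqueAuthenticatorFactory {

    public static final String PROVIDER_ID = "idp-link-existing-user-only"; // hypothetical id

    @Override
    public String getId() { return PROVIDER_ID; }

    @Override
    public String getDisplayType() { return "Link Existing User Only"; }

    @Override
    public String getHelpText() {
        return "Links the brokered identity to an existing user; fails if no user matches.";
    }

    // The builtin "require password update after registration" option has no
    // meaning here because nothing is ever registered.
    @Override
    public boolean isConfigurable() { return false; }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    @Override
    public Authenticator create(KeycloakSession session) {
        return new IdpLinkExistingUserOnlyAuthenticator();
    }
}
```

After deploying the jar, copy the First Broker Login flow, swap the "Create User If Unique" execution for "Link Existing User Only" with the same requirement, and bind the copy to the identity provider. Because the step calls `failure()` rather than `attempted()` when no user matches, the flow ends with a first-login error for unknown identities while pre-created users still reach the existing-account verification steps.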



