[keycloak-user] How to delete a federated identity?

Eric Wittmann eric.wittmann at redhat.com
Mon Sep 3 15:37:41 EDT 2018


Ok, thanks.  Will do.

On Mon, Sep 3, 2018 at 4:26 AM Stian Thorgersen <sthorger at redhat.com> wrote:

>
>
> On Wed, 29 Aug 2018 at 20:13, Eric Wittmann <eric.wittmann at redhat.com>
> wrote:
>
>> Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and
>> Bitbucket.  Creating a link works well, but deleting the link does not.
>> It's been a while since I've checked for this functionality - but is there
>> an API call in KC 4.x that Apicurio can use to delete the linked account
>> for an authenticated user?
>>
>> Previously I was trying to use this:
>>
>>
>> /auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab
>>
>> But I don't think this ever worked, and it's definitely returning a 404
>> now.
>>
>
> We don't currently have a REST API to remove the link; this will come as
> part of the work we are doing around REST API for account management.
>
>
>>
>> In a related follow-up question - in Keycloak 4.3.0 (most recent testing)
>> if I delete the linked account record in Apicurio, I cannot re-create it.
>> When I try, the result is a PK violation in the Keycloak database.  I can
>> work around this problem only by logging into Keycloak and deleting the
>> "Identity Provider Link" in Manage->Users.  The URL Apicurio uses when
>> initiating an account link is:
>>
>>
>> /auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated
>>
>> If the user already has an identity provider link for "gitlab" then the
>> result is:
>>
>> Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER, USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL statement:
>> insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID, FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?) [23505-193]
>>         at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
>>         at org.h2.message.DbException.get(DbException.java:179)
>>         at org.h2.message.DbException.get(DbException.java:155)
>>         at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
>>         at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
>>         at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
>>         at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
>>         at org.h2.command.dml.Insert.insertRows(Insert.java:156)
>>         at org.h2.command.dml.Insert.update(Insert.java:114)
>>         at org.h2.command.CommandContainer.update(CommandContainer.java:98)
>>         at org.h2.command.Command.executeUpdate(Command.java:258)
>>         at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
>>         at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
>>         at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
>>         at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
>>         ... 82 more
>>
>> Seeking help on both issues.  I'm likely just doing the wrong thing.  :)
>>
>
> Not sure what would be the expected behaviour when you are trying to add a
> link to a provider that already exists. As the app can't always detect if
> there is a link I guess it should really redirect to the app with a message
> stating already added or something. Shouldn't throw an error like that
> though. Can you open a bug for this one please?
>
>
>
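
The behaviour suggested in the reply above (report "already added" to the app instead of surfacing the primary-key violation), as an added example that is not part of the original thread and is not Keycloak code. It assumes SQLite as a stand-in for H2; the function names, redirect parameters and sample values are hypothetical, while the table, columns and key come from the SQL statement quoted in the thread.

```python
import sqlite3
from urllib.parse import urlencode

# Table, columns and the (IDENTITY_PROVIDER, USER_ID) primary key are taken
# from the statement and error quoted in the thread. SQLite replaces H2 here,
# and every function name below is hypothetical.
SCHEMA = """
CREATE TABLE FEDERATED_IDENTITY (
    REALM_ID TEXT, TOKEN TEXT, FEDERATED_USER_ID TEXT, FEDERATED_USERNAME TEXT,
    IDENTITY_PROVIDER TEXT NOT NULL, USER_ID TEXT NOT NULL,
    PRIMARY KEY (IDENTITY_PROVIDER, USER_ID)
)"""
INSERT = ("insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID, "
          "FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?)")
WHERE_LINK = "where IDENTITY_PROVIDER = ? and USER_ID = ?"


def open_store():
    """Create an in-memory store with the link table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def link_account(db, realm, user_id, provider, fed_user_id, fed_username, token=None):
    """Insert a link; a duplicate becomes an 'already_linked' outcome, not an error."""
    try:
        with db:  # commits on success, rolls back if the insert fails
            db.execute(INSERT, (realm, token, fed_user_id, fed_username, provider, user_id))
        status = "created"
    except sqlite3.IntegrityError:
        # Confirm the failure really is the duplicate key before reporting it
        # as such; any other constraint failure is re-raised, not masked.
        row = db.execute("select 1 from FEDERATED_IDENTITY " + WHERE_LINK,
                         (provider, user_id)).fetchone()
        if row is None:
            raise
        status = "already_linked"
    # Query string the app would receive on its redirect_uri (hypothetical names).
    return status, urlencode({"link_status": status, "provider": provider})


def unlink_account(db, user_id, provider):
    """Delete the link row; True when a row was removed, so a re-link can succeed."""
    with db:
        cur = db.execute("delete from FEDERATED_IDENTITY " + WHERE_LINK,
                         (provider, user_id))
    return cur.rowcount == 1
```
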

