Hello, We try to implement the following use case : We have a Realm and a Client that allow users to login with the rest api /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application). Users should be able to login with a Facebook token by using the same rest api but with token-exchange grant_type only if a keycloak user already exists and if it’s linked with Facebook identity provider. Problem: if a user that does not exist in Keycloak exchange a Facebook token, it’ll be automatically created by keycloak and an access_token is return. We try to modify First Login Flow in Identity provider configuration, but it does not work. How we can prevent keycloak to create user and return an error if there is no keycloak user linked to the facebook token? Thanks in advance, Florian