[keycloak-dev] Federated Identity Collisions
Marc Spehlmann
marc at autonomic.ai
Fri Jun 21 19:02:44 EDT 2019
Hello dev community,
I was building a feature on top of keycloak which allows my company’s
customers to provision users. While working on this, I realized that
I can break a user's federated login by the following procedure:
1. create a User A, add to this user a federation
{"identityProvider": "google", "userId":"123", "marc at google.com"}
2. create a User B, add to this user a federation
{"identityProvider": "google", "userId":"123", "marc at google.com"}
Now when either user A or B tries to do federated login using the
google provider, they receive a 500 error with a phrase like `More
results found for identityProvider` being logged on the backend. The
code in `getUserByFederatedIdentity` of the JpaUserProvider does not
check for uniqueness of the userId/federated_username.
A couple of questions:
- Is there a check I can do prior to adding a user in the admin-api
for a duplicate federated_identity?
- Is this a known deficiency?
Best, Marc
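A client-side pre-link check of the kind asked about above, added here as an example (it is not part of the original post and not Keycloak's own code): it walks the realm's users through the admin REST API, collects each user's federated-identity links, and refuses to add a link whose (identityProvider, userId) pair another user already holds. It assumes a valid admin bearer token and the endpoints GET /admin/realms/{realm}/users (paged with first/max), GET .../users/{id}/federated-identity and POST .../users/{id}/federated-identity/{provider}.

```python
import json
import urllib.parse
import urllib.request

def find_collision(users_links, provider, idp_user_id):
    """Ids of users whose federated links already contain (provider, idp_user_id).

    users_links: iterable of (keycloak_user_id, [FederatedIdentityRepresentation dicts]).
    Two such users are exactly what makes getUserByFederatedIdentity fail."""
    return [uid for uid, links in users_links
            if any(l.get("identityProvider") == provider and l.get("userId") == idp_user_id
                   for l in links)]

def _request(url, token, body=None):
    """GET (or POST when body is given) an admin endpoint; returns parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def iter_user_links(base_url, realm, token, page_size=100):
    """Yield (user_id, links) for every user in the realm, paging /users with first/max."""
    first = 0
    while True:
        q = urllib.parse.urlencode({"first": first, "max": page_size, "briefRepresentation": "true"})
        users = _request(f"{base_url}/admin/realms/{realm}/users?{q}", token)
        if not users:
            return
        for u in users:
            yield u["id"], _request(
                f"{base_url}/admin/realms/{realm}/users/{u['id']}/federated-identity", token)
        first += page_size

def link_identity(base_url, realm, token, user_id, link):
    """POST the link only if no other user already owns the same (identityProvider, userId)."""
    others = [uid for uid in find_collision(iter_user_links(base_url, realm, token),
                                            link["identityProvider"], link["userId"])
              if uid != user_id]
    if others:
        raise ValueError(f"{link['identityProvider']}/{link['userId']} already linked to {others}")
    _request(f"{base_url}/admin/realms/{realm}/users/{user_id}/federated-identity/"
             f"{link['identityProvider']}", token, body=link)

# Constructed sample (not real data): user A already holds google/123, user B has no links.
SAMPLE_LINKS = [("user-a", [{"identityProvider": "google", "userId": "123", "userName": "marc"}]),
                ("user-b", [])]
```

The check runs on the client and is not atomic, so two concurrent provisioning calls can still create the duplicate; it reduces the window but does not replace a uniqueness constraint on the server side.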