[keycloak-user] How to delete a federated identity?

Eric Wittmann eric.wittmann at redhat.com
Wed Aug 29 13:06:28 EDT 2018


Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and
Bitbucket.  Creating a link works well, but deleting the link does not.
It's been a while since I've checked for this functionality - but is there
an API call in KC 4.x that Apicurio can use to delete the linked account
for an authenticated user?

Previously I was trying to use this:

/auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab

But I don't think this ever worked, and it's definitely returning a 404 now.

In a related follow-up question - in Keycloak 4.3.0 (most recent testing) if
I delete the linked account record in Apicurio, I cannot re-create it.
When I try, the result is a PK violation in the Keycloak database.  I can
work around this problem only by logging into Keycloak and deleting the
"Identity Provider Link" in Manage->Users.  The URL Apicurio uses when
initiating an account link is:

/auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated

If the user already has an identity provider link for "gitlab" then the
result is:

Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER, USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL statement:
insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID, FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?) [23505-193]
        at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
        at org.h2.message.DbException.get(DbException.java:179)
        at org.h2.message.DbException.get(DbException.java:155)
        at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
        at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
        at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
        at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
        at org.h2.command.dml.Insert.insertRows(Insert.java:156)
        at org.h2.command.dml.Insert.update(Insert.java:114)
        at org.h2.command.CommandContainer.update(CommandContainer.java:98)
        at org.h2.command.Command.executeUpdate(Command.java:258)
        at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
        at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
        at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
        at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
        ... 82 more

Seeking help on both issues.  I'm likely just doing the wrong thing.  :)

