[keycloak-user] Accounts linking on multiple identity providers returns "Invalid username or password"

Yuriy Yunikov yuriy.yunikov at verygood.systems
Fri May 4 08:40:49 EDT 2018


In our setup we have 2 identity providers set up (further referred to as
*custom_idp* and *google*); *custom_idp* is the default one and has the
browser authentication flow set to "Identity Provider Redirector".

The goal is the following:
- When a user is logged in via *custom_idp*, KeyCloak should authenticate
the user successfully
- When a user is logged in via *google*, KeyCloak should link the existing
account created with *custom_idp* and just add another identity provider to
the user. After that the user should be authenticated successfully.

Considering that the user is already created in *custom_idp*, logging in via
*google* with the option *kc_idp_hint=google* gives the error "Invalid
username or password".

Here is the debug log from server:
[org.keycloak.broker.oidc.OIDCIdentityProvider] (default task-7) GOOGLE
userInfoUrl: https://www.googleapis.com/plus/v1/people/me/openIdConnect
2018-05-04 11:23:15,589 DEBUG [org.keycloak.social.user_profile_dump]
(default task-7) User Profile JSON Data for provider google: {...}
...
[org.keycloak.services.resources.IdentityBrokerService] (default task-7)
Federated user not found for provider 'google' and broker username
'yuriy.yunikov at test' . Redirecting to flow for firstBrokerLogin
2018-05-04 11:23:15,593 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-7)
RESET FLOW
...
2018-05-04 11:23:15,804 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-12)
execution is processed
2018-05-04 11:23:15,805 WARN  [org.keycloak.services] (default task-12)
KC-SERVICES0013: Failed authentication:
org.keycloak.authentication.AuthenticationFlowException
at
org.keycloak.keycloak-services//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:856)
at
org.keycloak.keycloak-services//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
at
org.keycloak.keycloak-services//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:286)

Here is a line which specifies what is happening:
"Federated user not found for provider 'google' and broker username
'yuriy.yunikov at test' . Redirecting to flow for firstBrokerLogin"

With the configuration added as an attachment I expect KeyCloak to link the
accounts and log in, however this isn't happening.

I've tried to switch the IDPs vice versa and to reproduce it the opposite
way, but it's still the same issue, so it doesn't look like an IDP
configuration issue to me.

I've seen this issue happen to other users but there is no solution to
fix it:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Force-Keycloak-to-use-external-IdP-as-authentication-mechanism-td2747.html

Please let me know if I'm wrong, but this doesn't look like correct
behavior to me. Any ideas?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: idp_config.png
Type: image/png
Size: 170216 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180504/f4acc574/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: first_broker_login.png
Type: image/png
Size: 245075 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180504/f4acc574/attachment-0003.png 