[keycloak-user] How to delete a federated identity?
Stian Thorgersen
sthorger at redhat.com
Mon Sep 3 04:26:00 EDT 2018
On Wed, 29 Aug 2018 at 20:13, Eric Wittmann <eric.wittmann at redhat.com> wrote:
> Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and
> Bitbucket. Creating a link works well, but deleting the link does not.
> It's been a while since I've checked for this functionality - but is there
> an API call in KC 4.x that Apicurio can use to delete the linked account
> for an authenticated user?
>
> Previously I was trying to use this:
>
> /auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab
>
> But I don't think this ever worked, and it's definitely returning a 404
> now.
>
We don't currently have a REST API to remove the link. This will come as
part of the work we are doing around the REST API for account management.
>
> In a related follow-up question - in Keycloak 4.3.0 (most recent testing) if
> I delete the linked account record in Apicurio, I cannot re-create it.
> When I try, the result is a PK violation in the Keycloak database. I can
> work around this problem only by logging into Keycloak and deleting the
> "Identity Provider Link" in Manage->Users. The URL Apicurio uses when
> initiating an account link is:
>
> /auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated
>
> If the user already has an identity provider link for "gitlab" then the
> result is:
>
> Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER, USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL statement:
> insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID, FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?) [23505-193]
> at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
> at org.h2.message.DbException.get(DbException.java:179)
> at org.h2.message.DbException.get(DbException.java:155)
> at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
> at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
> at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
> at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
> at org.h2.command.dml.Insert.insertRows(Insert.java:156)
> at org.h2.command.dml.Insert.update(Insert.java:114)
> at org.h2.command.CommandContainer.update(CommandContainer.java:98)
> at org.h2.command.Command.executeUpdate(Command.java:258)
> at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
> at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
> at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
> at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
> ... 82 more
>
> Seeking help on both issues. I'm likely just doing the wrong thing. :)
>
Not sure what would be the expected behaviour when you are trying to add a
link to a provider that already exists. As the app can't always detect if
there is a link I guess it should really redirect to the app with a message
stating already added or something. Shouldn't throw an error like that
though. Can you open a bug for this one please?
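The account-link URL quoted in the thread (`/broker/<provider>/link?nonce=…&hash=…&client_id=…&redirect_uri=…`) is Keycloak's client-initiated account linking endpoint. As an added example, not code from this thread, from Apicurio or from Keycloak, the block below shows how an application builds that URL and how the server-side check on it works: the `hash` parameter is the base64url-encoded SHA-256 of `nonce + session_state + client_id + provider` as described in the Keycloak developer documentation (taken here as an assumption about the formula), where `session_state` and `client_id` come from the user's access token. The base URL, the session value `sess-123`, and the redirect allow-list are constructed values for the example.

```python
"""Added example: build and verify a Keycloak client-initiated account-linking URL.

Not from the thread, Apicurio or Keycloak. The hash formula
(SHA-256 over nonce + session_state + client_id + provider, base64url, no padding)
follows the Keycloak developer documentation and is an assumption of this example.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse


def link_hash(nonce: str, session_state: str, client_id: str, provider: str) -> str:
    """Base64url-encoded (unpadded) SHA-256 of the concatenated inputs.

    session_state is the 'session_state' claim of the user's access token and
    client_id is its 'azp' claim; the concatenation order is assumed from the
    Keycloak documentation for client-initiated account linking.
    """
    material = (nonce + session_state + client_id + provider).encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_account_link_url(base_url: str, realm: str, provider: str, client_id: str,
                           session_state: str, redirect_uri: str,
                           nonce: Optional[str] = None) -> str:
    """Return the /broker/<provider>/link URL the application redirects the browser to."""
    # A fresh, unpredictable nonce per link attempt, so a captured URL cannot be replayed
    # against a different session (the 'abc' in the thread is a placeholder, not a real value).
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "nonce": nonce,
        "hash": link_hash(nonce, session_state, client_id, provider),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{provider}/link?{urlencode(params)}"


def verify_link_request(url: str, session_state: str, allowed_redirects: Set[str]) -> bool:
    """Mirror of the server-side check: recompute the hash from the query parameters and
    the caller's real session, compare in constant time, and accept redirect_uri only if
    the client registered it (allowed_redirects is a hypothetical allow-list)."""
    parsed = urlparse(url)
    path_parts = parsed.path.rstrip("/").split("/")  # .../broker/<provider>/link
    if len(path_parts) < 3 or path_parts[-1] != "link" or path_parts[-3] != "broker":
        return False
    provider = path_parts[-2]
    q = parse_qs(parsed.query)
    try:
        nonce, given_hash = q["nonce"][0], q["hash"][0]
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
    except (KeyError, IndexError):
        return False
    expected = link_hash(nonce, session_state, client_id, provider)
    if not hmac.compare_digest(expected, given_hash):
        return False  # wrong session, wrong client, or tampered provider/nonce
    return redirect_uri in allowed_redirects


if __name__ == "__main__":
    # Constructed sample values, shaped like the URL in the thread.
    redirect = "http://localhost:8080/studio/settings/accounts/GitLab/created"
    url = build_account_link_url("http://localhost:8080/auth", "apicurio", "gitlab",
                                 "apicurio-studio", "sess-123", redirect)
    print(url)
    print("valid for sess-123:", verify_link_request(url, "sess-123", {redirect}))
    print("valid for other session:", verify_link_request(url, "other", {redirect}))
```

Because the hash binds the nonce to the user's session and client, a link URL copied from one browser is rejected for any other session; the redirect allow-list is the application-side counterpart of Keycloak validating `redirect_uri` against the client's registered URIs.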