[keycloak-user] Account linking as a required login action

Erik Orbons e.orbons at speakup.nl
Sun Mar 17 05:50:31 EDT 2019


Hello,

I'm facing difficulties implementing a specific requirement using Keycloak. Since searches on the topic also came up empty, I'm hoping someone could shed some insight into how I can approach the following situation:

We have a Keycloak realm containing user accounts that can access several clients also within the same realm, all pretty standard. This realm also has a federated identity provider (using OpenID Connect) which can be linked to the local accounts and for which external claims are mapped to local user attributes.

One of our client applications requires the attributes from the external identity provider to be present, which may not be the case if the user hasn't set up the account link yet (through explicit linking or brokered login). Also from a strategic point of view we want to encourage users to log in using their local accounts instead of the external accounts (we're using this construction as a first step to migrate away from the external IDP).

Now I'm tasked with the challenge of coming up with a login flow that, after a normal local login (form+OTP), checks if the link to the external account is present and, if not, presents the user with the choice to set up the link there and then as part of the login flow. I've tried:

- Implementing a custom authenticator that checks if the IDP link is present. Combined with the IDP redirector authenticator I'm able to force a login at the external IDP. After being redirected back to Keycloak the user enters the first broker login flow, however any kind of customization there doesn't seem to allow me to link the external account to the existing local account without re-authentication (which doesn't make sense from a user point of view because he or she just logged in to the local account).
- It occurred to me that a required action might be a more suitable solution, however Keycloak doesn't appear to offer such functionality out of the box and so far I've come up blank as to how to implement this specific use case as a required action.

As for my questions:

1) What would be the best way to approach this specific use case using Keycloak? Or perhaps there's a good reason why I should avoid this situation that I haven't spotted yet?
2) Assuming customization is required: could someone share some pointers as to how to implement the account linking as a required login step? I've implemented my fair share of required actions and authenticators, so I'm familiar with the basics.

Thank you, any insights are greatly appreciated!
     
Regards,

Erik
 
    

