"User already exists" when calling the /token endpoint through an external IdP


I'm using an external IdP to obtain users' JWT tokens using the token-exchange protocol. When the user is not created in the admin console I get no problem and everything works fine, but when I call the /token endpoint to obtain the access token and the user is already created in the console I get the error “User already created”.

In the DEBUG logs I can see this error: error=federated_identity_account_exists, which seems to be part of the DefaultTokenExchange.java class.

Is there a way to avoid this error and merge accounts when calling the endpoint?

Also I noticed that if I create the Identity Provider Link manually in the user settings, it solves the problem.


Thanks in advance


1 answer

david

I have experienced the same problem but I have kind of solved it; this was my scenario:

  • I have a custom frontend application with custom authentication (not using the Keycloak login panel). I create users from this GUI using API calls to Keycloak.
  • I have set up the Google provider and token exchange.
  • What I want to achieve is being able to create a user with my custom GUI and then being able to log in with Google and have the same account. It works fine when the user logging in does not exist already (with the same email) but does not work when a user with the same email exists. I tried giving the user permissions to impersonate and also tried to manually link the IdP account with the user but no luck; I was always receiving the same error as you.

I have kind of solved this situation by trying to use the Keycloak login portal; let me explain. I was reading this online discussion: https://keycloak.discourse.group/t/link-idp-to-existing-user/1094/7 and discovered that you can actually see and modify the details and steps of the login flow, including the login flow of the Google identity provider. The scenario is this, maybe it can help you:

  • You create a user manually using Keycloak (or a custom GUI via the Keycloak API in my case).
  • You then use the Keycloak login panel of the realm where the user is created (and of course you should have the Google IdP configured here too) and click on login with Google.
  • It will detect the situation and allow you to link the accounts! And from there on, it works as you'd expect.

Unfortunately, from the API this error is not manageable and I think it would be very complicated to solve. Maybe if you implement the code with the Keycloak API to link the accounts it could work, but I don't think it's worth it, so I will be moving to using the Keycloak login portal, which works better and requires less effort.
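Added example (not from the question, the answer, or Keycloak itself): automating the manual Identity Provider Link that the asker found to work, using the Admin REST API to create the federated-identity link on the existing user before retrying the exchange the answer says is otherwise unmanageable from the API. It assumes an admin bearer token for the realm, a confidential client permitted to do token exchange, and that the broker identifies the external account by the external token's `sub` claim (the `external_user_id` parameter), which is an assumption about your IdP; `base`, `realm`, `provider_alias` and all credentials are placeholders you supply.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

def build_link_body(provider_alias, external_user_id, external_username):
    """FederatedIdentityRepresentation for POST /admin/realms/{realm}/users/{id}/federated-identity/{alias}.
    userId must be what the broker derives from the external token (assumed here: its `sub` claim);
    a link whose userId does not match will not stop federated_identity_account_exists."""
    return {"identityProvider": provider_alias, "userId": external_user_id, "userName": external_username}

def build_exchange_form(client_id, client_secret, subject_token, provider_alias):
    """Form body for the external-IdP token exchange on /realms/{realm}/protocol/openid-connect/token."""
    return {"grant_type": TOKEN_EXCHANGE, "client_id": client_id, "client_secret": client_secret,
            "subject_token": subject_token, "subject_issuer": provider_alias,
            "requested_token_type": ACCESS_TOKEN}

def _call(method, url, admin_token=None, body=None, form=False):
    """Minimal JSON/form HTTP helper; raises urllib.error.HTTPError on non-2xx responses."""
    data, headers = None, {}
    if body is not None:
        data = (urllib.parse.urlencode(body) if form else json.dumps(body)).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded" if form else "application/json"
    if admin_token:
        headers["Authorization"] = f"Bearer {admin_token}"
    with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers, method=method)) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}

def link_then_exchange(base, realm, admin_token, user_email, provider_alias,
                       external_user_id, client_id, client_secret, subject_token):
    """Create the IdP link the asker added by hand, then run the exchange that previously failed."""
    admin = f"{base}/admin/realms/{realm}"
    users = _call("GET", f"{admin}/users?email={urllib.parse.quote(user_email)}&exact=true", admin_token)
    if len(users) != 1:  # older Keycloak ignores exact=true and substring-matches, so check the count
        raise LookupError(f"expected exactly one user for {user_email}, got {len(users)}")
    try:
        _call("POST", f"{admin}/users/{users[0]['id']}/federated-identity/{provider_alias}", admin_token,
              build_link_body(provider_alias, external_user_id, user_email))
    except urllib.error.HTTPError as err:
        if err.code != 409:  # 409: a link for this alias already exists, so the exchange already works
            raise
    return _call("POST", f"{base}/realms/{realm}/protocol/openid-connect/token", None,
                 build_exchange_form(client_id, client_secret, subject_token, provider_alias), form=True)
```

The link is written with the admin token, so this belongs in a backend that already holds admin credentials, never in the frontend that holds the external token.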