First Broker Login Flow(AutoLink) not working Keycloak v 14.0.0

919 views

Skip to first unread message

Juan Blanco

unread,

Oct 1, 2021, 12:28:10 PM10/1/21

to Keycloak User

Hi everyone,

I am having some troubles with “First Broker Login Flow” especially the AutoLink flow.

Keycloak v 12.0.2 was working as expected but when I migrate to v 14.0.0 I start getting this error on new accounts coming from external IDP.

type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR error=invalid_user_credentials

Some things you need to know, the user already exists on our LDAP, so on the AutoLink Flow we have(See image attached)

Basically the issue is that Keycloak is not able to Link the account coming from the IDP with our LDAP, If we set up the Identity Provider Link manually, the user is able to login.

Thanks for your help.

The logs that I am getting are:

14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE

14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE ONLY

14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) processFlow: AutoLink

14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-create-user-if-unique', requirement: 'ALTERNATIVE'

14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-create-user-if-unique

14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions

14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-create-user-if-unique' : [ authSelection - idp-create-user-if-unique, authSelection - idp-auto-link]

14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-create-user-if-unique

14:48:20,499 WARN [org.keycloak.services] (default task-160) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page

14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) RESET FLOW

14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE

14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE ONLY

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) processFlow: AutoLink

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-create-user-if-unique', requirement: 'ALTERNATIVE'

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-create-user-if-unique

14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions

14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-create-user-if-unique' : [ authSelection - idp-create-user-if-unique, authSelection - idp-auto-link]

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-create-user-if-unique

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-auto-link

14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions

14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-auto-link' : [ authSelection - idp-auto-link]

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-auto-link

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'

14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) execution 'idp-auto-link' is processed

14:48:20,500 WARN [org.keycloak.services] (default task-160) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException

at org.keycloak.ke...@14.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:993)

at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:799)

at org.keycloak.ke...@14.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:852)

at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:314)

at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:829)

at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:723)

at jdk.internal.reflect.GeneratedMethodAccessor919.invoke(Unknown Source)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:566)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjetorImpl.java:138)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokenTarget(ResourceMethodInvoker.java:546)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetfterFilter(ResourceMethodInvoker.java:435)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOTarget$0(ResourceMethodInvoker.java:396)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequesContext.filter(PreMatchContainerRequestContext.java:358)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetResourceMethodInvoker.java:398)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourcMethodInvoker.java:365)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargeObject(ResourceLocatorInvoker.java:150)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResoureLocatorInvoker.java:104)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchroousDispatcher.java:440)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$(SynchronousDispatcher.java:229)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocss$0(SynchronousDispatcher.java:135)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequesContext.filter(PreMatchContainerRequestContext.java:358)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynhronousDispatcher.java:138)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchroousDispatcher.java:215)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDipatcher.service(ServletContainerDispatcher.java:245)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcer.service(HttpServletDispatcher.java:61)

at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcer.service(HttpServletDispatcher.java:56)

at javax.se...@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHndler.java:129)

at org.keycloak.keycloa...@14.0.0//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$dFilter$0(WildFlyRequestFilter.java:41)

at org.keycloak.ke...@14.0.0//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractReuestFilter.java:43)

at org.keycloak.keycloa...@14.0.0//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilterWildFlyRequestFilter.java:39)

at io.undert...@2.2.5.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

at io.under...@2.2.5.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

at io.under...@2.2.5.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

at io.under...@2.2.5.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

at io.under...@2.2.5.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)

at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)

at io.undert...@2.2.5.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)

at io.undert...@2.2.5.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)

at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)

at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)

at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)

at io.under...@2.2.5.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)

at io.under...@2.2.5.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)

at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)

at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)

at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)

at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)

at org.jbo...@3.8.4.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)

at java.base/java.lang.Thread.run(Thread.java:829)

image.png

Reply all

Reply to author

Forward

0 new messages