Hi everyone,
I am having some trouble with the “First Broker Login Flow”, especially the AutoLink flow.
Keycloak v12.0.2 was working as expected, but when I migrated to v14.0.0 I started getting this error on new accounts coming from the external IDP.
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR error=invalid_user_credentials
Some things you need to know: the user already exists in our LDAP, so in the AutoLink flow we have (see image attached)
Basically the issue is that Keycloak is not able to link the account coming from the IDP with our LDAP. If we set up the Identity Provider link manually, the user is able to log in.
Thanks for your help.
The logs that I am getting are:
14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE
14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE ONLY
14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) processFlow: AutoLink
14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-create-user-if-unique', requirement: 'ALTERNATIVE'
14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-create-user-if-unique
14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions
14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-create-user-if-unique' : [ authSelection - idp-create-user-if-unique, authSelection - idp-auto-link]
14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-create-user-if-unique
14:48:20,499 WARN [org.keycloak.services] (default task-160) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) RESET FLOW
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE ONLY
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) processFlow: AutoLink
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-create-user-if-unique', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-create-user-if-unique
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-create-user-if-unique' : [ authSelection - idp-create-user-if-unique, authSelection - idp-auto-link]
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-create-user-if-unique
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) authenticator: idp-auto-link
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Going through the flow 'AutoLink' for adding executions
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-160) Selections when trying execution 'idp-auto-link' : [ authSelection - idp-auto-link]
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-auto-link
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) execution 'idp-auto-link' is processed
14:48:20,500 WARN [org.keycloak.services] (default task-160) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.ke...@14.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:993)
at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:799)
at org.keycloak.ke...@14.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:852)
at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:314)
at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:829)
at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:723)
at jdk.internal.reflect.GeneratedMethodAccessor919.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:546)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:435)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:396)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:398)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:365)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$(SynchronousDispatcher.java:229)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
at org.jboss.restea...@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at javax.se...@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.keycloa...@14.0.0//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
at org.keycloak.ke...@14.0.0//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
at org.keycloak.keycloa...@14.0.0//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
at io.undert...@2.2.5.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.under...@2.2.5.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.under...@2.2.5.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.under...@2.2.5.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.under...@2.2.5.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at io.under...@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
at io.undert...@2.2.5.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undert...@2.2.5.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at org.wildfly.ext...@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
at io.undert...@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
at io.under...@2.2.5.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
at io.under...@2.2.5.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at org.jbo...@3.8.4.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
at java.base/java.lang.Thread.run(Thread.java:829)
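Added example, not part of the original post and not Keycloak's own code: a small Python helper that reconstructs the first-broker-login execution trace from DEBUG lines like the ones above, grouped by worker thread, so you can see in one place which authenticator was invoked, where the flow was reset, and which execution was the last one invoked before KC-SERVICES0013 fired. The embedded sample log is a trimmed, constructed copy of the excerpt in the post (two stack-trace frames are kept to show that non-record lines are skipped); `parse_events`, `summarize`, `render` and the `FlowTrace` fields are names chosen for this example.

```python
"""Trace a Keycloak first-broker-login flow from DEBUG server.log lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the DEBUG/WARN lines from the post,
# plus two stack-trace frames to show that non-record lines are ignored.
SAMPLE_LOG = """\
14:48:20,498 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE
14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) processFlow: AutoLink
14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-create-user-if-unique', requirement: 'ALTERNATIVE'
14:48:20,498 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-create-user-if-unique
14:48:20,499 WARN [org.keycloak.services] (default task-160) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) RESET FLOW
14:48:20,500 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-160) AUTHENTICATE
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) processFlow: AutoLink
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-create-user-if-unique', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-create-user-if-unique
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) invoke authenticator.authenticate: idp-auto-link
14:48:20,500 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-160) execution 'idp-auto-link' is processed
14:48:20,500 WARN [org.keycloak.services] (default task-160) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.ke...@14.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:993)
at org.keycloak.ke...@14.0.0//org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:723)
"""

# One WildFly/Keycloak log record: time LEVEL [logger] (thread) message
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]"
    r"\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)

# Message shapes emitted by AuthenticationProcessor / DefaultAuthenticationFlow
# and the KC-SERVICES warnings, in the form seen in the post.
PATTERNS = [
    ("flow", re.compile(r"^processFlow: (\S+)$")),
    ("check", re.compile(r"^check execution: '([^']+)', requirement: '([A-Z]+)'$")),
    ("invoke", re.compile(r"^invoke authenticator\.authenticate: (\S+)$")),
    ("processed", re.compile(r"^execution '([^']+)' is processed$")),
    ("reset", re.compile(r"^RESET FLOW$")),
    ("warn", re.compile(r"^(KC-SERVICES\d+): (.*)$")),
]


@dataclass
class FlowTrace:
    thread: str
    events: List[Tuple] = field(default_factory=list)  # (kind, *captured groups)


def parse_events(log_text: str) -> Dict[str, FlowTrace]:
    """Group flow-relevant events by worker thread. Lines that are not log
    records (stack-trace frames, continuation lines) are skipped."""
    traces: Dict[str, FlowTrace] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        for kind, pat in PATTERNS:
            pm = pat.match(m.group("msg"))
            if pm:
                trace = traces.setdefault(m.group("thread"), FlowTrace(m.group("thread")))
                trace.events.append((kind,) + pm.groups())
                break
    return traces


def summarize(trace: FlowTrace) -> dict:
    """Reduce one thread's events to the facts you want when a broker login fails."""
    invoked, warnings, flows = [], [], []
    resets, exception, last_invoked = 0, None, None
    for ev in trace.events:
        kind = ev[0]
        if kind == "flow":
            flows.append(ev[1])
        elif kind == "invoke":
            invoked.append(ev[1])
        elif kind == "reset":
            resets += 1
        elif kind == "warn":
            warnings.append(ev[1])
            if ev[1] == "KC-SERVICES0013":  # "Failed authentication: <exception>"
                exception = ev[2].split("Failed authentication: ", 1)[-1].strip()
                last_invoked = invoked[-1] if invoked else None
    return {
        "flow": flows[0] if flows else None,
        "passes": len(flows),            # processFlow seen twice => flow ran, reset, ran again
        "invoked": invoked,
        "resets": resets,
        "warnings": warnings,
        "failed": exception is not None,
        "exception": exception,
        "last_invoked_before_failure": last_invoked,
    }


def render(trace: FlowTrace) -> str:
    """Compact one-line-per-event timeline for a thread."""
    return "\n".join([f"thread {trace.thread}:"] + ["  " + " ".join(ev) for ev in trace.events])


if __name__ == "__main__":
    for t in parse_events(SAMPLE_LOG).values():
        print(render(t))
        print(summarize(t))
```

Feed it a real `server.log` with `parse_events(open("server.log").read())`; the stack-trace frames are dropped, and the per-thread grouping keeps concurrent logins apart. What the trace makes visible in the excerpt above is the ordering: the reset is triggered by KC-SERVICES0020 (the brokered identity arrived with no email), the flow then runs a second pass, and the only executions it ever checks are `idp-create-user-if-unique` and `idp-auto-link`, with `idp-auto-link` being the last one invoked before the AuthenticationFlowException. That narrows where to look (what the IdP mappers deliver for email, and what `idp-auto-link` needs to find the existing user), but the trace itself does not say why the link failed.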