Just in time user provisioning

Jake · November 19, 2019, 2:42pm

Hey,

I have a keycloak connected to a OIDC IDP. This OIDC connection is where the users are stored. That hooks up fine however when testing I found that the account could only login once or it will get an info box upon the second login to say the account already exists. I did some digging and found that I needed to make an authentication flow for the OIDC IDP:

https://www.keycloak.org/docs/latest/server_admin/index.html#automatically-link-existing-first-login-flow

I setup a new flow with the following executions:
Create user if Unique (alt)
Automatically Set Existing User (alt)

Problem is that I can login with my OIDC account the first time but the second time I get:

We are sorry…

Unexpected error when authenticating with identity provider

If i delete the account and test login again it works fine, and then on the second login get that error.

In terms of attributes I am sending over first name, lastname and email and I have mapped this in the OIDC mapper.

Am I missing something with the flow?

antonio · January 27, 2020, 6:14pm

I have the same problem here!

Topic		Replies	Views
Authenticate to Link Account Failed (Keycloak OIDC) Configuring the server authentication , identity-brokering , oidc	0	1236	January 20, 2021
Link IdP to existing user Configuring the server	12	31576	December 5, 2024
Multiple IDENTITY_PROVIDER_FIRST_LOGIN at the same time for the same user preventing user from signing in authentication , identity-brokering	0	36	February 13, 2025
Keycloak login via token exchange with IDP works, but not every time Getting advice authentication , identity-brokering	0	23	November 9, 2024
First Broker Login Flow not working Keycloak v 14.0.0 Getting advice	0	2124	September 29, 2021

Just in time user provisioning

We are sorry…

Related topics