Token exchange using same username

Hi,

I would like to use OIDC token exchange in my application alongside SAML authentication, and I'm facing a problem when the user is created by SAML first (I receive a "User already exists" error when I try to do the token exchange).

In detail, the problem can be summarised like this:

  • My users can log on to a portal using SAML authentication; a user is created in KC where the username is the email
  • On another app, I receive a token from an external provider (Microsoft Azure in this situation) that I want to exchange for a valid token on my API. When I do the exchange, KC refuses to do it because the user already exists from another provider

When the user already exists I fall on this.

There is one possible fix explained here where you force the username to be different (easy to implement by playing with the mappers) to avoid the issue, but it seems a bit dirty to me since you'll have 2 different KC users while this is the same person.

Another fix could be to "force" the user to log in using OIDC first and then SAML (very hard in practice). We don't face the issue when the user is created by the token exchange first, because we can set the "auto link" first broker login flow as described in the Keycloak documentation.

I was wondering why we need this security check? In my situation the SAML and OIDC providers are related to the same users (as it's the same user directory behind both providers).

Maybe we could add an extra option (at the realm or broker level) to allow linking on the username? Or use the first broker login flow during a token exchange?

Thanks in advance