[BUG] First broker login flow not linking account on restricted client #284

Open
1 task done
beezerk23 opened this issue May 23, 2024 · 3 comments

@beezerk23

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I created an auth flow containing everything from the default First Broker Login Flow and the restrict-client-auth step. When I now log in with a user which already exists in Keycloak but is not linked to the IdP, it gives me the Keycloak linking process. Once I click the link in the mail to link my user to the existing one, I immediately get the "access denied" message from the plugin.

Expected Behavior

Instead of showing the access denied message, the user should first be linked to the provider and afterwards check if the user has the needed roles. It seems like it skips this step.

Steps To Reproduce

No response

Version

- Keycloak: 24.0.3
- This extension: 24.0.0

Anything else?

Here is a screenshot from my flow. I zoomed out to have everything on one screenshot. If it's too small I can provide more.
Screenshot 2024-05-23 at 15 32 18

@beezerk23 beezerk23 added the bug Something isn't working label May 23, 2024
@sventorben sventorben self-assigned this May 23, 2024
@sventorben
Owner

Hey,

Why did you add it to the first broker login flow instead of the post broker login flow?

If I remember correctly Keycloak will not link users when the first broker login flow does not return successfully. That is by design, I think.

Can you give the post broker login flow a try, please?

Best,
Sven-Torben

@beezerk23
Author

Hey Sven-Torben,

I am new to Keycloak. As far as I see there is no post broker login flow. I just "copied" the existing first broker login flow, wrapped it in another subflow and added the plugin as a second step.

@sventorben
Owner

You have to create a new flow and then bind it to your identity provider. Within your identity provider configuration there should be a dropdown box "Post login flow" where you can select the flow to bind it.
