
[BUG] subsequent login after first login fails #35

Closed
1 task done
simonpayne1 opened this issue Feb 23, 2022 · 2 comments
Assignees
Labels
documentation Improvements or additions to documentation wontfix This will not be worked on

Comments

@simonpayne1

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

A user can log in via the discovered IDP on first login successfully.

However, once the user has been created in the 'test-realm', subsequent login fails with 'Invalid username or password.'

The user is not given the opportunity to enter a password either on the test realm or on the linked IdP.

Expected Behavior

User can log in.

Steps To Reproduce

  1. As admin, create a user in the IDP, e.g. simon@example.com
  2. As the user, browse to http://localhost:8080/admin/test-realm/console
  3. Enter simon@example.com to be redirected to the IdP realm
  4. Enter the password; the user authenticates successfully and is redirected back to test-realm, and the user is created in test-realm
  5. Log out of test-realm
  6. Try to log in again using the same user
  7. An error message is shown

Version

- Keycloak:
- This extension:

Anything else?

No response

@simonpayne1 simonpayne1 added the bug Something isn't working label Feb 23, 2022
@sventorben
Owner

Hey @simonpayne1,

thanks for reporting this.
At first sight, this behaviour may seem irritating, but it actually works as designed.

When the user first logs in via the home IdP, the authenticator assumes that the user's email simon@example.com is verified and trusted. Otherwise redirecting to that IdP based on the email domain example.com would not make sense, right?

During the first login, Keycloak will import the user to the realm (test-realm in this case). During second login the user now already exists with the email simon@example.com in the test-realm. Therefore, the authenticator will now validate whether the email address is verified. In your case this does not seem to be the case. The outcome of the authenticator will be marked as attempted. If you do not have an additional alternative configured, authentication fails.

In your example, please ensure that Trust Email is switched on to trust emails and to make the second login succeed.


Best regards
Sven-Torben

@sventorben sventorben self-assigned this Feb 23, 2022
@sventorben sventorben added wontfix This will not be worked on and removed bug Something isn't working labels Feb 23, 2022
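The two-login behaviour explained above, as an added toy model (not the extension's or Keycloak's code): a constructed realm with one IdP mapped to example.com, where the imported user's emailVerified flag is assumed to mirror the IdP's Trust Email switch, and the authenticator step only redirects an existing user when that flag is set.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Outcomes of the authenticator step as used in the discussion:
# REDIRECT sends the user to the home IdP; ATTEMPTED means the step did not
# claim the login, so without an alternative authenticator the flow fails.
REDIRECT, ATTEMPTED = "redirect-to-idp", "attempted"

@dataclass
class IdentityProvider:
    alias: str
    domains: set[str]
    trust_email: bool          # the "Trust Email" switch in the IdP settings

@dataclass
class RealmUser:
    email: str
    email_verified: bool

@dataclass
class Realm:
    idps: list[IdentityProvider]
    users: dict[str, RealmUser] = field(default_factory=dict)

    def idp_for(self, email: str) -> IdentityProvider | None:
        domain = email.rpartition("@")[2].lower()
        return next((p for p in self.idps if domain in p.domains), None)

def home_idp_authenticate(realm: Realm, email: str) -> str:
    """One run of the home-IdP-discovery step for the given login hint."""
    idp = realm.idp_for(email)
    if idp is None:
        return ATTEMPTED                      # no home IdP for this domain
    user = realm.users.get(email.lower())
    if user is None:
        # First login: redirect, and let the broker import the user.
        # Assumption: the imported user's emailVerified mirrors Trust Email.
        realm.users[email.lower()] = RealmUser(email, email_verified=idp.trust_email)
        return REDIRECT
    # Subsequent login: the user already exists, so only a verified email
    # counts as evidence that redirecting to this IdP is legitimate.
    return REDIRECT if user.email_verified else ATTEMPTED

def two_logins(trust_email: bool) -> tuple[str, str]:
    """Reproduce the reporter's steps 3-6 against a constructed realm."""
    realm = Realm([IdentityProvider("idp-realm", {"example.com"}, trust_email)])
    first = home_idp_authenticate(realm, "simon@example.com")
    second = home_idp_authenticate(realm, "simon@example.com")
    return first, second
```

With Trust Email off, `two_logins(False)` gives a redirect on the first login and `attempted` on the second, which is the reported failure; with it on, both logins redirect to the home IdP.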
@simonpayne1
Author

I can confirm that this suggestion works. Thanks.
