keycloak/keycloak

invite-existing-user API should reject invitations for users already in the organization

Open

#45.553 geöffnet am 19. Jan. 2026

Auf GitHub ansehen
 (1 Kommentar) (3 Reaktionen) (0 zugewiesene Personen)Java (8.346 Forks)batch import
area/organizationshelp wantedkind/bugpriority/normalstatus/auto-bumpteam/core-iam

Repository-Metriken

Stars
 (34.398 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 6T 19h) (384 gemergte PRs in 30 T)

Beschreibung

Description

Currently, it is possible to send organization invitations multiple times to a user who already belongs to the target Organization when using the invite-existing-user API.

This behavior differs from the Admin Console, where invitations to users who are already members of the Organization are correctly rejected with an error. The lack of validation in the API leads to inconsistent behavior and allows duplicate invitation emails to be sent.

Value Proposition

Preventing invitations from being sent to users who already belong to an Organization avoids unnecessary and confusing emails, improves consistency between the Admin Console and API behavior, and makes the invitation flow easier and safer for integrators to use.

This enhancement also aligns the API behavior with the conceptual purpose of invitations, which is to onboard users who are not yet members of an Organization.

Goals

  • Reject organization invitations sent via the invite-existing-user API when the target user is already a member of the Organization
  • Ensure consistent validation behavior between the Admin Console and the API
  • Prevent duplicate invitation emails from being sent to existing Organization members

Non-Goals

  • Adding or redesigning invitation resend functionality
  • Changing the behavior of invitation links after they are sent
  • Managing or visualizing pending invitations
  • Automatically adding users to Organizations without an explicit invitation

Discussion

No response

Notes

The Admin Console already prevents inviting users who are existing members of the Organization, while the invite-existing-user API does not perform the same validation.

Aligning the API behavior with the Admin Console by adding a membership check before sending an invitation would resolve this inconsistency and prevent duplicate invitations.

Contributor Guide