invite-existing-user API should reject invitations for users already in the organization
#45.553 geöffnet am 19. Jan. 2026
Repository-Metriken
- Stars
- (34.398 Stars)
- PR-Merge-Metriken
- (Durchschn. Merge 6T 19h) (384 gemergte PRs in 30 T)
Beschreibung
Description
Currently, it is possible to send organization invitations multiple times to a user who already belongs to the target Organization when using the invite-existing-user API.
This behavior differs from the Admin Console, where invitations to users who are already members of the Organization are correctly rejected with an error. The lack of validation in the API leads to inconsistent behavior and allows duplicate invitation emails to be sent.
- https://github.com/keycloak/keycloak/blob/6ceaa2d391f9c7f7dc9dc5874503066a34397669/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationInvitationResource.java#L96-L138
- https://github.com/keycloak/keycloak/blob/6ceaa2d391f9c7f7dc9dc5874503066a34397669/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationInvitationResource.java#L140-L152
Value Proposition
Preventing invitations from being sent to users who already belong to an Organization avoids unnecessary and confusing emails, improves consistency between the Admin Console and API behavior, and makes the invitation flow easier and safer for integrators to use.
This enhancement also aligns the API behavior with the conceptual purpose of invitations, which is to onboard users who are not yet members of an Organization.
Goals
- Reject organization invitations sent via the
invite-existing-userAPI when the target user is already a member of the Organization - Ensure consistent validation behavior between the Admin Console and the API
- Prevent duplicate invitation emails from being sent to existing Organization members
Non-Goals
- Adding or redesigning invitation resend functionality
- Changing the behavior of invitation links after they are sent
- Managing or visualizing pending invitations
- Automatically adding users to Organizations without an explicit invitation
Discussion
No response
Notes
The Admin Console already prevents inviting users who are existing members of the Organization, while the invite-existing-user API does not perform the same validation.
Aligning the API behavior with the Admin Console by adding a membership check before sending an invitation would resolve this inconsistency and prevent duplicate invitations.