keycloak/keycloak

The `Redirect URI` field on the broker settings it not based on the front-end URL set to the realm but to the master realm

Open

#38.826 aperta il 10 apr 2025

Vedi su GitHub
 (7 commenti) (1 reazione) (0 assegnatari)Java (8346 fork)batch import
area/admin/uiarea/identity-brokeringhelp wantedkind/bugpriority/lowstatus/auto-bumpteam/core-iam

Metriche repository

Star
 (34.398 star)
Metriche merge PR
 (Merge medio 6g 19h) (384 PR mergiate in 30 g)

Descrizione

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering

Describe the bug

When a frontend URL for a realm is set, identity providers do not seem to respect this setting. The identity provider configuration shows the original URL inside the redirect URL instead of the realm's specific one. Even when using the realm's URL inside the configuration on the identity provider side, logging into a client through said identity provider does not work.

When first logging in through the identity provider, the user is redirected back to the login form instead of the client. Keycloak in the meantime did create the user. When logging in through the same identity provider again, an internal error in Keycloak occurs because it's trying to create the user again and a unique constraint exception is thrown: Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "constraint_offl_us_ses_pk2" Detail: Key (user_session_id, offline_flag)=(ID_HERE, 0) already exists.

Version

26.1.4

Regression

  • The issue is a regression

Expected behavior

I would expect two things:

  1. The automatically generated redirect URL inside the identity provider configuration uses the realm's frontend URL
  2. Logging into a client (in my case the KC account console) works as normal

Actual behavior

The user is redirected back to the login form instead of the client. Upon attempting again, the user is faced with an internal server error ("an internal server error has occurred").

How to Reproduce?

  1. Create a new realm
  2. Set the realm's frontend URL to be different from the master realm's
  3. Create an identity provider 3a. Here we can see the redirect URL not using the realm's frontend URL, but the master realm's
  4. Open the URL for the realm's account console (using the realm's frontend url)
  5. Try to sign in using the identity provider 5a. We're now redirected back to the login form instead of the client
  6. Click the identity provider login button again 6a. We're now seeing said internal server error

Anything else?

No response

Guida contributor