keycloak/keycloak

External-Internal Token Exchange - User already Exists

Open

#47.250 aperta il 18 mar 2026

Vedi su GitHub
 (2 commenti) (5 reazioni) (0 assegnatari)Java (8346 fork)batch import
area/token-exchangehelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expirestatus/bumped-by-botteam/core-clients

Metriche repository

Star
 (34.398 star)
Metriche merge PR
 (Merge medio 6g 19h) (384 PR mergiate in 30 g)

Descrizione

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

token-exchange

Describe the bug

Hello,

I tried to set up Token Exchange between Gitlab ID Token en Keycloak. The main goal is to populate the Keycloak Access Token with some informations coming from Gitlab. Like Which project/pipeline/job/user issues the access token.

This token will be then used to authenticate to third party services. And the service will receive both user information from Keycloak and pipeline info from Gitlab.

The thing is, my users never access Keycloak with Gitlab. It is not used as a IDP for authentication. So at first no user has federated identity with gitlab.

While doing the token exchange Keycloak always tries to create new user instead of « linking » them. I always have « User Already Exists » if the link is not done beforehands.

Do I miss something in my setup ?

thanks for your help !

Version

26

Regression

  • The issue is a regression

Expected behavior

It should be possible to create federated identity on a token exchange if the username/email already matches an existing user.

Actual behavior

Keycloak tries to create a new user and give the error « User already exists ».

How to Reproduce?

  • create user John in Keycloak and third party
  • set up a new IDP for third party
  • try token exchange (whiteout login from third party before)

Anything else?

No response

Guida contributor