keycloak/keycloak

External-Internal Token Exchange - User already Exists

Open

#47.250 aberto em 18 de mar. de 2026

Ver no GitHub
 (2 comments) (5 reactions) (0 assignees)Java (8.346 forks)batch import
area/token-exchangehelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expirestatus/bumped-by-botteam/core-clients

Métricas do repositório

Stars
 (34.398 stars)
Métricas de merge de PR
 (Mesclagem média 6d 19h) (384 fundiu PRs em 30d)

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

token-exchange

Describe the bug

Hello,

I tried to set up Token Exchange between Gitlab ID Token en Keycloak. The main goal is to populate the Keycloak Access Token with some informations coming from Gitlab. Like Which project/pipeline/job/user issues the access token.

This token will be then used to authenticate to third party services. And the service will receive both user information from Keycloak and pipeline info from Gitlab.

The thing is, my users never access Keycloak with Gitlab. It is not used as a IDP for authentication. So at first no user has federated identity with gitlab.

While doing the token exchange Keycloak always tries to create new user instead of « linking » them. I always have « User Already Exists » if the link is not done beforehands.

Do I miss something in my setup ?

thanks for your help !

Version

26

Regression

  • The issue is a regression

Expected behavior

It should be possible to create federated identity on a token exchange if the username/email already matches an existing user.

Actual behavior

Keycloak tries to create a new user and give the error « User already exists ».

How to Reproduce?

  • create user John in Keycloak and third party
  • set up a new IDP for third party
  • try token exchange (whiteout login from third party before)

Anything else?

No response

Guia do colaborador