Identity provider with FORCE sync mode does not detect email deletion · Issue #40434 · keycloak/keycloak · GitHub
Identity provider with FORCE sync mode does not detect email deletion #40434
Open
@pse-sonic

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering

Describe the bug

The forced sync of the user's email address does not work if the email address was removed on a connected IDP after the first login.

Version

26.2.3

Regression

  • The issue is a regression

Expected behavior

The user's email address should be set to the last value reported by an IDP with "FORCE" sync mode set, even if it is empty.

Actual behavior

The email address of a user is still present after setting it to blank on a connected IDP.

How to Reproduce?

  • Connect a Keycloak realm to another IDP (such as another Keycloak realm) with an OIDC identity provider type.
  • Sign into the Keycloak realm as a user with a stored email address on the connected IDP.
  • Delete the user's email address on the connected IDP.
  • Sign out, and sign into the realm again
  • Observe that the user's email is still present on the Keycloak realm.

Anything else?

No response
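
An offline audit for the drift this report describes, added here as an example; it is not code from the reporter or from the Keycloak project. It assumes you have exported the realm's users (fields shaped like the Admin REST user representation) and the last claims seen per upstream subject; the alias `upstream-oidc`, the subjects and all records are constructed sample data.

```python
# Constructed sample data (not Keycloak output). Field names follow the
# Admin REST user representation; the alias and subjects are made up.
IDP_ALIAS = "upstream-oidc"

def _user(name, email, sub=None):
    links = [{"identityProvider": IDP_ALIAS, "userId": sub}] if sub else []
    return {"username": name, "email": email, "federatedIdentities": links}

LOCAL_USERS = [
    _user("alice", "alice@example.test", "sub-1"),  # email claim removed upstream
    _user("bob", "bob@example.test", "sub-2"),      # email blanked upstream
    _user("carol", "Carol@example.test", "sub-3"),  # unchanged apart from case
    _user("dave", "dave@example.test"),             # local-only account
]
UPSTREAM_CLAIMS = {  # last claims seen per upstream subject
    "sub-1": {"sub": "sub-1"},
    "sub-2": {"sub": "sub-2", "email": "  "},
    "sub-3": {"sub": "sub-3", "email": "carol@example.test"},
}

def normalize(value):
    """Missing, null and blank all mean 'no email'; compare case-insensitively."""
    value = (value or "").strip().lower()
    return value or None

def audit_force_sync(local_users, upstream_claims, idp_alias):
    """List brokered users whose stored email differs from the last upstream value."""
    findings = []
    for user in local_users:
        link = next((l for l in user.get("federatedIdentities", [])
                     if l["identityProvider"] == idp_alias), None)
        if link is None:
            continue  # not linked to this IdP, so FORCE sync does not apply
        claims = upstream_claims.get(link["userId"])
        if claims is None:
            findings.append((user["username"], "no-upstream-claims", None, None))
            continue
        have, want = normalize(user.get("email")), normalize(claims.get("email"))
        if have != want:
            kind = "stale-after-deletion" if want is None else "mismatch"
            findings.append((user["username"], kind, have, want))
    return findings

if __name__ == "__main__":
    for finding in audit_force_sync(LOCAL_USERS, UPSTREAM_CLAIMS, IDP_ALIAS):
        print(finding)
```

A `stale-after-deletion` finding is the case in this report: the realm still stores an email that the upstream IDP no longer asserts.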
