Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
identity-brokering
Describe the bug
Up until Keycloak 26.1, if an external identity provider returned an error during step-up authentication (i.e. the user is already logged in but needs to increase the LoA via the external IdP), Keycloak routed back to the browser flow, where we could handle the error, show something to the user, etc.
Now Keycloak redirects to the caller (redirect_uri) and provides an error.
Version
26.1.2
Regression
- The issue is a regression
Expected behavior
External IdP errors can be handled in the flow rather than being returned directly to the client.
Actual behavior
Keycloak redirects to the client without us being able to handle the error.
How to Reproduce?
The easiest way to reproduce this should be a custom browser flow without the Cookie authenticator (to simulate step-up authentication even if the user is already logged in, without setting up actual step-up authentication or a custom authenticator handling a higher requested LoA) and a single external IdP configured in the realm.
Then log in normally and trigger the login again after you are already logged in. Select the external IdP to authenticate and trigger an error there.
Anything else?
This bug was introduced by #35728, which removed the client-id check from checkAccountManagementFailedLinking.