Remove client-initiated account linking legacy endpoints · Issue #39049 · keycloak/keycloak · GitHub
Remove client-initiated account linking legacy endpoints #39049
Open
@mposolda

Description


With the addition of #35446 in 26.3, we deprecated the client-initiated account linking endpoint. This is a follow-up to remove client-initiated account linking in some follow-up major release. Things to remove:

  • IdentityBrokerService.clientInitiatedAccountLinking as well as clientInitiatedAccountLinkingPreflight and maybe some private methods used only by that stuff

  • Endpoint LinkedAccountsResource.buildLinkedAccountURI from the account REST API (This one may possibly need to stay, but at least it could be kept deprecated and the links updated. It should also be ensured that it stays only in account V1 (if we have versioning for account REST APIs))

  • Automated tests using this. Maybe it is only KcOidcBrokerIdpLinkActionTest.testAccountLinkingSuccess_legacyClientInitiatedAccountLinking

  • Some stuff like BrokerUtil.createClientInitiatedLinkURI (Maybe whole class if there is nothing else added to that class in the meantime)

  • Some stuff in IdentityBrokerService could be simplified further. For example, this snippet can likely be removed as it exists just for the purpose of legacy client-initiated account linking:

    if (!Boolean.parseBoolean(authSession.getAuthNote(IdpLinkAction.KC_ACTION_LINKING_IDENTITY_PROVIDER))) {
        // Legacy client-initiated account linking
        // In legacy client-initiated account linking, the userSession should exist before linking was started, however it might be expired during the time when user is authenticating to the IDP
        if (userSession == null) {
            return redirectToErrorWhenLinkingFailed(authSession, Messages.BROKER_LINKING_SESSION_EXPIRED);
        }
        AuthenticationManager.setClientScopesInSession(session, authSession);
        TokenManager.attachAuthenticationSession(session, userSession, authSession);
        this.event.user(authenticatedUser)
                .detail(Details.USERNAME, authenticatedUser.getUsername())
                .detail(Details.IDENTITY_PROVIDER, newModel.getIdentityProvider())
                .detail(Details.IDENTITY_PROVIDER_USERNAME, newModel.getUserName())
                .success();
    }

    Similarly this snippet:

    } else {
        // Legacy client-initiated account linking
        redirect = UriBuilder.fromUri(authSession.getRedirectUri()).build();
    }

Maybe the note KC_ACTION_LINKING_IDENTITY_PROVIDER could be removed altogether, as there is another note used to track this, which is checked during IDP linking: LINKING_IDENTITY_PROVIDER

  • Internal-to-external token exchange V1 has support for the parameter account-linking-url, which is described here: https://www.keycloak.org/securing-apps/token-exchange#_internal_external_making_request. We should either:

    • remove this parameter (which means removing the method AbstractIdentityProvider.getLinkingUrl() )
    • update this to use new kc_action based URL (will likely require some small update in this part of token exchange docs).
    • Remove it entirely if we remove also internal-to-external token exchange (As we may deprecate it in Keycloak 26.3.0 or Keycloak 26.4.0 and then remove this stuff entirely in Keycloak 27.). Then this will be likely handled as dedicated issue for removing internal-to-external token exchange
  • Documentation should be updated (Release notes, upgrading guide, Server development guide section about legacy client-initiated account linking)
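Before a major release removes the legacy endpoint, an administrator will want to know which clients still depend on it. The following Python script is an added example, not part of this issue or of Keycloak's own code: it scans reverse-proxy access logs placed in front of Keycloak and counts, per realm, identity provider and client_id, the requests that hit the deprecated client-initiated linking endpoint (/realms/{realm}/broker/{provider}/link) versus authorization requests that already carry the kc_action parameter. The log lines are constructed, and the kc_action value format used in them is an assumption for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed reverse-proxy access log lines (combined-log style), not real traffic.
# The "kc_action=idp_link:github" value is an assumed illustration of the replacement flow.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "GET /realms/demo/broker/github/link?client_id=portal&redirect_uri=https%3A%2F%2Fportal.example%2Flinked&nonce=abc123&hash=QUJD HTTP/1.1" 302 0
10.0.0.6 - - [10/Jun/2025:12:00:05 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=portal&response_type=code&kc_action=idp_link%3Agithub&redirect_uri=https%3A%2F%2Fportal.example%2Fcb HTTP/1.1" 302 0
10.0.0.7 - - [10/Jun/2025:12:00:09 +0000] "GET /realms/demo/broker/google/link?client_id=legacy-app&redirect_uri=https%3A%2F%2Flegacy.example%2Fdone&nonce=n1&hash=WFla HTTP/1.1" 302 0
10.0.0.7 - - [10/Jun/2025:12:01:09 +0000] "GET /realms/demo/broker/google/link?client_id=legacy-app&redirect_uri=https%3A%2F%2Flegacy.example%2Fdone&nonce=n2&hash=WFla HTTP/1.1" 302 0
10.0.0.8 - - [10/Jun/2025:12:02:00 +0000] "GET /realms/demo/broker/github/endpoint?state=xyz&code=zzz HTTP/1.1" 302 0
"""

# Combined-log request line: client ip, timestamp, "METHOD target HTTP/x.y", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Path of the deprecated client-initiated account-linking endpoint.
LEGACY_LINK = re.compile(r"^/realms/(?P<realm>[^/]+)/broker/(?P<provider>[^/]+)/link$")
REALM_PREFIX = re.compile(r"^/realms/([^/]+)/")


def classify(target):
    """Classify one request target.

    Returns ("legacy", realm, provider, client_id) for the deprecated endpoint,
    ("kc_action", realm, kc_action_value, client_id) for a request that already
    uses the kc_action-based flow, or None for anything else.
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    client_id = qs.get("client_id", ["?"])[0]

    m = LEGACY_LINK.match(parts.path)
    if m:
        return ("legacy", m["realm"], m["provider"], client_id)

    if "kc_action" in qs:
        realm_m = REALM_PREFIX.match(parts.path)
        realm = realm_m.group(1) if realm_m else "?"
        return ("kc_action", realm, qs["kc_action"][0], client_id)

    return None


def scan(log_text):
    """Count legacy and kc_action requests keyed by (realm, provider-or-action, client_id)."""
    legacy = Counter()
    modern = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not request records
        c = classify(m["target"])
        if c is None:
            continue
        kind, realm, subject, client = c
        (legacy if kind == "legacy" else modern)[(realm, subject, client)] += 1
    return legacy, modern


def report(legacy, modern):
    """Render the counts as lines an operator can read or attach to an upgrade ticket."""
    lines = []
    if legacy:
        lines.append("Clients still using the deprecated client-initiated linking endpoint:")
        for (realm, provider, client), n in sorted(legacy.items()):
            lines.append(f"  realm={realm} provider={provider} client_id={client} requests={n}")
    else:
        lines.append("No requests to the deprecated linking endpoint found.")
    if modern:
        lines.append("Clients already using the kc_action-based flow:")
        for (realm, action, client), n in sorted(modern.items()):
            lines.append(f"  realm={realm} kc_action={action} client_id={client} requests={n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*scan(SAMPLE_LOG))))
```

Run it against real proxy logs by reading the file into scan() instead of SAMPLE_LOG; clients that appear under the legacy heading are the ones whose linking flow must be migrated before the endpoint disappears.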

Discussion

No response

Motivation

No response

Details

No response
