8000 Identity provider with FORCE sync mode does not detect verified email change · Issue #39885 · keycloak/keycloak · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
Identity provider with FORCE sync mode does not detect verified email change #39885
New issue
New issue
Closed
#40006
Closed
Identity provider with FORCE sync mode does not detect verified email change#39885
#40006
Assignees
pedroigor
Labels
area/identity-brokeringkind/enhancementCategorizes a PR related to an enhancementpriority/importantMust be worked on very soonrelease/26.3.0team/core-iam
@kherock

Description

@kherock
kherock
opened on May 21, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting 85F2 issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering

Describe the bug

I have a scenario where users authenticate with an identity provider and have the option to skip verifying their email address for later. However, once they do, this email verification status is not detected by Keycloak because their email address technically did not change.

Version

26.2

Regression

  • The issue is a regression

Expected behavior

The user's "Email verified" toggle should be set to the state last reported by an IDP with "FORCE" sync mode set.

Actual behavior

The "Email verified" state is unchanged, only updating if the user's email address changes.

How to Reproduce?

  1. Connect a Keycloak realm to another IDP (such as another Keycloak realm) with an OIDC identity provider type. The IDP should have the "Trust email" setting toggled On.
  2. Sign into the Keycloak realm as a user with an unverified email address on the connected IDP
  3. Toggle the user's email verified state to true on the connected IDP
  4. Sign out, and sign into the realm again
  5. Observe that the user's email is still unverified on the Keycloak realm.

Anything else?

The change detection here needs to account for the state of the email_verified claim sent from the IDP!

keycloak/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java

Lines 1114 to 1125 in 6349528

private void setBasicUserAttributes(BrokeredIdentityContext context, UserModel federatedUser) {
setDiffAttrToConsumer(federatedUser.getEmail(), context.getEmail(), email -> setEmail(context, federatedUser, email), true);
setDiffAttrToConsumer(federatedUser.getFirstName(), context.getFirstName(), federatedUser::setFirstName, false);
setDiffAttrToConsumer(federatedUser.getLastName(), context.getLastName(), federatedUser::setLastName, false);
}
private void setDiffAttrToConsumer(String actualValue, String newValue, Consumer<String> consumer, boolean ignoreCase) {
String actualValueNotNull = Optional.ofNullable(actualValue).orElse("");
if (newValue != null && !(ignoreCase? newValue.equalsIgnoreCase(actualValueNotNull) : newValue.equals(actualValueNotNull))) {
consumer.accept(newValue);
}
}

Metadata

Metadata

Assignees

Labels

area/identity-brokeringkind/enhancementCategorizes a PR related to an enhancementpriority/importantMust be worked on very soonrelease/26.3.0team/core-iam

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    0