Keycloak 24: linking of Keycloak-account with identity-provider does not work in different browsers ( as expected )

[Chr1st0ph]

Hello there,

I want to migrate from Keycloak 23.0.6 to 24.0.3, and ran into an issue with idp-account-linking.

The following scenario:

I register in Keycloak 24.0.3, and verify my email.
Now I want to additionally link this account to Google as identity-provider, and start the linking process. I receive an email with a link to confirm.

I have two scenarios now:

1. if I open the link of the email in the same browser which was used to start the linking-process, everything works fine: the original auth-session is found, and there is a required-action "VERIFY_EMAIL" in the auth-session which is used to pass the new validation in IdpEmailVerificationAuthenticator:84 ( if (user.isEmailVerified() && !isVerifyEmailActionSet(user, authSession)) {

2. I open the link in a second browser which does not share the original session, and the following occurs:
   the original auth-session is not found in LoginActionsService#handleActionToken; thus, the required-action "VERIFY_EMAIL" is not found, validation in IdpEmailVerificationAuthenticator:84 kicks in, and I am forwarded to the info-page with the message "Your email address has been verified already."

Thanks in advance for any insight for making it work like in KC 23.0.6 ( i.e. account-linking works in any scenario ).

[codespearhead]

It seems that the bug was introduced in #25711 . What's your suggestion for making it work in that case?

[Chr1st0ph]

@codespearhead Thank you for addressing my issue.

One "solution" might be to set the required-action "VERIFY_EMAIL" on the user-model ( like in MailSender#124 ) instead of the auth-session ( IdpEmailVerificationAuthenticator#150 ).

I tried it locally: if the email is already verified, and the required-action is set in the admin-console manually for my user, I can log in without being asked to verify the email again, and the account-linking works in a different browser as well.

But I cannot estimate if it would have side-effects on other use-cases.

[Chr1st0ph]

I guess there might be sort-order issues:

1. user registers but does not verify the email yet
2. user links the account to an identity-provider without confirming the email
3. user verifies the email
4. user wants to verify account-linking, but the required-action disappeared from user-model in step 3