Intermittent IDENTITY_PROVIDER_FIRST_LOGIN_ERROR with invalid_user_credentials during First Broker Login (Microsoft OIDC IdP) #44501
Unanswered. rijo-armada asked this question in Q&A.
Replies: 1 comment
Hi, did you find a solution for this problem?
0 replies
Hi all,
Keycloak version: 26.0.2
I’m seeing an intermittent issue with Keycloak’s First Broker Login flow when using a Microsoft Entra ID (Azure AD) OIDC identity provider, and I’m trying to understand what exactly triggers:
IDENTITY_PROVIDER_FIRST_LOGIN_ERROR
with error="invalid_user_credentials"
even though users never type any credentials into Keycloak.
I’ll describe the setup and behavior below.
Login / SSO Flow
Our application uses the following SSO flow:
1. User opens our application and enters their email address.
2. The app redirects to Keycloak (client=login) with kc_idp_hint set to our Microsoft IdP.
3. Keycloak redirects the user to Microsoft for authentication.
4. User successfully authenticates at Microsoft.
5. Microsoft redirects back to Keycloak.
6. Keycloak runs the First Broker Login flow (since this is an IdP login).
7. On success, Keycloak redirects back to the application with an authorization code, and the app exchanges it for tokens from Keycloak.
For almost all users, this works fine.
For a small subset of users, in rare cases, we see the following in the Keycloak logs when they attempt to log in via SSO:
2025-11-26 04:56:34,386 WARN [org.keycloak.services] (executor-thread-5016) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1082)
at org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:919)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:912)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:380)
at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:951)
at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:823)
...
From the user’s perspective, they:
1. Successfully log in at Microsoft.
2. Are then bounced back and see a failure message instead of being logged into the application.
What I’m trying to figure out is:
1. Why this only happens for some users, and
2. Why deleting the user sometimes temporarily fixes it and sometimes doesn’t.
I am also pasting the current First Broker Login Flow I have configured.
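As an added triage example (not part of the original post, and not Keycloak's own code): a small Python script that parses the key=value lines that Keycloak's jboss-logging event listener writes, groups IDENTITY_PROVIDER_FIRST_LOGIN_ERROR events by identity provider and broker identity, and flags identities that also logged in successfully elsewhere in the same log, which is the intermittent pattern described above. The sample log lines are constructed for the example; the field names identity_provider and identity_provider_identity are Keycloak event detail keys, but the exact line layout (quoted versus bare values, log category) is an assumption, so the parser accepts both forms.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the key=value format that Keycloak's
# jboss-logging event listener emits (values may be quoted or bare). They are
# illustrative only, not copied from the page or from any real deployment.
SAMPLE_LOG = """\
2025-11-26 04:50:01,120 WARN  [org.keycloak.events] (executor-thread-12) type="IDENTITY_PROVIDER_FIRST_LOGIN_ERROR", realmId="example", clientId="login", userId="null", ipAddress="203.0.113.10", error="invalid_user_credentials", identity_provider="microsoft", identity_provider_identity="alice@example.org", username="alice@example.org"
2025-11-26 04:52:17,004 DEBUG [org.keycloak.events] (executor-thread-13) type="LOGIN", realmId="example", clientId="login", userId="1a2b", ipAddress="203.0.113.10", identity_provider="microsoft", identity_provider_identity="alice@example.org", username="alice@example.org"
2025-11-26 04:56:34,386 WARN  [org.keycloak.events] (executor-thread-5016) type="IDENTITY_PROVIDER_FIRST_LOGIN_ERROR", realmId="example", clientId="login", userId="null", ipAddress="198.51.100.7", error="invalid_user_credentials", identity_provider="microsoft", identity_provider_identity="bob@example.org", username="bob@example.org"
2025-11-26 04:57:02,901 DEBUG [org.keycloak.events] (executor-thread-14) type=LOGIN, realmId=example, clientId=login, userId=9f8e, ipAddress=198.51.100.9, identity_provider=microsoft, identity_provider_identity=carol@example.org, username=carol@example.org
2025-11-26 05:01:44,222 WARN  [org.keycloak.services] (executor-thread-15) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
"""

# key=value pairs: the value is either double-quoted or runs to the next comma/space
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

# Message code of the generic "Failed authentication" warning seen on the page
FAILED_AUTH_CODE = "KC-SERVICES0013"


def parse_event(line):
    """Return a dict of event fields for a Keycloak event line, else None."""
    if " type=" not in line:
        return None
    fields = {}
    for m in PAIR_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def summarize_first_login_errors(log_text):
    """Group IDENTITY_PROVIDER_FIRST_LOGIN_ERROR events by (IdP, broker identity).

    Each row also records whether the same identity logged in successfully
    somewhere in the log, so intermittent failures stand out from identities
    that never get through the broker flow at all.
    """
    errors = defaultdict(lambda: defaultdict(int))
    successes = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev.get("identity_provider", "?"),
               ev.get("identity_provider_identity") or ev.get("username", "?"))
        if ev.get("type") == "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR":
            errors[key][ev.get("error", "?")] += 1
        elif ev.get("type") in ("LOGIN", "IDENTITY_PROVIDER_LOGIN"):
            successes.add(key)
    rows = []
    for (idp, identity), by_error in sorted(errors.items()):
        rows.append({
            "identity_provider": idp,
            "broker_identity": identity,
            "errors": dict(by_error),
            "first_login_errors": sum(by_error.values()),
            "also_logged_in_ok": (idp, identity) in successes,
        })
    return rows


def count_failed_authentication_warnings(log_text):
    """Count KC-SERVICES0013 warnings; these carry no event details themselves."""
    return sum(1 for line in log_text.splitlines() if FAILED_AUTH_CODE in line)


if __name__ == "__main__":
    for row in summarize_first_login_errors(SAMPLE_LOG):
        print(row)
    print("failed-authentication warnings:",
          count_failed_authentication_warnings(SAMPLE_LOG))
```

Run it against a real server log with the jboss-logging event listener enabled and the `identity_provider_identity` detail present; the rows with `also_logged_in_ok` set to True are the users to compare (existing Keycloak account, linked federated identity, email already in use) against the ones that fail every time.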