Description
Using token exchange (external to internal), I've noticed that it always creates a user if he doesn't exist. I would like to prevent this.
Discussion
https://issues.redhat.com/browse/KEYCLOAK-19779?jql=text%20~%20%22token%20exchange%22 and https://lists.jboss.org/archives/list/[email protected]/thread/6OKTOR6EUZK4BLSMOB3IRKCKFRPUSXJI/#UBE2QU4OKMIEGRZIACHMTUSN3JVNXCWN
Motivation
I would like to use token exchange only for linked accounts. If an account has been linked, token exchange will succeed.
Otherwise, it fails and the client application can send the user to the login page. There, he must log in twice, to perform the linking between a Keycloak account and the identity provider account.
Details
I've customized the first broker login for the identity provider to force the account linking. It would be nice if the token exchange offered a similar setting.
Alternatively, policies could be the way to go. It's already possible to create user-based policies - which unfortunately only apply to the external token. It should be possible to create a policy that states that token exchange is only possible for already existing users.
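As an added illustration (not code from the issue author or from the Keycloak project), the block below shows the form parameters a client sends for an external-to-internal token exchange and a small in-memory model of the two behaviours discussed: the current one, where an unknown external subject gets a new user, and the requested "linked accounts only" mode, where the exchange is denied unless a federated identity link already exists. The Keycloak base URL, realm, client, identity provider alias and the naming scheme for provisioned users are assumed placeholders; the parameter names follow Keycloak's documented token-exchange request.

```python
"""Added example, not Keycloak's code: the external-to-internal token exchange
request shape, plus a model of "provision on first exchange" versus "linked only".
Host, realm, client, IdP alias and the provisioned-username scheme are placeholders."""
from dataclasses import dataclass, field

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def exchange_request(base_url, realm, client_id, client_secret, idp_alias, external_token):
    """Return (url, form) for an external-to-internal exchange against Keycloak's
    token endpoint. subject_issuer is the alias of the identity provider that
    issued subject_token; Keycloak validates the token against that provider."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": external_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_issuer": idp_alias,
    }
    return url, form


@dataclass
class UserStore:
    """Constructed stand-in for the realm's users and their federated identities."""
    users: set = field(default_factory=set)
    # (idp_alias, external_subject) -> internal username, i.e. a linked account
    links: dict = field(default_factory=dict)

    def link(self, idp_alias, external_subject, username):
        self.users.add(username)
        self.links[(idp_alias, external_subject)] = username


def resolve_subject(store, idp_alias, external_subject, allow_provisioning):
    """Decide which internal user an external subject maps to.

    Returns ("linked", username) when a federated identity link exists,
    ("provisioned", username) when allow_provisioning is True and a new user
    was created (the behaviour the issue reports), or ("denied", None) when
    allow_provisioning is False and no link exists (the requested mode)."""
    username = store.links.get((idp_alias, external_subject))
    if username is not None:
        return ("linked", username)
    if not allow_provisioning:
        return ("denied", None)
    # Placeholder naming scheme for auto-created users; not Keycloak's.
    username = f"{idp_alias}.{external_subject}"
    store.link(idp_alias, external_subject, username)
    return ("provisioned", username)
```

In the "denied" case the client would redirect the user to the login page described above so the account gets linked through first broker login; once the link exists the same exchange resolves to "linked".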