Description
After reading the docs on Client Initiated Account Linking and trying to implement a custom account console on Keycloak version 24, I found out that this flow does not behave like other AIAs in terms of returning action results to client applications. I believe we can make the status of the action more clear to clients so they can handle it like other actions.
Discussion
No response
Motivation
To make it clear for the client to handle the action result when being redirected back after linking IDP accounts.
Details
In this section of the docs:
After the account has been linked, the auth server will redirect back to the redirect_uri. If there is a problem servicing the link request, the auth server may or may not redirect back to the redirect_uri. The browser may just end up at an error page instead of being redirected back to the application. If there is an error condition and the auth server deems it safe enough to redirect back to the client app, an additional error query parameter will be appended to the redirect_uri.
It is not clear what the error query parameter looks like or how to handle it.
Also, if the action succeeded, there is no indication in the redirect URI that it did. By contrast, when other AIAs finish, they add a kc_action_status query parameter to the redirect URI with three possible values: success, error or cancel, which makes it clear to clients how to handle the action result.
I think we should enhance the ability of this flow by adapting the AIA mechanism to make it more robust.
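As an added illustration of the gap described above (example code, not from the issue or from Keycloak), here is how a client application can interpret the redirect it lands on after an AIA or account-linking round trip. The parameter name kc_action_status, its values success/error/cancel and the bare error parameter come from the issue text; the function name, the "indeterminate" outcome and the sample URLs are constructed for this example.

```javascript
// Added example: classify the outcome of a redirect back from Keycloak.
// kc_action_status, its values and the `error` parameter are taken from the
// issue text; everything else (names, outcomes, sample URLs) is constructed.

const AIA_STATUSES = new Set(["success", "error", "cancel"]);

/**
 * Inspect the redirect_uri the browser arrived at and return
 * { outcome, source, detail } with outcome one of
 * "success" | "error" | "cancel" | "indeterminate".
 */
function classifyRedirect(redirectUrl) {
  const params = new URL(redirectUrl).searchParams;

  // 1. Other AIAs: kc_action_status is the authoritative signal.
  const status = params.get("kc_action_status");
  if (status !== null) {
    if (AIA_STATUSES.has(status)) {
      return { outcome: status, source: "kc_action_status", detail: params.get("error") };
    }
    // Unknown value: do not guess, report it as indeterminate.
    return { outcome: "indeterminate", source: "kc_action_status", detail: status };
  }

  // 2. Account linking today: only an `error` parameter may be appended,
  //    and only when the server deems it safe to redirect back at all.
  const error = params.get("error");
  if (error !== null) {
    return { outcome: "error", source: "error", detail: error };
  }

  // 3. No signal at all. A successful link looks identical to a redirect
  //    with no action, so the client must re-check the linked-identity
  //    state on the server instead of assuming success.
  return { outcome: "indeterminate", source: "none", detail: null };
}

// Constructed sample redirects for demonstration.
const SAMPLES = [
  "https://app.example/callback?kc_action_status=success",
  "https://app.example/callback?kc_action_status=cancel",
  "https://app.example/callback?error=link_failed",
  "https://app.example/callback",
];
for (const url of SAMPLES) {
  console.log(url, "->", classifyRedirect(url).outcome);
}
```

The last sample is the case the issue complains about: with no kc_action_status, the client cannot tell a successful link from no action at all.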