Keycloak IdP login with automatic linking
This guide shows how to configure Keycloak to automatically link social/external identity provider accounts without requiring users to confirm the link each time.
Keycloak is a powerful tool, but sometimes I find it hard to find the proper documentation, so I am keeping track of this here: the authentication flows for linking accounts to brokers automatically without prompting the user. I required two options: auto linking with and without creating new accounts in Keycloak.
Automatically link existing first login flow
This allows new users to be created automatically in Keycloak and then log in with a linked account (which links automatically).
Create a new (Basic) flow with a practical name. Then create the following steps:
- Create User If Unique (Requirement: Alternative)
- Automatically Set Existing User (Requirement: Alternative)
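NB: This allows everybody who can create an account with the IdP to log in to the website using this IdP. Automatically Set Existing User also links the IdP identity to a matching existing Keycloak account without asking the user to confirm or re-authenticate, so use this flow only with IdPs whose usernames and email addresses you trust.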
Detect existing user first login flow
This allows existing users to log in with a linked account (which links automatically).
Create a new (Basic) flow with a practical name. Then create the following steps:
- Detect Existing Broker User (Requirement: Required)
- Automatically Set Existing User (Requirement: Required)
NB: This will not create users in Keycloak, so they have to be created another way.
Set the login flow override for the IdP
To put the authentication flow to use in Keycloak, go to Identity providers, select the one that should use the new flow, and set the First login flow override field to the new flow.
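To review which identity providers in a realm end up on an auto-linking first login flow, the following added example (not part of the original guide or of Keycloak itself) audits a realm export. It assumes the export's authenticationFlows and identityProviders field names, and that the provider ids idp-auto-link and idp-create-user-if-unique back the steps Automatically Set Existing User and Create User If Unique; the sample data and flow aliases are constructed.

```python
# Provider ids assumed to back the UI steps named in this guide.
AUTO_LINK = "idp-auto-link"                # Automatically Set Existing User
CREATE_USER = "idp-create-user-if-unique"  # Create User If Unique

# Constructed sample shaped like a trimmed realm export (not real data).
SAMPLE_EXPORT = {
    "authenticationFlows": [
        {"alias": "auto-link-create", "authenticationExecutions": [
            {"authenticator": CREATE_USER, "requirement": "ALTERNATIVE"},
            {"authenticator": AUTO_LINK, "requirement": "ALTERNATIVE"}]},
        {"alias": "auto-link-existing", "authenticationExecutions": [
            {"authenticator": "idp-detect-existing-broker-user", "requirement": "REQUIRED"},
            {"authenticator": AUTO_LINK, "requirement": "REQUIRED"}]},
        {"alias": "review-only", "authenticationExecutions": [
            {"authenticator": "idp-review-profile", "requirement": "REQUIRED"}]},
    ],
    "identityProviders": [
        {"alias": "github", "enabled": True, "firstBrokerLoginFlowAlias": "auto-link-create"},
        {"alias": "corp-oidc", "enabled": True, "firstBrokerLoginFlowAlias": "auto-link-existing"},
        {"alias": "legacy", "enabled": True, "firstBrokerLoginFlowAlias": "review-only"},
    ],
}

def authenticators(flows, alias, seen=frozenset()):
    """Return enabled authenticator ids in a flow, following sub-flows."""
    if alias in seen or alias not in flows:
        return set()
    found = set()
    for ex in flows[alias].get("authenticationExecutions", []):
        if ex.get("requirement") == "DISABLED":
            continue
        if ex.get("flowAlias"):  # execution is a nested sub-flow
            found |= authenticators(flows, ex["flowAlias"], seen | {alias})
        elif ex.get("authenticator"):
            found.add(ex["authenticator"])
    return found

def audit(realm):
    """Map each enabled IdP whose first login flow auto-links to a label."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    report = {}
    for idp in realm.get("identityProviders", []):
        used = authenticators(flows, idp.get("firstBrokerLoginFlowAlias", ""))
        if idp.get("enabled", True) and AUTO_LINK in used:
            report[idp["alias"]] = "creates users" if CREATE_USER in used else "existing users only"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

IdPs reported as "creates users" are the ones where anyone able to register at the IdP can log in, so those deserve the closest look.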
See also
- Login with account creation (if needed) and auto linking
- Login with existing account and auto linking
Notes
I saw that these authentication flow options have changed a lot over the years, so I suspect this documentation could be of short value. Hopefully the authorization flow configuration becomes a bit more intuitive in the future. Or maybe I’ll just understand it better in the future and I won’t need this document anymore.
My solution works for Keycloak 26.0.8.