Description
Keycloak Version
26.4.2
Extension Version
1.16
Describe the bug
We are seeing recurring Apple login failures caused by duplicate creation of FederatedIdentityEntity for the same (user, identityProvider) pair. The error originates during the Apple callback handling in AppleIdentityProviderEndpoint.authResponse(...) and ends as org.keycloak.models.ModelDuplicateException: Duplicate resource error.
This appears to be triggered when the same Apple callback (state) is processed more than once (refresh/back button, network retry, or reverse-proxy/LB retry). This is not user-controllable and should be handled defensively by the backend.
Expected behavior
The Apple callback handling should be idempotent:
A given state must be processed only once.
If the federated identity link already exists, the flow should continue successfully (or update existing data), but must not attempt to persist a duplicate.
Duplicate callbacks should not cause login failure.
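The two defensive layers listed above (single-use state, and a link step that tolerates an existing row) can be modelled in a few lines. The following is an added example for this issue, not code from the extension or from Keycloak: StateStore, UserStore and the handle_callback_* functions are simplified stand-ins for the state check and the FederatedIdentityEntity persistence that the stack trace below shows failing, and the user id and Apple subject values are constructed.

```python
"""Model of an idempotent broker callback (added example, not Keycloak's API)."""
import secrets
import threading
from dataclasses import dataclass


class DuplicateResourceError(Exception):
    """Stand-in for org.keycloak.models.ModelDuplicateException."""


@dataclass(frozen=True)
class FederatedIdentity:
    identity_provider: str   # IdP alias, e.g. "apple"
    federated_user_id: str   # subject identifier issued by the IdP
    user_name: str


class StateStore:
    """Single-use login states: issued once, consumed at most once (atomically)."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}
        self._lock = threading.Lock()

    def issue(self, client_id: str) -> str:
        state = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[state] = client_id
        return state

    def consume(self, state: str):
        """Return the client id on first use, None if unknown or already consumed."""
        with self._lock:
            return self._pending.pop(state, None)


class UserStore:
    """Persists (user, identity_provider) links; that pair is the primary key."""

    def __init__(self) -> None:
        self._links: dict[tuple[str, str], FederatedIdentity] = {}

    def get_federated_identity(self, user_id: str, alias: str):
        return self._links.get((user_id, alias))

    def add_federated_identity(self, user_id: str, link: FederatedIdentity) -> None:
        """Unconditional insert: a second insert for the same key is the reported failure."""
        key = (user_id, link.identity_provider)
        if key in self._links:
            raise DuplicateResourceError(f"Duplicate resource error: {key}")
        self._links[key] = link

    def link_federated_identity(self, user_id: str, link: FederatedIdentity) -> FederatedIdentity:
        """Idempotent variant: an existing link to the same IdP account is reused, not re-persisted."""
        existing = self.get_federated_identity(user_id, link.identity_provider)
        if existing is not None:
            if existing.federated_user_id != link.federated_user_id:
                raise ValueError("user already linked to a different account at this IdP")
            return existing
        self.add_federated_identity(user_id, link)
        return link


def handle_callback_naive(users, states, state, user_id, apple_sub):
    """Failure mode from the report: state never consumed, link persisted unconditionally."""
    try:
        users.add_federated_identity(user_id, FederatedIdentity("apple", apple_sub, apple_sub))
        return "login-ok"
    except DuplicateResourceError:
        return "login-failed"


def handle_callback_idempotent(users, states, state, user_id, apple_sub):
    """Defensive handling: a replayed state is ignored, and a duplicate link is never persisted."""
    if states.consume(state) is None:
        return "replay-ignored"
    users.link_federated_identity(user_id, FederatedIdentity("apple", apple_sub, apple_sub))
    return "login-ok"


def replay_callback_twice(handler):
    """Deliver the same callback twice (refresh, back button, proxy retry) and report both outcomes."""
    users, states = UserStore(), StateStore()
    state = states.issue("example-client")  # constructed sample login
    first = handler(users, states, state, "user-1", "apple-sub-0001")
    second = handler(users, states, state, "user-1", "apple-sub-0001")
    return first, second


if __name__ == "__main__":
    print("naive     :", replay_callback_twice(handle_callback_naive))
    print("idempotent:", replay_callback_twice(handle_callback_idempotent))
```

The naive handler yields ("login-ok", "login-failed") on a replay, the idempotent one ("login-ok", "replay-ignored"). The stack trace below shows the persist being raised inside Keycloak's IdentityBrokerService.afterFirstBrokerLogin, below the extension's authResponse frame, so the state check at the endpoint is the earliest point at which a replayed callback can be stopped before it reaches that code path.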
Keycloak Logs (turn log-level to DEBUG)
org.keycloak.models.ModelDuplicateException: Duplicate resource error
at org.keycloak.connections.jpa.support.EntityManagerProxy.convert(EntityManagerProxy.java:146)
at jdk.proxy2.$Proxy62.persist(Unknown Source)
at org.keycloak.models.jpa.JpaUserProvider.addFederatedIdentity(JpaUserProvider.java:779)
at org.keycloak.storage.UserStorageManager.addFederatedIdentity(UserStorageManager.java:918)
at org.keycloak.models.cache.infinispan.UserCacheSession.addFederatedIdentity(UserCacheSession.java:749)
at org.keycloak.services.resources.IdentityBrokerService.afterFirstBrokerLogin(IdentityBrokerService.java:890)
at org.keycloak.services.resources.IdentityBrokerService.afterPostBrokerLoginFlowSuccess(IdentityBrokerService.java:816)
at org.keycloak.services.resources.IdentityBrokerService.finishOrRedirectToPostBrokerLogin(IdentityBrokerService.java:671)
at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:84)
at at.klausbetz.provider.AppleIdentityProviderEndpoint.authResponse(AppleIdentityProviderEndpoint.java:29)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:183)
Caused by: jakarta.persistence.EntityExistsException: A different object with the same identifier value was already associated with this persistence context for entity
[org.keycloak.models.jpa.entities.FederatedIdentityEntity with id
'FederatedIdentityEntity.Key [user=<uuid>, identityProvider=apple]']
Caused by: org.hibernate.NonUniqueObjectException: A different object with the same identifier value was already associated with this persistence context for entity
[org.keycloak.models.jpa.entities.FederatedIdentityEntity with id
'FederatedIdentityEntity.Key [user=<uuid>, identityProvider=apple]']