GitHub user dosubot[bot] added a comment to the discussion: Using Keycloak as identity provider wihtout role mappings (manage roles inside superset - like google oauth2)
<!-- Answer --> This integrity error happens because Superset uses the email field as a unique key for users. When you log in via Keycloak (with federated Google), if the mapping in your `oauth_user_info` returns an email that already exists in the Superset DB but with a different internal id (like a new `sub` from Keycloak), Superset tries to create a new user and hits a duplicate email constraint, causing the error you see ([docs](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx)). To fix this, you need to ensure that your `oauth_user_info` mapping matches the existing user records in Superset. If your users were created with Google OAuth2 and used the email as both username and email, you should keep that mapping consistent when switching to Keycloak. The `id` field (`sub`) is not used for user matching—Superset matches by username or email. If you already have users in Superset with `email = [email protected]`, make sure your Keycloak mapping returns the same value for both `username` and `email`. If you have duplicate/conflicting users (for example, one from Google and one from Keycloak with the same email), you may need to clean up the user table in the DB to remove the duplicate or update the mapping so Superset recognizes the user as the same person ([docs](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx)). In summary: keep your claim mapping for username and email consistent across all IdPs, and audit your user table for duplicates if you’ve switched providers or changed mappings. This will prevent Superset from trying to create a new user with an existing email and avoid the integrity error. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/0e7b3bd2-1dbf-48d0-a8f0-1d7514f74667?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/0e7b3bd2-1dbf-48d0-a8f0-1d7514f74667?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/0e7b3bd2-1dbf-48d0-a8f0-1d7514f74667?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/0e7b3bd2-1dbf-48d0-a8f0-1d7514f74667?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/0e7b3bd2-1dbf-48d0-a8f0-1d7514f74667?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/0e7b3bd2-1dbf-48d0-a8f0-1d7514f74667?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/0e7b3bd2-1dbf-48d0-a8f0-1d7514f74667?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=This%20integrity%20error%20happens%20because%20Superset%20uses%20the%20email%20field%20as%20a%20unique%20key%20for%20users.%20When%20you%20log%20in%20via%20Keycloak%20%28with%20federated%20Google%29%2C%20if%20the%20mapping%20in%20your%20%60oauth_user_info%60%20returns%20an%20email%20that%20already%20exists%20in%20the%20Superset%20DB%20but%20with%20a%20different%20internal%20id%20%28like%20a%20new%20%60sub%60%20from%20Keycloak%29%2C%20Superset%20tries%20to%20create%20a%20new%20user%20and%20hits%20a%20duplicate%20email%20constraint%2C%20causing%20the%20error%20you%20see%C2%A0%28%5Bdocs%5D%28https%3A//github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx%29%29.%0A%0ATo%20fix%20this%2C%20you%20need%20to%20ensure%20that%20 your%20%60oauth_user_info%60%20mapping%20matches%20the%20existing%20user%20records%20in%20Superset.%20If%20your%20users%20were%20created%20with%20Google%20OAuth2%20and%20used%20the%20email%20as%20both%20username%20and%20email%2C%20you%20should%20keep%20that%20mapping%20consistent%20when%20switching%20to%20Keycloak.%20The%20%60id%60%20field%20%28%60sub%60%29%20is%20not%20used%20for%20user%20matching%E2%80%94Superset%20matches%20by%20username%20or%20email.%0A%0AIf%20you%20already%20have%20users%20in%20Superset%20with%20%60email%20%3D%20xxxxx%40yyyy.com%60%2C%20make%20sure%20your%20Keycloak%20mapping%20returns%20the%20same%20value%20for%20both%20%60username%60%20and%20%60email%60.%20If%20you%20have%20duplicate/conflicting%20users%20%28for%20example%2C%20one%20from%20Google%20and%20one%20from%20Keycloak%20with%20the%20same%20email%29%2C%20you%20may%20need%20to%20clean%20up%20the%20user%20table%20in%20the%20DB%20to%20remove%20the%20duplicate%20or%20update%20the%20mapping%20so%20Superset% 20recognizes%20the%20user%20as%20the%20same%20person%C2%A0%28%5Bdocs%5D%28https%3A//github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx%29%29.%0A%0AIn%20summary%3A%20keep%20your%20claim%20mapping%20for%20username%20and%20email%20consistent%20across%20all%20IdPs%2C%20and%20audit%20your%20user%20table%20for%20duplicates%20if%20you%E2%80%99ve%20switched%20providers%20or%20changed%20mappings.%20This%20will%20prevent%20Superset%20from%20trying%20to%20create%20a%20new%20user%20with%20an%20existing%20email%20and%20avoid%20the%20integrity%20error.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/36242) GitHub link: https://github.com/apache/superset/discussions/36242#discussioncomment-15065501 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
