SPA login shows “Account not linked” for builtin users on demo/qa (Chrome and Safari); JSF login works
Summary
On demo.dataverse.org and qa.dataverse.org, logging in as a builtin user succeeds in the legacy JSF UI, but when navigating to the SPA and clicking Login, the SPA routes to an “account not linked” flow and then fails. This reproduces for me in Chrome (including Incognito) and in Safari. Ellen previously observed that Safari worked for her, but I am not able to reproduce success in Safari.
This may point to Keycloak/OIDC configuration differences between environments and/or SPA vs JSF login paths.
Slack context: https://iqss.slack.com/archives/C06FWJ0FV2R/p1759505592837599 (plus today’s thread in dv-core-spa)
Environments
- Demo: affected for me in Chrome and Safari (both fail with account-not-linked → failure)
- QA: reportedly OK for Ellen; I previously hit SPA login trouble on QA but unclear if it’s the same signature
- JSF (both envs): builtin login succeeds
Date observed: Oct 8, 2025
Browsers tested (macOS):
| Browser | Version (approx) | Demo | QA |
|---|---|---|---|
| Chrome | 141.x (Incognito too) | ❌ Fails: “account not linked” → failure | ✅ Works for Ellen |
| Safari | Latest | ❌ Fails for me; Ellen previously reported success | — |
Example user(s):
- demo: QAadmin (builtin) reproduced by Omer
- other builtin users impacted per Ellen
Steps to Reproduce (Demo)
- Log in to JSF on demo.dataverse.org with a builtin user (login succeeds).
- Navigate to the SPA (/spa) and click Login.
- SPA redirects into an “account not linked” step; completing it fails.
- Reproduces for me in Chrome (incl. Incognito) and Safari.
Expected Behavior
- After successful JSF login (or direct SPA login), SPA should recognize the session/OIDC principal and proceed to the authenticated SPA state without a failing “account not linked” detour.
Actual Behavior
- SPA presents “account not linked” flow on demo and completing the flow fails (Chrome and Safari for me).
- QA SPA works for Ellen.
Tentative size: 20