unique username for brokered user

services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java

@@ -39,6 +39,7 @@ import org.keycloak.models.OAuthClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.provider.ProviderFactory;
 import org.keycloak.services.managers.AppAuthManager;
@@ -488,7 +489,11 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
         String username = updatedIdentity.getUsername();
         if (this.realmModel.isRegistrationEmailAsUsername() && !Validation.isEmpty(updatedIdentity.getEmail())) {
             username = updatedIdentity.getEmail();
-        } 
+        } else if (username == null) {
+            username = updatedIdentity.getIdentityProviderId() + "." + updatedIdentity.getId();
+        } else {
+            username = updatedIdentity.getIdentityProviderId() + "." + updatedIdentity.getUsername();
+        }
         if (username != null) {
             username = username.trim();
         }

testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java

@@ -250,7 +250,7 @@ public abstract class AbstractIdentityProviderTest {
     }
 
     protected void doAssertFederatedUserNoEmail(UserModel federatedUser) {
-        assertEquals("test-user-noemail", federatedUser.getUsername());
+        assertEquals("kc-oidc-idp.test-user-noemail", federatedUser.getUsername());
         assertEquals(null, federatedUser.getEmail());
         assertEquals("Test", federatedUser.getFirstName());
         assertEquals("User", federatedUser.getLastName());
@@ -580,7 +580,7 @@ public abstract class AbstractIdentityProviderTest {
         FederatedIdentityModel federatedIdentityModel = federatedIdentities.iterator().next();
 
         assertEquals(getProviderId(), federatedIdentityModel.getIdentityProvider());
-        assertEquals(federatedUser.getUsername(), federatedIdentityModel.getUserName());
+        assertEquals(federatedUser.getUsername(), federatedIdentityModel.getIdentityProvider() + "." + federatedIdentityModel.getUserName());
 
         driver.navigate().to("http://localhost:8081/test-app/logout");
         driver.navigate().to("http://localhost:8081/test-app");

testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java

@@ -1,6 +1,7 @@
 package org.keycloak.testsuite.broker;
 
 import org.junit.ClassRule;
+import org.junit.Test;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.representations.AccessTokenResponse;
@@ -66,4 +67,29 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractIdentityProviderT
     protected String getProviderId() {
         return "kc-oidc-idp";
     }
+
+    @Test
+    public void testSuccessfulAuthentication() {
+        super.testSuccessfulAuthentication();
+    }
+
+    @Test
+    public void testSuccessfulAuthenticationWithoutUpdateProfile() {
+        super.testSuccessfulAuthenticationWithoutUpdateProfile();
+    }
+
+    @Test
+    public void testSuccessfulAuthenticationWithoutUpdateProfile_emailNotProvided_emailVerifyEnabled() {
+        super.testSuccessfulAuthenticationWithoutUpdateProfile_emailNotProvided_emailVerifyEnabled();
+    }
+
+    @Test
+    public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() {
+        super.testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername();
+    }
+
+    @Test
+    public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername_emailNotProvided() {
+        super.testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername_emailNotProvided();
+    }
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java

@@ -69,7 +69,7 @@ public class SAMLKeyCloakServerBrokerBasicTest extends AbstractIdentityProviderT
 
     @Override
     protected void doAssertFederatedUserNoEmail(UserModel federatedUser) {
-        assertEquals("", federatedUser.getUsername());
+        assertEquals("kc-saml-idp-basic.", federatedUser.getUsername());
         assertEquals("", federatedUser.getEmail());
         assertEquals(null, federatedUser.getFirstName());
         assertEquals(null, federatedUser.getLastName());

testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerWithSignatureTest.java

@@ -68,7 +68,7 @@ public class SAMLKeyCloakServerBrokerWithSignatureTest extends AbstractIdentityP
 
     @Override
     protected void doAssertFederatedUserNoEmail(UserModel federatedUser) {
-        assertEquals("", federatedUser.getUsername());
+        assertEquals("kc-saml-signed-idp.", federatedUser.getUsername());
         assertEquals("", federatedUser.getEmail());
         assertEquals(null, federatedUser.getFirstName());
         assertEquals(null, federatedUser.getLastName());