0

In Keycloak's account-linking documentation, there's a code snippet:

```java
KeycloakSecurityContext session = (KeycloakSecurityContext) httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName());
```

Why would the KeycloakSecurityContext be set in the httpServletRequest? Where should this code run? In what context? Thanks.

AlikElzin-kilaka

1 Answer

1

As mentioned in the documentation, this code can reside in a Java servlet. The server-side application containing this servlet must be protected by a Keycloak OIDC adapter to get the logged-in user's security context in the request. The user must already be logged in to invoke the account linking. That's a prerequisite listed in the documentation: "The application must already be logged in as an existing user via the OIDC protocol."

Boomer
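To illustrate the answer above, here is an added example (not code from the original post or from Keycloak) of a servlet that reads the security context and refuses the request when the adapter has not populated it. The class name, URLs and provider alias are hypothetical, and the nonce/hash recipe and `/broker/{provider}/link` path are assumed from Keycloak's account-linking documentation rather than stated on this page.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Hypothetical servlet; its URL must fall under a path the Keycloak OIDC adapter protects.
public class LinkAccountServlet extends HttpServlet {
    // Constructed placeholder values, for illustration only.
    private static final String REALM_URL = "https://sso.example.test/realms/demo";
    private static final String PROVIDER = "github";
    private static final String RETURN_URL = "https://app.example.test/linked";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The adapter sets this attribute only after it has authenticated the request.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getToken() == null) {
            // Request bypassed the adapter or no user is logged in: fail closed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "OIDC login required");
            return;
        }
        AccessToken token = ctx.getToken();
        String clientId = token.getIssuedFor();
        String nonce = UUID.randomUUID().toString();
        // Assumed recipe: SHA-256 over nonce + session state + client id + provider.
        String input = nonce + token.getSessionState() + clientId + PROVIDER;
        String hash;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            hash = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
        resp.sendRedirect(REALM_URL + "/broker/" + PROVIDER + "/link"
                + "?client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&redirect_uri=" + URLEncoder.encode(RETURN_URL, "UTF-8")
                + "&nonce=" + nonce + "&hash=" + hash);
    }
}
```

If the servlet is mapped to a path outside the adapter's security constraints, the attribute is absent and the null check is what prevents a `NullPointerException` from leaking into the response.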