Closed
Labels: area/token-exchange, kind/bug, priority/important, release/26.3.0, team/core-clients
Description
Area
token-exchange
Describe the bug
During external-internal token exchange, there is an NPE. It happens only when the user already exists in the consumer realm and is linked with the IDP that issued the exchanged token.
We do not test this yet in our testsuite, as the existing tests for external-internal token exchange cover the scenario where the user does not yet exist in the consumer realm and is created by the external-internal token exchange request.
This issue looks like a regression of 7cc055f8a6e4574ff0b0057c570c
Whole stacktrace:
java.lang.NullPointerException: Cannot invoke "org.keycloak.sessions.AuthenticationSessionModel.getAuthNote(String)" because "authSession" is null
at org.keycloak.broker.provider.AbstractIdentityProvider.updateEmail(AbstractIdentityProvider.java:179)
at org.keycloak.broker.provider.AbstractIdentityProvider.updateBrokeredUser(AbstractIdentityProvider.java:174)
at org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider.importUserFromExternalIdentity(AbstractTokenExchangeProvider.java:413)
at org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider.exchangeExternalToken(AbstractTokenExchangeProvider.java:297)
at org.keycloak.protocol.oidc.tokenexchange.V1TokenExchangeProvider.tokenExchange(V1TokenExchangeProvider.java:103)
at org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider.exchange(AbstractTokenExchangeProvider.java:114)
at org.keycloak.protocol.oidc.grants.TokenExchangeGrantType.process(TokenExchangeGrantType.java:92)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:151)
Version
Keycloak main from 2025-05-30 (after commit 7cc055f)
Regression
- The issue is a regression
Expected behavior
External-internal token-exchange works for existing users
Actual behavior
External-internal token-exchange does not work for existing users and throws an NPE
How to Reproduce?
- Make sure there is a Keycloak user linked to some IDP
- Send an external-internal token exchange request with the subject_token set to the token from that IDP
Anything else?
No response
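A reproducer for the steps above, added here as an example; it is not code from the report or from the Keycloak project. It builds the external-to-internal exchange request (RFC 8693 parameters plus Keycloak's subject_issuer, the alias of the IDP that issued the token) and classifies the token endpoint's answer so that an unhandled server error, which is how the reported NPE surfaces, can be told apart from an ordinary OAuth rejection such as a misconfigured client. The environment variable names, the endpoint path for a Quarkus-based Keycloak, and the choice to run the exchange twice (the first call may create and link the user, the second hits the existing linked user the report describes) are this example's assumptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# RFC 8693 identifiers.
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"


def token_endpoint(base_url, realm):
    """Token endpoint of a realm on a Quarkus-based Keycloak (assumed: no /auth prefix)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_exchange_form(client_id, client_secret, subject_token, idp_alias,
                        subject_token_type=TOKEN_TYPE_ACCESS):
    """Form body for an external-to-internal exchange.

    subject_token is the token issued by the external IDP; subject_issuer is the
    Keycloak-specific parameter naming the IDP alias it came from. Pass
    TOKEN_TYPE_JWT if the IDP token is a JWT rather than an opaque access token.
    """
    form = [
        ("grant_type", GRANT_TYPE_TOKEN_EXCHANGE),
        ("client_id", client_id),
        ("client_secret", client_secret),
        ("subject_token", subject_token),
        ("subject_token_type", subject_token_type),
        ("subject_issuer", idp_alias),
    ]
    return urllib.parse.urlencode(form)


def post_form(url, body):
    """POST a form body; returns (status, text) and never raises on HTTP error codes."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def classify_exchange_response(status, body):
    """Three outcomes a reproducer must distinguish: exchanged, server_error, rejected."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unexpected: 200 without JSON body"
        return "exchanged" if "access_token" in data else "unexpected: 200 without access_token"
    if status >= 500:
        # An unhandled exception such as the NPE in the report is a 5xx, not an OAuth error.
        return "server_error"
    try:
        err = json.loads(body).get("error", "unknown")
    except ValueError:
        err = "unknown"
    return f"rejected: {err}"


if __name__ == "__main__":
    # Assumed variable names; nothing runs without them, so the module imports offline.
    required = ["KEYCLOAK_URL", "REALM", "CLIENT_ID", "CLIENT_SECRET", "IDP_ALIAS", "SUBJECT_TOKEN"]
    missing = [k for k in required if not os.environ.get(k)]
    if missing:
        raise SystemExit(f"set {', '.join(missing)} to run against a live server")
    env = os.environ
    url = token_endpoint(env["KEYCLOAK_URL"], env["REALM"])
    form = build_exchange_form(env["CLIENT_ID"], env["CLIENT_SECRET"],
                               env["SUBJECT_TOKEN"], env["IDP_ALIAS"],
                               env.get("SUBJECT_TOKEN_TYPE", TOKEN_TYPE_ACCESS))
    # First call may create and link the user; per the report the second call,
    # against the now-existing linked user, is the one expected to fail.
    for attempt in (1, 2):
        status, body = post_form(url, form)
        print(f"attempt {attempt}: {status} {classify_exchange_response(status, body)}")
        print(body[:300])
```

If the first attempt already reports server_error, the user was linked before the run; a rejected result with an OAuth error code points at client or permission configuration rather than the regression, so fix that before drawing conclusions from the second attempt.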