Add check to prevent deserialization issues when the context token is…

… not an AccessTokenResponse. Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
keycloak · Apr 26, 2024 · b80d1f1 · b80d1f1
1 parent 1c413df
commit b80d1f1
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@@ -19,6 +19,8 @@
 import org.jboss.logging.Logger;
 import org.jboss.resteasy.reactive.NoCache;
 import org.keycloak.authentication.authenticators.broker.IdpConfirmOverrideLinkAuthenticator;
+import org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken;
+import org.keycloak.broker.saml.SAMLIdentityProvider;
 import org.keycloak.http.HttpRequest;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.authentication.AuthenticationProcessor;
@@ -119,7 +121,6 @@
 import java.util.Set;
 import java.util.UUID;
 import java.util.function.Consumer;
-import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -1100,7 +1101,7 @@ private void updateToken(BrokeredIdentityContext context, UserModel federatedUse
                 // like in OIDCIdentityProvider.exchangeStoredToken()
                 // we shouldn't override the refresh token if it is null in the context and not null in the DB
                 // as for google IDP it will be lost forever
-                if (federatedIdentityModel.getToken() != null) {
+                if (federatedIdentityModel.getToken() != null && ExchangeTokenToIdentityProviderToken.class.isInstance(context.getIdp())) {
                     AccessTokenResponse previousResponse = JsonSerialization.readValue(federatedIdentityModel.getToken(), AccessTokenResponse.class);
                     AccessTokenResponse newResponse = JsonSerialization.readValue(context.getToken(), AccessTokenResponse.class);