diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
index 6c7ea3fae4..e6001eb48c 100755
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@@ -45,6 +45,7 @@ import org.keycloak.models.AccountRoles;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.AuthenticationFlowModel;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientSessionContext;
 import org.keycloak.models.Constants;
 import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.IdentityProviderMapperModel;
@@ -80,6 +81,7 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.account.AccountFormService;
 import org.keycloak.services.util.BrowserHistoryHelper;
 import org.keycloak.services.util.CacheControlUtil;
+import org.keycloak.services.util.DefaultClientSessionContext;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.sessions.RootAuthenticationSessionModel;
@@ -262,7 +264,10 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
 ClientModel accountService = this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
 if (!accountService.getId().equals(client.getId())) {
 RoleModel manageAccountRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT);
- Set userAccountRoles = cookieResult.getUser().getClientRoleMappings(accountService);
+
+ // Ensure user has role and client has "role scope" for this role
+ ClientSessionContext ctx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);
+ Set userAccountRoles = ctx.getRoles();
 if (!userAccountRoles.contains(manageAccountRole)) {
 RoleModel linkRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT_LINKS);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java
index a837f8f99f..6cbf62d56f 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java
@@ -205,7 +205,6 @@ public class ClientInitiatedAccountLinkTest extends AbstractServletsAdapterTest
 @Test
- @Ignore("KEYCLOAK-7562")
 public void testErrorConditions() throws Exception {
 RealmResource realm = adminClient.realms().realm(CHILD_IDP);
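Review bot: The new check at `Set userAccountRoles = ctx.getRoles();` takes the effective roles from `clientSession` instead of from `cookieResult.getUser()`, so the authorization decision now rests on `clientSession` belonging to the cookie-authenticated user, a binding this hunk does not show and which can only be established earlier in the enclosing method, whose start and end lie outside the hunk. If that binding is verified where `clientSession` is resolved, a comment here such as `// clientSession is bound to cookieResult's user above; these are the session's effective roles, filtered by this client's role scope` would spare the next reader the search; if it is not, the user comparison should be added before this point rather than trusting the session lookup alone. The comment should also say that this is a tightening: a client without scope on manage-account / manage-account-links is now refused even when the user holds the role, which is presumably what the re-enabled `testErrorConditions` in the second file exercises. If `Set` really is raw here (the page may have dropped the type argument), declare it `Set<RoleModel> userAccountRoles = ctx.getRoles();` to match the `RoleModel` comparisons on the following lines.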