diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
index 1a6f60b1ca..fb404d0116 100755
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@@ -474,6 +474,10 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
 return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel);
 }
 
+ if (identity.getToken() == null) {
+ return corsResponse(notFound("No token stored for user [" + authResult.getUser().getId() + "] with associated identity provider [" + providerId + "]."), clientModel);
+ }
+
 this.event.success();
 
 return corsResponse(identityProvider.retrieveToken(session, identity), clientModel);
@@ -1224,6 +1228,11 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
 return ErrorResponse.error(message, Response.Status.FORBIDDEN);
 }
 
+ private Response notFound(String message) {
+ fireErrorEvent(message);
+ return ErrorResponse.error(message, Response.Status.NOT_FOUND);
+ }
+
 public static IdentityProvider getIdentityProvider(KeycloakSession session, RealmModel realm, String alias) {
 IdentityProviderModel identityProviderModel = realm.getIdentityProviderByAlias(alias);
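Review bot: The new `identity.getToken() == null` guard in the first hunk (@@ -474) treats only null as "no token" and has no comment saying why a linked identity can lack one. If the store can also return an empty string (not visible from here), that value would still be passed to `retrieveToken(session, identity)`; in that case the condition should read `if (identity.getToken() == null || identity.getToken().isEmpty()) {`. I would also add above it `// The link exists but no external token was stored for it: answer 404 rather than pass a token-less identity to retrieveToken().` The enclosing method starts and ends outside the hunk, so any earlier checks on the caller are not visible here.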
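Review bot: `notFound` in the second hunk (@@ -1224) has no Javadoc, and its one non-obvious property is that the same `message` string is handed both to `fireErrorEvent` and to `ErrorResponse.error` for the 404 response. That is worth stating so future callers keep token values and other secrets out of the string, for example `/** Fires an error event with {@code message} and returns a 404 error response built from the same text; never put token material in the message. */`. The call added in the first hunk passes only the user id and `providerId`, which matches the `badRequest` message just above it.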