Fix NPE if user not exists

Check "userSession.getId().equals(clientUser.getId())" fails if getUserFromToken return non existed user. It is happens when AccessToken.subject relates to non existed user. Closes #16297
2023-01-04 09:29:19 +00:00 · 2023-01-04 09:29:19 +00:00 · d900540034
commit d900540034
parent 665dec19c0
2 changed files with 5 additions and 5 deletions
--- a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
+++ b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
@ -234,6 +234,9 @@ public class KeycloakIdentity implements Identity {
            }

            UserModel userSession = getUserFromToken();
+            if (userSession == null) {
+                throw new IllegalArgumentException("User from token not found");
+            }

            this.resourceServer = clientUser != null && userSession.getId().equals(clientUser.getId());

--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@ -356,13 +356,10 @@ public class TokenManager {

        // Fallback to lookup user based on username (preferred_username claim)
        if (token.getPreferredUsername() != null) {
-            user = session.users().getUserByUsername(realm, token.getPreferredUsername());
-            if (user != null) {
-                return user;
-            }
+            return session.users().getUserByUsername(realm, token.getPreferredUsername());
        }

-        return user;
+        return null;
    }