diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
index c67b19533d..8d57b2c81c 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -143,7 +143,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
     ;
 
     protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
-        return UriBuilder.fromPath(getConfig().getAuthorizationUrl())
+        return UriBuilder.fromUri(getConfig().getAuthorizationUrl())
                 .queryParam(OAUTH2_PARAMETER_SCOPE, getConfig().getDefaultScope())
                 .queryParam(OAUTH2_PARAMETER_STATE, request.getState())
                 .queryParam(OAUTH2_PARAMETER_RESPONSE_TYPE, "code")
diff --git a/core/src/main/java/org/keycloak/util/ObjectUtil.java b/core/src/main/java/org/keycloak/util/ObjectUtil.java
new file mode 100644
index 0000000000..23a6bef345
--- /dev/null
+++ b/core/src/main/java/org/keycloak/util/ObjectUtil.java
@@ -0,0 +1,27 @@
+package org.keycloak.util;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class ObjectUtil {
+
+    private ObjectUtil() {}
+
+    /**
+     *
+     * @param str1
+     * @param str2
+     * @return true if both strings are null or equal
+     */
+    public static boolean isEqualOrNull(Object str1, Object str2) {
+        if (str1 == null && str2 == null) {
+            return true;
+        }
+
+        if ((str1 != null && str2 == null) || (str1 == null && str2 != null)) {
+            return false;
+        }
+
+        return str1.equals(str2);
+    }
+}
diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
index 4e05ad5926..1cfae3f57a 100755
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@@ -50,6 +50,7 @@ import org.keycloak.services.resources.flows.Flows;
 import org.keycloak.services.resources.flows.Urls;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.social.SocialIdentityProvider;
+import org.keycloak.util.ObjectUtil;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
@@ -342,12 +343,15 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
     private void updateFederatedIdentity(FederatedIdentity updatedIdentity, UserModel federatedUser) {
         FederatedIdentityModel federatedIdentityModel = this.session.users().getFederatedIdentity(federatedUser, updatedIdentity.getIdentityProviderId(), this.realmModel);
 
-        federatedIdentityModel.setToken(updatedIdentity.getToken());
+        // Skip DB write if tokens are null or equal
+        if (!ObjectUtil.isEqualOrNull(updatedIdentity.getToken(), federatedIdentityModel.getToken())) {
+            federatedIdentityModel.setToken(updatedIdentity.getToken());
 
-        this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel);
+            this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel);
 
-        if (isDebugEnabled()) {
-            LOGGER.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, updatedIdentity.getIdentityProviderId());
+            if (isDebugEnabled()) {
+                LOGGER.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, updatedIdentity.getIdentityProviderId());
+            }
         }
     }