Merge eed591f0b9 into 94dcc24a8d

2026-05-28 04:13:22 -04:00 · 2026-05-25 05:32:29 +09:00 · 2026-05-25 05:32:29 +09:00 · 59a3a70eed
commit 59a3a70eed
parent 94dcc24a8d eed591f0b9
1 changed files with 21 additions and 0 deletions
--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@ -324,6 +324,27 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
        }

        if (Booleans.isTrue(getConfig().isStoreToken())) {
+            // Fix: Check token expiration and refresh if needed before returning the token
+            // This addresses the issue where external IDP tokens are not refreshed automatically
+            FederatedIdentityModel model = session.users().getFederatedIdentity(session.getContext().getRealm(), user, getConfig().getAlias());
+            if (model != null && model.getToken() != null && model.getToken().startsWith("{")) {
+                try {
+                    OAuthResponse previousResponse = JsonSerialization.readValue(model.getToken(), OAuthResponse.class);
+                    Long exp = previousResponse.getAccessTokenExpiration();
+                    if (needsRefresh(exp) && previousResponse.getRefreshToken() != null) {
+                        OAuthResponse newResponse = refreshToken(previousResponse, session);
+                        if (newResponse.getExpiresIn() != null && newResponse.getExpiresIn() > 0) {
+                            long accessTokenExpiration = Time.currentTime() + newResponse.getExpiresIn();
+                            newResponse.setAccessTokenExpiration(accessTokenExpiration);
+                        }
+                        model.setToken(JsonSerialization.writeValueAsString(newResponse));
+                        session.users().updateFederatedIdentity(session.getContext().getRealm(), user, model);
+                    }
+                } catch (IOException e) {
+                    logger.warnf(e, "Unable to refresh token for user %s and provider %s", user.getId(), getConfig().getAlias());
+                    // Continue with existing token if refresh fails
+                }
+            }
            response = exchangeStoredToken(uriInfo, null, null, userSession, user);
        }