Fix NPE in JWT authenticators (#44941)

Closes #44940

Signed-off-by: stianst <stianst@gmail.com>

services/src/main/java/org/keycloak/authentication/authenticators/client/FederatedJWTClientAuthenticator.java

@@ -23,6 +23,7 @@ import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.provider.EnvironmentDependentProviderFactory;
 import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.provider.ProviderConfigurationBuilder;
+import org.keycloak.representations.JsonWebToken;
 import org.keycloak.services.resources.IdentityBrokerService;
 
 import org.jboss.logging.Logger;
@@ -79,13 +80,14 @@ public class FederatedJWTClientAuthenticator extends AbstractClientAuthenticator
             context.attempted();
 
             ClientAssertionState clientAssertionState = context.getState(ClientAssertionState.class, ClientAssertionState.supplier());
-
             if (clientAssertionState == null || clientAssertionState.getClientAssertionType() == null) {
                 return;
             }
 
+            JsonWebToken jwt = clientAssertionState.getToken();
+
             // Ignore for self-signed client assertions
-            if (Objects.equals(clientAssertionState.getToken().getIssuer(), clientAssertionState.getToken().getSubject())) {
+            if (jwt != null && Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
                 return;
             }
 

services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java

@@ -68,13 +68,15 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
             ClientAssertionState clientAssertionState = context.getState(ClientAssertionState.class, ClientAssertionState.supplier());
             JsonWebToken jwt = clientAssertionState.getToken();
 
-            // Ignore for client assertions signed by third-parties
+            if (jwt != null) {
-            if (!Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
+                // Ignore for client assertions signed by third-parties
-                return;
+                if (!Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
-            }
+                    return;
+                }
 
-            if (clientAssertionState.getClient() == null) {
+                if (clientAssertionState.getClient() == null) {
-                clientAssertionState.setClient(context.getRealm().getClientByClientId(jwt.getSubject()));
+                    clientAssertionState.setClient(context.getRealm().getClientByClientId(jwt.getSubject()));
+                }
             }
 
             JWTClientValidator validator = new JWTClientValidator(context, this::verifySignature, getId());

services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientSecretAuthenticator.java

@@ -59,13 +59,15 @@ public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
             ClientAssertionState clientAssertionState = context.getState(ClientAssertionState.class, ClientAssertionState.supplier());
             JsonWebToken jwt = clientAssertionState.getToken();
 
-            // Ignore for client assertions signed by third-parties
+            if (jwt != null) {
-            if (!Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
+                // Ignore for client assertions signed by third-parties
-                return;
+                if (!Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
-            }
+                    return;
+                }
 
-            if (clientAssertionState.getClient() == null) {
+                if (clientAssertionState.getClient() == null) {
-                clientAssertionState.setClient(context.getRealm().getClientByClientId(jwt.getSubject()));
+                    clientAssertionState.setClient(context.getRealm().getClientByClientId(jwt.getSubject()));
+                }
             }
 
             JWTClientValidator validator = new JWTClientValidator(context, this::verifySignature, getId());