
IDPs can not be found anymore by "Issuer" value when exchanging tokens #36053

@valentinvachev

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

token-exchange

Describe the bug

We have several introduced Identity Providers (such as Azure, Google, etc.). By using "subject_issuer" in the request body params, the Identity Provider was found by checking its values under "OpenID Connect settings -> Issuer". With Keycloak version 26 this is not possible, because if the Identity Provider is not found by "Alias" it will not go and check whether it can be found by "Issuer" values. This seems like a bug to me, and it was introduced here: aeb1951#diff-e50012fcfff1448c1d9614fd769d6332e1fe6c4949af2efb50b71429851293d3R522

In the locateExchangeExternalTokenByAlias method, if the Identity Provider is not found by Alias, the idpModel variable will be null and IdentityBrokerService.getIdentityProviderFactory throws a NullPointerException.

Respectively, the option to also check by Identity Provider Issuer values is never reached.

Version

26

Regression

  • The issue is a regression

Expected behavior

Identity Providers should be found not only by Alias but also by Issuer values.

Actual behavior

The Identity Provider option to search by Issuer values is never reached.

How to Reproduce?

Token exchange for Identity Provider

Anything else?

No response
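The lookup order the report describes, as an added illustration that is not Keycloak code: the regressed path dereferences the alias-lookup result without a null check, so a `subject_issuer` that is an issuer URL rather than an alias fails with a NullPointerException before the issuer fallback runs, while the expected path tries the alias, then the configured issuer, and reports "not found" explicitly. The class `SubjectIssuerLookup`, the `IdpModel` stand-in, the `IDPS_BY_ALIAS` registry and the sample issuer values are all hypothetical, constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added illustration, not Keycloak code. Models the lookup the report describes:
// resolve the "subject_issuer" request parameter first as an IdP alias, then by
// the issuer configured under "OpenID Connect settings -> Issuer".
public class SubjectIssuerLookup {

    // Minimal stand-in for an identity-provider model (hypothetical class).
    static final class IdpModel {
        final String alias;
        final String issuer; // value from "OpenID Connect settings -> Issuer"

        IdpModel(String alias, String issuer) {
            this.alias = alias;
            this.issuer = issuer;
        }
    }

    // Stand-in for the realm's IdP registry (hypothetical); sample data is constructed.
    static final Map<String, IdpModel> IDPS_BY_ALIAS = new HashMap<>();
    static {
        IDPS_BY_ALIAS.put("azure", new IdpModel("azure", "https://login.example-tenant.invalid/v2.0"));
        IDPS_BY_ALIAS.put("google", new IdpModel("google", "https://accounts.google.com"));
    }

    // Regressed behaviour as described in the report: the alias lookup result is
    // used directly, so a subject_issuer that is not an alias throws
    // NullPointerException before any issuer-based fallback can run.
    static String resolveAliasOnly(String subjectIssuer) {
        IdpModel idpModel = IDPS_BY_ALIAS.get(subjectIssuer);
        return idpModel.alias; // NPE when subjectIssuer is an issuer URL, not an alias
    }

    // Expected behaviour: try the alias, then fall back to matching the configured
    // issuer, and return an empty Optional instead of dereferencing null.
    static Optional<IdpModel> locate(String subjectIssuer) {
        IdpModel byAlias = IDPS_BY_ALIAS.get(subjectIssuer);
        if (byAlias != null) {
            return Optional.of(byAlias);
        }
        for (IdpModel idp : IDPS_BY_ALIAS.values()) {
            if (idp.issuer.equals(subjectIssuer)) {
                return Optional.of(idp);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Alias match works in both versions.
        System.out.println("alias lookup -> " + locate("google").map(i -> i.alias).orElse("not found"));

        // Issuer match only works with the fallback in place.
        String issuer = "https://accounts.google.com";
        System.out.println("issuer lookup -> " + locate(issuer).map(i -> i.alias).orElse("not found"));
        try {
            resolveAliasOnly(issuer);
        } catch (NullPointerException e) {
            System.out.println("alias-only lookup by issuer -> NullPointerException (the reported regression)");
        }

        // Unknown value: the fixed path reports it instead of crashing.
        System.out.println("unknown lookup -> " + locate("https://idp.invalid").map(i -> i.alias).orElse("not found"));
    }
}
```

The point the example isolates is that the null check has to come before any use of the alias result; otherwise the issuer branch is unreachable no matter how it is written.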
