From 88069cd5fb2a30c8a388040b0aebef0b38641604 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Thu, 10 Jul 2025 15:37:18 -0300
Subject: [PATCH] Mark user session for removal when the user bound to cannot be resolved
Closes #40398
Signed-off-by: Pedro Igor
---
 .../sessions/infinispan/PersistentUserSessionProvider.java | 2 ++
 .../org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/PersistentUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/PersistentUserSessionProvider.java
index 1615f90e10f..fbbffcfe380 100755
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/PersistentUserSessionProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/PersistentUserSessionProvider.java
@@ -585,6 +585,8 @@ public class PersistentUserSessionProvider implements UserSessionProvider, Sessi
 user = session.users().getUserById(realm, entity.getUser());
 if (user == null) {
+ // mark the user session for removal when the user bound to the session can not be resolved
+ removeUserSession(realm, wrap(realm, entity, offline, null));
 return null;
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
index adbbc0e4075..3ec1f21f95d 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
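Review bot: In PersistentUserSessionProvider.java, the added `removeUserSession(realm, wrap(realm, entity, offline, null))` turns a lookup into a destructive operation, so any `null` from `getUserById` deletes the session, not only a deleted user. If user storage can return `null` transiently (for example a federated provider that is unreachable; not visible in this hunk), valid sessions would be dropped and users forced to re-authenticate. The wrapper is also built with a `null` user, so `removeUserSession` and anything it triggers must tolerate that; its body is outside the hunk, as are the start and end of the enclosing method. I would document this at the call, e.g. `// removal is permanent: only reached when getUserById() returned null; the wrapper carries a null user`, and log the session id and the unresolved user id at debug level so the cleanup is traceable.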
@@ -411,6 +411,10 @@ public class LogoutEndpoint {
 try {
 userSession = session.sessions().getUserSession(realm, userSessionIdFromIdToken);
+ if (userSession == null) {
+ userSession = session.sessions().getOfflineUserSession(realm, userSessionIdFromIdToken);
+ }
+
 if (userSession == null) {
 event.event(EventType.LOGOUT);
 event.error(Errors.SESSION_EXPIRED);
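Review bot: After the added fallback in LogoutEndpoint.java, `userSession` may hold an offline session, and the code that follows the `SESSION_EXPIRED` check (outside this hunk) cannot tell from the variable which kind it received. Logging out via an ID token's session id can therefore now reach an offline session, which presumably ends the offline tokens bound to it; that is a behaviour change worth stating. I would add a comment above the fallback such as `// the sid in the ID token may refer to an offline session; fall back so logout can still terminate it`, and confirm that the later logout calls handle `userSession.isOffline()` correctly. The enclosing method starts and ends outside the hunk.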