Robin Meese 2026-05-23 22:47:47 +00:00 committed by GitHub
commit 9210f8ab59
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 42 additions and 0 deletions


@ -190,7 +190,9 @@ public abstract class AuthorizationEndpointBase {
if (user != null && !user.isEnabled()) {
authSession = createNewAuthenticationSession(manager, client);
logger.error("DEBUG: Executing line 193 - backchannelLogout for disabled user");
AuthenticationManager.backchannelLogout(session, userSession, true);
throw new RuntimeException("HIT_LINE_193");
} else {
String userSessionId = userSession.getId();
rootAuthSession = session.authenticationSessions().getRootAuthenticationSession(realm, userSessionId);
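Review bot: The two added lines in the disabled-user branch are debugging instrumentation and should not ship. `throw new RuntimeException("HIT_LINE_193");` makes every authorization request that arrives with a session of a disabled user fail with an unhandled exception right after the backchannel logout, so the fresh `authSession` created above is never used and the caller presumably gets a server error instead of the login form. The `logger.error("DEBUG: …")` line also writes an error-level entry on a path that a disabled account with a live session cookie can hit repeatedly, which adds noise to error monitoring. Drop the throw, and if a trace is wanted keep it at debug level, e.g. `logger.debug("Backchannel logout for disabled user");`. The enclosing method begins and ends outside this hunk.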


@ -1065,6 +1065,46 @@ public class MultipleTabsLoginTest extends AbstractChangeImportedUserPasswordsTe
}
}
@Test
public void testLogoutInAnotherTabIfUserIsDisabled() {
try (BrowserTabUtil util = BrowserTabUtil.getInstanceAndSetEnv(driver)) {
// Given
String username = "disabled-test";
UserRepresentation disabledUser = UserBuilder.create()
.username(username)
.email(String.format("%s@test.com", username))
.enabled(true)
.build();
var disabledUserId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), disabledUser, generatePassword(username), false);
getCleanup().addUserId(disabledUserId);
// User is enabled, User can Login
oauth.openLoginForm();
String tab1WindowHandle = util.getActualWindowHandle();
loginPage.login(username, getPassword(username));
appPage.assertCurrent();
String code = oauth.parseLoginResponse().getCode();
AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code);
AccessToken accessToken = oauth.verifyToken(tokenResponse.getAccessToken());
// User is successfully authenticated
// Admin API disables User (could be any other method)
UserRepresentation user = ApiUtil.findUserByUsername(testRealm(), username);
user.setEnabled(false);
testRealm().users().get(user.getId()).update(user);
events.clear();
// seamless login in the second tab, user already authenticated
util.newTab(oauth.loginForm().build());
oauth.openLoginForm();
assertThat(testRealm().users().get(user.getId()).getUserSessions(), Matchers.hasSize(0));
events.expect(EventType.LOGOUT)
.user(userId)
.session(accessToken.getSessionId())
.assertEvent();
}
}
private void waitForAppPage(Runnable htmlUnitAction) {
if (driver instanceof HtmlUnitDriver) {
// authChecker.js javascript does not work with HtmlUnitDriver. So need to "refresh" the current browser tab by running the last action in order to simulate "already_logged_in"
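Review bot: The LOGOUT event expectation uses `.user(userId)`, but `userId` is not declared in this test; it is presumably a field of the test class that refers to a different account, so the assertion would check the wrong user. It should be `.user(disabledUserId)`. The test also never asserts what the second tab ends up showing; adding `loginPage.assertCurrent();` after the second `oauth.openLoginForm()` would pin that the disabled user is sent back to the login form rather than silently re-authenticated. `tab1WindowHandle` is assigned and never read, so it can be removed.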