From ea52cce7ff619ecd0afce31515e3cbd372ed4568 Mon Sep 17 00:00:00 2001
From: Robin Meese <39960884+robson90@users.noreply.github.com>
Date: Tue, 24 Feb 2026 11:29:14 +0100
Subject: [PATCH] is-45151 added test for user is disabled while session is active

Signed-off-by: Robin Meese <39960884+robson90@users.noreply.github.com>
---
 .../protocol/AuthorizationEndpointBase.java | 2 +
 .../forms/MultipleTabsLoginTest.java | 40 +++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java
index 339cde6fb52..7bef721f0f1 100755
--- a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java
+++ b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java
@@ -190,7 +190,9 @@ public abstract class AuthorizationEndpointBase {
 if (user != null && !user.isEnabled()) {
 authSession = createNewAuthenticationSession(manager, client);
+ logger.error("DEBUG: Executing line 193 - backchannelLogout for disabled user");
 AuthenticationManager.backchannelLogout(session, userSession, true);
+ throw new RuntimeException("HIT_LINE_193");
 } else {
 String userSessionId = userSession.getId();
 rootAuthSession = session.authenticationSessions().getRootAuthenticationSession(realm, userSessionId);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
index e0cb482e0ff..e8a73c5dc06 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
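Review bot: The two added lines in the disabled-user branch of AuthorizationEndpointBase.java are debugging scaffolding left in production code. `throw new RuntimeException("HIT_LINE_193");` runs unconditionally after `backchannelLogout`, so a request that carries the session of a disabled user appears to end in an unhandled server error instead of continuing with the fresh `authSession` created two lines earlier. The `logger.error("DEBUG: ...")` call reports an expected condition at error level, with a hard-coded line number and no session or user identifier, which adds noise to security monitoring without helping an investigation. I would delete the `throw` and either drop the log call or replace it with `logger.debug("Backchannel logout of user session because the user is disabled");`. The enclosing method starts and ends outside this hunk, so how the exception is finally handled is not visible here.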
@@ -975,6 +975,46 @@ public class MultipleTabsLoginTest extends AbstractChangeImportedUserPasswordsTe
 }
 }
+ @Test
+ public void testLogoutInAnotherTabIfUserIsDisabled() {
+ try (BrowserTabUtil util = BrowserTabUtil.getInstanceAndSetEnv(driver)) {
+ // Given
+ String username = "disabled-test";
+ UserRepresentation disabledUser = UserBuilder.create()
+ .username(username)
+ .email(String.format("%s@test.com", username))
+ .enabled(true)
+ .build();
+ var disabledUserId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), disabledUser, generatePassword(username), false);
+ getCleanup().addUserId(disabledUserId);
+ // User is enabled, User can Login
+ oauth.openLoginForm();
+ String tab1WindowHandle = util.getActualWindowHandle();
+ loginPage.login(username, getPassword(username));
+ appPage.assertCurrent();
+ String code = oauth.parseLoginResponse().getCode();
+ AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code);
+ AccessToken accessToken = oauth.verifyToken(tokenResponse.getAccessToken());
+ // User is successfully authenticated
+
+ // Admin API disables User (could be any other method)
+ UserRepresentation user = ApiUtil.findUserByUsername(testRealm(), username);
+ user.setEnabled(false);
+ testRealm().users().get(user.getId()).update(user);
+ events.clear();
+
+ // seamless login in the second tab, user already authenticated
+ util.newTab(oauth.loginForm().build());
+ oauth.openLoginForm();
+
+ assertThat(testRealm().users().get(user.getId()).getUserSessions(), Matchers.hasSize(0));
+ events.expect(EventType.LOGOUT)
+ .user(userId)
+ .session(accessToken.getSessionId())
+ .assertEvent();
+ }
+ }
+
 private void waitForAppPage(Runnable htmlUnitAction) {
 if (driver instanceof HtmlUnitDriver) {
 // authChecker.js javascript does not work with HtmlUnitDriver. So need to "refresh" the current browser tab by running the last action in order to simulate "already_logged_in"
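Review bot: In testLogoutInAnotherTabIfUserIsDisabled the event assertion uses `.user(userId)`, but no `userId` is declared in the method and the account created here is `disabledUserId`. If `userId` is a class-level field for another test user, the LOGOUT assertion checks the wrong account, so it should read `.user(disabledUserId)`. The test also never asserts what the second tab shows once the session is revoked. Adding `loginPage.assertCurrent();` after the final `oauth.openLoginForm();` would pin the outcome that matters, namely that a disabled user is sent back to the login form rather than silently signed in. `tab1WindowHandle` is assigned and never read and can be removed.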