Handle auth-session cleanup when client is missing or disabled (#46878)

Fixes #46738 Signed-off-by: Oluwatobi Mustapha <oluwatobimustapha539@gmail.com>
2026-05-28 04:13:22 -04:00 · 2026-03-09 15:41:33 +01:00 · 2026-03-09 15:41:33 +01:00 · db44c8a38c
commit db44c8a38c
parent 18e1100d15
2 changed files with 39 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java
+++ b/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java
@ -261,7 +261,7 @@ public class SessionCodeChecks {
            event.error(Errors.CLIENT_NOT_FOUND);
            session.getProvider(LoginFormsProvider.class).setDetachedAuthSession();
            response = ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.UNKNOWN_LOGIN_REQUESTER);
-            clientCode.removeExpiredClientSession();
+            removeAuthenticationSession(authSession);
            return false;
        }

@ -272,7 +272,7 @@ public class SessionCodeChecks {
            event.error(Errors.CLIENT_DISABLED);
            session.getProvider(LoginFormsProvider.class).setDetachedAuthSession();
            response = ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.LOGIN_REQUESTER_NOT_ENABLED);
-            clientCode.removeExpiredClientSession();
+            removeAuthenticationSession(authSession);
            return false;
        }

@ -513,6 +513,13 @@ public class SessionCodeChecks {
        return event;
    }

+    private void removeAuthenticationSession(AuthenticationSessionModel authSession) {
+        ClientSessionCode<AuthenticationSessionModel> codeToRemove = clientCode != null
+                ? clientCode
+                : new ClientSessionCode<>(session, realm, authSession);
+        codeToRemove.removeExpiredClientSession();
+    }
+
    protected boolean checkClientDisabled(ClientModel client) {
        return !client.isEnabled();
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
@ -909,6 +909,36 @@ public class LoginTest extends AbstractChangeImportedUserPasswordsTest {
        errorPage.assertCurrent();
    }

+    @Test
+    public void loginWithClientDisabledInActiveAuthenticationSession() {
+        ClientResource clientResource = findClientByClientId(adminClient.realm("test"), "test-app");
+        ClientRepresentation clientRepresentation = clientResource.toRepresentation();
+        boolean wasEnabled = clientRepresentation.isEnabled();
+
+        try {
+            oauth.clientId("test-app");
+            oauth.openLoginForm();
+            loginPage.assertCurrent();
+
+            clientRepresentation.setEnabled(false);
+            clientResource.update(clientRepresentation);
+
+            loginPage.login("test-user@localhost", getPassword("test-user@localhost"));
+
+            errorPage.assertCurrent();
+            assertEquals("Login requester not enabled", errorPage.getError());
+            events.expect(EventType.LOGIN)
+                    .client("test-app")
+                    .user((String) null)
+                    .session((String) null)
+                    .error(Errors.CLIENT_DISABLED)
+                    .assertEvent();
+        } finally {
+            clientRepresentation.setEnabled(wasEnabled);
+            clientResource.update(clientRepresentation);
+        }
+    }
+
    @Test
    public void openLoginFormWithDifferentApplication() throws Exception {
        oauth.clientId("root-url-client");