Make sure disabled organization is ignored when re-authenticating

Closes #45924

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2026-02-03 08:41:39 -03:00 committed by GitHub
parent 47408e8620
commit 072f547b71
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 26 additions and 4 deletions


@ -203,10 +203,6 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
if (alias.isEmpty()) { if (alias.isEmpty()) {
organization = Organizations.resolveOrganization(session, user, domain); organization = Organizations.resolveOrganization(session, user, domain);
if (organization != null && isSSOAuthentication(authSession)) {
// make sure the organization selected by the user is available from the client session when running mappers and issuing tokens
authSession.setClientNote(OrganizationModel.ORGANIZATION_ATTRIBUTE, organization.getId());
}
} else { } else {
OrganizationProvider provider = getOrganizationProvider(); OrganizationProvider provider = getOrganizationProvider();
organization = provider.getByAlias(alias.get(0)); organization = provider.getByAlias(alias.get(0));


@ -380,6 +380,32 @@ public class OrganizationOIDCProtocolMapperTest extends AbstractOrganizationTest
oauth.scope("organization:" + orgB.getAlias()); oauth.scope("organization:" + orgB.getAlias());
oauth.openLoginForm(); oauth.openLoginForm();
assertTrue(driver.getCurrentUrl().contains("Invalid+scopes%3A+openid+organization")); assertTrue(driver.getCurrentUrl().contains("Invalid+scopes%3A+openid+organization"));
oauth.scope("organization:" + orgA.getAlias());
oauth.openLoginForm();
loginPage.loginUsername(member.getEmail());
loginPage.login(memberPassword);
response = assertSuccessfulCodeGrant();
assertThat(response.getScope(), containsString("organization"));
accessToken = oauth.verifyToken(response.getAccessToken());
organizations = (List<String>) accessToken.getOtherClaims().get(OAuth2Constants.ORGANIZATION);
assertThat(accessToken.getOtherClaims().keySet(), hasItem(OAuth2Constants.ORGANIZATION));
assertThat(organizations.contains(orgA.getAlias()), is(true));
assertThat(organizations.contains(orgB.getAlias()), is(false));
oauth.openLoginForm();
appPage.assertCurrent();
orgA.setEnabled(false);
testRealm().organizations().get(orgA.getId()).update(orgA).close();
oauth.openLoginForm();
assertTrue(driver.getCurrentUrl().contains("Invalid+scopes%3A+openid+organization"));
oauth.scope("");
oauth.openLoginForm();
appPage.assertCurrent();
response = assertSuccessfulCodeGrant();
assertThat(response.getScope(), not(containsString("organization")));
accessToken = oauth.verifyToken(response.getAccessToken());
assertThat(accessToken.getOtherClaims().keySet(), not(hasItem(OAuth2Constants.ORGANIZATION)));
} }
@Test @Test
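Review bot: orgA is disabled at lines 46–47 (`orgA.setEnabled(false)` followed by `update(orgA).close()`) and never re-enabled before the method returns, so if the organization fixtures are shared across test methods in this class, later tests would run against a disabled orgA; the class's setup and teardown are outside this hunk, so this is worth confirming. If they are shared, restore the state at the end of the method, e.g. `orgA.setEnabled(true); testRealm().organizations().get(orgA.getId()).update(orgA).close();`, or wrap the disabled-organization section in try/finally so a failing assertion does not leave it disabled. The assertions at lines 54 and 56 are the ones that pin the fix — the re-authenticated token carries neither the `organization` scope nor the claim once the organization is disabled — and a comment above line 46 such as `// a disabled organization must drop out of scope and claims on SSO re-authentication` would make that intent explicit to the next reader. The enclosing test method starts before this hunk.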