Make sure disabled organization is ignored when re-authenticating

Closes #45924 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-03 20:39:33 -05:00 · 2026-02-03 08:41:39 -03:00 · 2026-02-03 08:41:39 -03:00 · 072f547b71
commit 072f547b71
parent 47408e8620
2 changed files with 26 additions and 4 deletions
--- a/services/src/main/java/org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.java
+++ b/services/src/main/java/org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.java
@ -203,10 +203,6 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {

        if (alias.isEmpty()) {
            organization = Organizations.resolveOrganization(session, user, domain);
-            if (organization != null && isSSOAuthentication(authSession)) {
-                // make sure the organization selected by the user is available from the client session when running mappers and issuing tokens
-                authSession.setClientNote(OrganizationModel.ORGANIZATION_ATTRIBUTE, organization.getId());
-            }
        } else {
            OrganizationProvider provider = getOrganizationProvider();
            organization = provider.getByAlias(alias.get(0));
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/mapper/OrganizationOIDCProtocolMapperTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/mapper/OrganizationOIDCProtocolMapperTest.java
@ -380,6 +380,32 @@ public class OrganizationOIDCProtocolMapperTest extends AbstractOrganizationTest
        oauth.scope("organization:" + orgB.getAlias());
        oauth.openLoginForm();
        assertTrue(driver.getCurrentUrl().contains("Invalid+scopes%3A+openid+organization"));
+
+        oauth.scope("organization:" + orgA.getAlias());
+        oauth.openLoginForm();
+        loginPage.loginUsername(member.getEmail());
+        loginPage.login(memberPassword);
+        response = assertSuccessfulCodeGrant();
+        assertThat(response.getScope(), containsString("organization"));
+        accessToken = oauth.verifyToken(response.getAccessToken());
+        organizations = (List<String>) accessToken.getOtherClaims().get(OAuth2Constants.ORGANIZATION);
+        assertThat(accessToken.getOtherClaims().keySet(), hasItem(OAuth2Constants.ORGANIZATION));
+        assertThat(organizations.contains(orgA.getAlias()), is(true));
+        assertThat(organizations.contains(orgB.getAlias()), is(false));
+        oauth.openLoginForm();
+        appPage.assertCurrent();
+        orgA.setEnabled(false);
+        testRealm().organizations().get(orgA.getId()).update(orgA).close();
+        oauth.openLoginForm();
+        assertTrue(driver.getCurrentUrl().contains("Invalid+scopes%3A+openid+organization"));
+
+        oauth.scope("");
+        oauth.openLoginForm();
+        appPage.assertCurrent();
+        response = assertSuccessfulCodeGrant();
+        assertThat(response.getScope(), not(containsString("organization")));
+        accessToken = oauth.verifyToken(response.getAccessToken());
+        assertThat(accessToken.getOtherClaims().keySet(), not(hasItem(OAuth2Constants.ORGANIZATION)));
    }

    @Test