keycloak/services
martinkrcka 953cd2681b
when the realm session limit is exceeded and behavior is set to Termi… (#48064)
* When the realm session limit is exceeded and the behavior is set to Terminate oldest session, the authenticator calls handleLimitExceeded(userSessionsForClient, userClientLimit) first.

If the user has fewer existing sessions for the current client than userClientLimit - 1, getNumberOfSessionsThatNeedToBeLoggedOut() returns a negative value and Stream.limit(negative) throws IllegalArgumentException, producing a 500 on every login to that client.

This change ensures that getNumberOfSessionsThatNeedToBeLoggedOut returns 0 if the calculated value is negative.
The dependent execution steps remain unchanged.
A result of 0 sessions to be purged from the current client triggers the removal of the oldest sessions across all clients.

Also added a regression test in UserSessionLimitsTest that reproduces the scenario: realm limit=2, client limit=3, two logins on client-a to saturate the realm, then a login on client-b (0 existing client sessions).

Fixes #48040

---------

Signed-off-by: Martin Krcka <martin.krcka@adesso.de>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Mateen Anjum <mateenali66@gmail.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2026-04-15 15:56:46 +02:00
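The failure mode the commit message describes, reduced to a stand-alone toy model. This is an added illustration, not Keycloak's code: the UserSession record, the method names, the "existing - (clientLimit - 1)" formula and the realm-wide fallback computation are assumptions chosen so that the counts match the commit message (client limit 3 with 0 existing client sessions yields -2 before the fix, 0 after it). The scenario in main() is constructed to mirror the regression test: realm limit 2, client limit 3, two sessions on client-a, then a login on client-b.

```java
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;

// Toy model of the "Terminate oldest session" path. Illustration only, NOT
// Keycloak's implementation: names and formulas below are assumptions.
public class SessionLimitDemo {

    // One active user session, tagged with the client it belongs to.
    record UserSession(String clientId, long startedAt) {}

    // Pre-fix behaviour (assumed formula): sessions to log out for the current
    // client. Goes negative as soon as the user has fewer than
    // (clientLimit - 1) sessions on that client.
    static long sessionsToLogOutBuggy(int existingForClient, int clientLimit) {
        return existingForClient - (clientLimit - 1);
    }

    // Post-fix behaviour: same computation, clamped at 0 because
    // Stream.limit rejects negative arguments.
    static long sessionsToLogOutFixed(int existingForClient, int clientLimit) {
        return Math.max(0, existingForClient - (clientLimit - 1));
    }

    // Sessions that would be terminated before the new login is admitted.
    // A count of 0 for the current client falls back to removing the oldest
    // sessions across all clients, as the commit message describes.
    static List<UserSession> sessionsToTerminate(List<UserSession> all, String clientId,
                                                 int clientLimit, int realmLimit, boolean fixed) {
        List<UserSession> forClient = all.stream()
                .filter(s -> s.clientId().equals(clientId))
                .sorted(Comparator.comparingLong(UserSession::startedAt))
                .collect(Collectors.toList());

        long n = fixed
                ? sessionsToLogOutFixed(forClient.size(), clientLimit)
                : sessionsToLogOutBuggy(forClient.size(), clientLimit);

        // The call that produced the 500: Stream.limit(negative) throws
        // IllegalArgumentException before any session is touched.
        List<UserSession> victims = forClient.stream().limit(n).collect(Collectors.toList());

        if (victims.isEmpty()) {
            // Realm-wide fallback (assumed formula): free exactly enough slots
            // for the incoming session, oldest first.
            long overflow = Math.max(0, all.size() - (realmLimit - 1));
            victims = all.stream()
                    .sorted(Comparator.comparingLong(UserSession::startedAt))
                    .limit(overflow)
                    .collect(Collectors.toList());
        }
        return victims;
    }

    public static void main(String[] args) {
        // Constructed scenario mirroring the regression test: realm limit 2,
        // client limit 3, two sessions already on client-a, then a login on
        // client-b with zero existing sessions for that client.
        List<UserSession> existing = List.of(
                new UserSession("client-a", 1_000L),
                new UserSession("client-a", 2_000L));

        try {
            sessionsToTerminate(existing, "client-b", 3, 2, false);
            System.out.println("pre-fix: no exception (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("pre-fix: " + e);
        }

        List<UserSession> victims = sessionsToTerminate(existing, "client-b", 3, 2, true);
        System.out.println("post-fix terminates: " + victims);
    }
}
```

Run with `java SessionLimitDemo.java` on Java 16 or newer. The pre-fix path throws on the Stream.limit call with the negative count; the post-fix path computes 0 for client-b, takes the realm-wide fallback, and selects the single oldest client-a session so the client-b login can proceed.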
..
src when the realm session limit is exceeded and behavior is set to Termi… (#48064) 2026-04-15 15:56:46 +02:00
pom.xml Add support for filtering on SCIM endpoints 2026-02-27 12:20:01 -03:00