Mark user session for removal when the user bound to cannot be resolved

Closes #40398 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-10 15:32:05 -03:30 · 2025-07-10 15:37:18 -03:00 · 2025-07-10 15:37:18 -03:00 · 88069cd5fb
commit 88069cd5fb
parent 173471a1c9
2 changed files with 6 additions and 0 deletions
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/PersistentUserSessionProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/PersistentUserSessionProvider.java
@ -585,6 +585,8 @@ public class PersistentUserSessionProvider implements UserSessionProvider, Sessi
        user = session.users().getUserById(realm, entity.getUser());

        if (user == null) {
+            // mark the user session for removal when the user bound to the session can not be resolved
+            removeUserSession(realm, wrap(realm, entity, offline, null));
            return null;
        }

--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
@ -411,6 +411,10 @@ public class LogoutEndpoint {
            try {
                userSession = session.sessions().getUserSession(realm, userSessionIdFromIdToken);

+                if (userSession == null) {
+                    userSession = session.sessions().getOfflineUserSession(realm, userSessionIdFromIdToken);
+                }
+
                if (userSession == null) {
                    event.event(EventType.LOGOUT);
                    event.error(Errors.SESSION_EXPIRED);