KEYCLOAK-2547 NPE in TokenEndpoint and InfinispanUserSessionProvider

model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java

@@ -270,7 +270,9 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
     @Override
     public void removeUserSession(RealmModel realm, UserSessionModel session) {
         UserSessionEntity entity = getUserSessionEntity(session, false);
-        removeUserSession(realm, entity, false);
+        if (entity != null) {
+            removeUserSession(realm, entity, false);
+        }
     }
 
     @Override
@@ -553,7 +555,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
             return ((UserSessionAdapter) userSession).getEntity();
         } else {
             Cache<String, SessionEntity> cache = getCache(offline);
-            return (UserSessionEntity) cache.get(userSession.getId());
+            return cache != null ? (UserSessionEntity) cache.get(userSession.getId()) : null;
         }
     }
 
@@ -578,7 +580,9 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
     @Override
     public void removeOfflineUserSession(RealmModel realm, UserSessionModel userSession) {
         UserSessionEntity userSessionEntity = getUserSessionEntity(userSession, true);
-        removeUserSession(realm, userSessionEntity, true);
+        if (userSessionEntity != null) {
+            removeUserSession(realm, userSessionEntity, true);
+        }
     }
 
     @Override

services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

@@ -222,6 +222,22 @@ public class TokenEndpoint {
 
         accessCode.setAction(null);
         UserSessionModel userSession = clientSession.getUserSession();
+
+        if (userSession == null) {
+            event.error(Errors.USER_SESSION_NOT_FOUND);
+            throw new ErrorResponseException("invalid_grant", "User session not found", Response.Status.BAD_REQUEST);
+        }
+
+        UserModel user = userSession.getUser();
+        if (user == null) {
+            event.error(Errors.USER_NOT_FOUND);
+            throw new ErrorResponseException("invalid_grant", "User not found", Response.Status.BAD_REQUEST);
+        }
+        if (!user.isEnabled()) {
+            event.error(Errors.USER_DISABLED);
+            throw new ErrorResponseException("invalid_grant", "User disabled", Response.Status.BAD_REQUEST);
+        }
+
         event.user(userSession.getUser());
         event.session(userSession.getId());
 
@@ -241,17 +257,6 @@ public class TokenEndpoint {
             throw new ErrorResponseException("invalid_grant", "Client not allowed to exchange code", Response.Status.BAD_REQUEST);
         }
 
-        UserModel user = session.users().getUserById(userSession.getUser().getId(), realm);
-        if (user == null) {
-            event.error(Errors.USER_NOT_FOUND);
-            throw new ErrorResponseException("invalid_grant", "User not found", Response.Status.BAD_REQUEST);
-        }
-
-        if (!user.isEnabled()) {
-            event.error(Errors.USER_DISABLED);
-            throw new ErrorResponseException("invalid_grant", "User disabled", Response.Status.BAD_REQUEST);
-        }
-
         if (!AuthenticationManager.isSessionValid(realm, userSession)) {
             event.error(Errors.USER_SESSION_NOT_FOUND);
             throw new ErrorResponseException("invalid_grant", "Session not active", Response.Status.BAD_REQUEST);