All pubic brokers are shown during authentication rather than only those associated with the current organization

Closes #31246

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

services/src/main/java/org/keycloak/organization/forms/login/freemarker/model/OrganizationAwareIdentityProviderBean.java

@@ -74,6 +74,12 @@ public class OrganizationAwareIdentityProviderBean extends IdentityProviderBean
             return false;
         }
 
+        OrganizationModel organization = (OrganizationModel) session.getAttribute(OrganizationModel.class.getName());
+
+        if (organization != null && !organization.getId().equals(model.getOrganizationId())) {
+            return false;
+        }
+
         return Boolean.parseBoolean(model.getConfig().getOrDefault(OrganizationModel.BROKER_PUBLIC, Boolean.FALSE.toString()));
     }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/AbstractBrokerSelfRegistrationTest.java

@@ -432,6 +432,35 @@ public abstract class AbstractBrokerSelfRegistrationTest extends AbstractOrganiz
         Assert.assertTrue(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
     }
 
+    @Test
+    public void testOnlyShowBrokersAssociatedWithResolvedOrganization() {
+        String org0Name = "org-0";
+        OrganizationResource org0 = testRealm().organizations().get(createOrganization(org0Name).getId());
+        IdentityProviderRepresentation org0Broker = org0.identityProviders().getIdentityProviders().get(0);
+        org0Broker.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
+        org0Broker.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
+        testRealm().identityProviders().get(org0Broker.getAlias()).update(org0Broker);
+        String org1Name = "org-1";
+        OrganizationResource org1 = testRealm().organizations().get(createOrganization(org1Name).getId());
+        IdentityProviderRepresentation org1Broker = org1.identityProviders().getIdentityProviders().get(0);
+        org1Broker.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
+        org1Broker.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
+        testRealm().identityProviders().get(org1Broker.getAlias()).update(org1Broker);
+
+        oauth.clientId("broker-app");
+        loginPage.open(bc.consumerRealmName());
+        loginPage.loginUsername("user@org-0.org");
+        Assert.assertTrue(driver.getPageSource().contains("Your email domain matches the " + org0Name + " organization but you don't have an account yet."));
+        Assert.assertTrue(loginPage.isSocialButtonPresent(org0Broker.getAlias()));
+        Assert.assertFalse(loginPage.isSocialButtonPresent(org1Broker.getAlias()));
+
+        loginPage.open(bc.consumerRealmName());
+        loginPage.loginUsername("user@org-1.org");
+        Assert.assertTrue(driver.getPageSource().contains("Your email domain matches the " + org1Name + " organization but you don't have an account yet."));
+        Assert.assertTrue(loginPage.isSocialButtonPresent(org1Broker.getAlias()));
+        Assert.assertFalse(loginPage.isSocialButtonPresent(org0Broker.getAlias()));
+    }
+
     @Test
     public void testLoginUsingBrokerWithoutDomain() {
         OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());