Merge pull request #1195 from mposolda/master

When revoke consent from admin console, logout clientSessions similarly ...

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -157,6 +157,22 @@ public class AuthenticationManager {
 
     }
 
+    // Logout all clientSessions of this user and client
+    public static void backchannelUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, UriInfo uriInfo, HttpHeaders headers) {
+        String clientId = client.getId();
+
+        List<UserSessionModel> userSessions = session.sessions().getUserSessions(realm, user);
+        for (UserSessionModel userSession : userSessions) {
+            List<ClientSessionModel> clientSessions = userSession.getClientSessions();
+            for (ClientSessionModel clientSession : clientSessions) {
+                if (clientSession.getClient().getId().equals(clientId)) {
+                    AuthenticationManager.backchannelLogoutClientSession(session, realm, clientSession, userSession, uriInfo, headers);
+                    TokenManager.dettachClientSession(session.sessions(), realm, clientSession);
+                }
+            }
+        }
+    }
+
     public static Response browserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers) {
         if (userSession == null) return null;
         UserModel user = userSession.getUser();

services/src/main/java/org/keycloak/services/resources/AccountService.java

@@ -517,16 +517,7 @@ public class AccountService {
         user.revokeConsentForClient(client.getId());
 
         // Logout clientSessions for this user and client
-        List<UserSessionModel> userSessions = session.sessions().getUserSessions(realm, user);
+        AuthenticationManager.backchannelUserFromClient(session, realm, user, client, uriInfo, headers);
-        for (UserSessionModel userSession : userSessions) {
-            List<ClientSessionModel> clientSessions = userSession.getClientSessions();
-            for (ClientSessionModel clientSession : clientSessions) {
-                if (clientSession.getClient().getId().equals(clientId)) {
-                    AuthenticationManager.backchannelLogoutClientSession(session, realm, clientSession, userSession, uriInfo, headers);
-                    TokenManager.dettachClientSession(session.sessions(), realm, clientSession);
-                }
-            }
-        }
 
         event.event(EventType.REVOKE_GRANT).client(auth.getClient()).user(auth.getUser()).detail(Details.REVOKED_CLIENT, client.getClientId()).success();
         setReferrerOnPage();

services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java

@@ -77,8 +77,6 @@ public class UsersResource {
 
     private RealmAuth auth;
     
-    private TokenManager tokenManager;
-    
     @Context
     protected ClientConnection clientConnection;
 
@@ -94,7 +92,6 @@ public class UsersResource {
     public UsersResource(RealmModel realm, RealmAuth auth, TokenManager tokenManager) {
         this.auth = auth;
         this.realm = realm;
-        this.tokenManager = tokenManager;
 
         auth.init(RealmAuth.Resource.USER);
     }
@@ -357,7 +354,10 @@ public class UsersResource {
 
         ClientModel client = realm.getClientByClientId(clientId);
         boolean revoked = user.revokeConsentForClient(client.getId());
-        if (!revoked) {
+        if (revoked) {
+            // Logout clientSessions for this user and client
+            AuthenticationManager.backchannelUserFromClient(session, realm, user, client, uriInfo, headers);
+        } else {
             throw new NotFoundException("Consent not found for user " + username + " and client " + clientId);
         }
     }