KEYCLOAK-7961 Avoid sending back-channel logout requests to disabled clients

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -389,6 +389,10 @@ public class AuthenticationManager {
             return true;
         }
 
+        if (!client.isEnabled()) {
+            return false;
+        }
+
         try {
             setClientLogoutAction(logoutAuthSession, client.getId(), AuthenticationSessionModel.Action.LOGGING_OUT);
 

services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java

@@ -215,6 +215,11 @@ public class ResourceAdminManager {
 
 
     protected GlobalRequestResult logoutClient(RealmModel realm, ClientModel resource, int notBefore) {
+
+        if (!resource.isEnabled()) {
+            return new GlobalRequestResult();
+        }
+
         List<String> mgmtUrls = getAllManagementUrls(resource);
         if (mgmtUrls.isEmpty()) {
             logger.debug("No management URL or no registered cluster nodes for the client " + resource.getClientId());