diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
index 6746d9d..e6a2175 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
@@ -444,8 +444,10 @@ public class SamlProtocol implements LoginProtocol {
@Override
public Response consentDenied(ClientSessionModel clientSession) {
if ("true".equals(clientSession.getClient().getAttribute(SAML_IDP_INITIATED_LOGIN))) {
+ session.sessions().removeClientSession(realm, clientSession);
return ErrorPage.error(session, Messages.CONSENT_DENIED);
} else {
+ session.sessions().removeClientSession(realm, clientSession);
return getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
}
}
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
index 8748079..bfdffad 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@@ -148,6 +148,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
UriBuilder redirectUri = UriBuilder.fromUri(redirect).queryParam(OAuth2Constants.ERROR, "access_denied");
if (state != null)
redirectUri.queryParam(OAuth2Constants.STATE, state);
+ session.sessions().removeClientSession(realm, clientSession);
Response.ResponseBuilder location = Response.status(302).location(redirectUri.build());
return location.build();
}
