diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index 4856c02..36f2d0c 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -414,10 +414,6 @@ public class AuthenticationManager {
return AuthenticationStatus.INVALID_USER;
}
- if (!user.isEnabled()) {
- return AuthenticationStatus.ACCOUNT_DISABLED;
- }
-
Set<String> types = new HashSet<String>();
for (RequiredCredentialModel credential : realm.getRequiredCredentials()) {
@@ -453,6 +449,10 @@ public class AuthenticationManager {
return AuthenticationStatus.INVALID_CREDENTIALS;
}
+ if (!user.isEnabled()) {
+ return AuthenticationStatus.ACCOUNT_DISABLED;
+ }
+
if (user.isTotp() && totp == null) {
return AuthenticationStatus.MISSING_TOTP;
}
@@ -471,6 +471,9 @@ public class AuthenticationManager {
if (!session.users().validCredentials(realm, user, UserCredentialModel.secret(secret))) {
return AuthenticationStatus.INVALID_CREDENTIALS;
}
+ if (!user.isEnabled()) {
+ return AuthenticationStatus.ACCOUNT_DISABLED;
+ }
if (!user.getRequiredActions().isEmpty()) {
return AuthenticationStatus.ACTIONS_REQUIRED;
} else {
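Review bot: The `!user.isEnabled()` guard added here duplicates the one added in the previous hunk and carries no explanation of why it now sits after `validCredentials` rather than at the method entry, so the reason for the placement is invisible at the point of use. Moving the check back before the password comparison would not only restore the "Account is disabled" oracle but also reintroduce a timing difference, since the hash comparison would be skipped for disabled users; that invariant is easy to lose without a note. Suggest adding `// Keep after credential validation so disabled accounts look like a bad password to an attacker who does not know the secret` at both sites, or factoring the three lines into one private helper so the intent is documented once. The enclosing method's success path continues beyond this hunk.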
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
index 0bb825f..3741c30 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
@@ -119,6 +119,62 @@ public class LoginTest {
}
@Test
+ public void loginInvalidPasswordDisabledUser() {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(false);
+ }
+ });
+
+ try {
+ loginPage.open();
+ loginPage.login("login-test", "invalid");
+
+ loginPage.assertCurrent();
+
+ Assert.assertEquals("Invalid username or password.", loginPage.getError());
+
+ events.expectLogin().user(userId).session((String) null).error("invalid_user_credentials").detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).assertEvent();
+ } finally {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(true);
+ }
+ });
+ }
+ }
+
+ @Test
+ public void loginDisabledUser() {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(false);
+ }
+ });
+
+ try {
+ loginPage.open();
+ loginPage.login("login-test", "password");
+
+ loginPage.assertCurrent();
+
+ Assert.assertEquals("Account is disabled, contact admin", loginPage.getError());
+
+ events.expectLogin().user(userId).session((String) null).error("user_disabled").detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).assertEvent();
+ } finally {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(true);
+ }
+ });
+ }
+ }
+
+ @Test
public void loginInvalidUsername() {
loginPage.open();
loginPage.login("invalid", "password");