keycloak · keshavprashantdeshpande · Jul 4, 2025 · Jul 8, 2025
@@ -24,6 +24,7 @@
 
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
+import org.keycloak.authentication.AuthenticationFlowException;
 import org.keycloak.authentication.AuthenticationProcessor;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
@@ -111,7 +112,16 @@ public Response process(Context context) {
                 .setSession(session)
                 .setUriInfo(session.getContext().getUri())
                 .setRequest(request);
-        Response challenge = processor.authenticateOnly();
+        Response challenge = null;
+        try {
+            challenge = processor.authenticateOnly();
+        } catch (AuthenticationFlowException afe) {
+            new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, false);
+            String errorMessage = "Cannot find user (Unknown user)";
+            event.detail(Details.REASON, errorMessage);
+            event.error(Errors.USER_NOT_FOUND);
+            throw new CorsErrorResponseException(cors, afe.getError().name(), errorMessage, Response.Status.BAD_REQUEST);
+        }
         if (challenge != null) {
             // Remove authentication session as "Resource Owner Password Credentials Grant" is single-request scoped authentication
             new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, false);

@@ -32,6 +32,7 @@
 import org.keycloak.OAuthErrorException;
 import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.authentication.AuthenticationFlowError;
 import org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator;
 import org.keycloak.common.Profile;
 import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
@@ -775,6 +776,27 @@ public void grantAccessTokenNoRefreshToken() throws Exception {
         assertNull(response.getRefreshToken());
     }
 
+    @Test
+    public void grantAccessTokenServiceAccountUserOfOtherClient() throws Exception {
+        ClientManager.realm(adminClient.realm("test")).clientId("resource-owner").setServiceAccountsEnabled(true);
+        oauth.client("resource-owner-refresh", "secret");
+        AccessTokenResponse response = oauth.doPasswordGrantRequest("service-account-resource-owner", "password");
+
+        assertEquals(400, response.getStatusCode());
+        assertEquals(AuthenticationFlowError.UNKNOWN_USER.name(), response.getError());
+        assertEquals("Cannot find user (Unknown user)", response.getErrorDescription());
+        events.expectLogin()
+                .client("resource-owner-refresh")
+                .user((String) null)
+                .session((String) null)
+                .detail(Details.REASON, "Cannot find user (Unknown user)")
+                .error(Errors.USER_NOT_FOUND)
+                .clearDetails()
+                .assertEvent();
+
+        ClientManager.realm(adminClient.realm("test")).clientId("resource-owner").setServiceAccountsEnabled(false);
+    }
+
     private int getAuthenticationSessionsCount() {
         return testingClient.testing().cache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME).size();
     }