User validation in JWT Authorization Grant (#346)

Fixes CVE-2026-1609

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Co-authored-by: Giuseppe Graziano <g.graziano94@gmail.com>

Author: stianst

docs/guides/securing-apps/jwt-authorization-grant.adoc

@@ -40,6 +40,8 @@ The exact processing that {project_name} performs over the assertion is the foll
 . Other claims like `nbf` (not before), `iat` (issued at) and `jti` (JWT ID) can be present and should be validated in that case.
 . The JWT should be signed and its signature should be verified with the keys associated to the identity provider in {project_name}.
 
+NOTE: Brute force protection is not applied to the JWT Authorization Grant for temporarily locked users, since this grant type does not perform user credential-based authentication but relies on an assertion issued by an external identity provider, and therefore cannot be compromised by brute force attacks on credentials of {project_name} user.
+
 == Configuration
 
 Only confidential clients can request a JWT authorization grant. In order to allow a client to send such a grant, the client should be configured accordingly. Using the admin console, **clients** -> select your client -> **Settings** tab -> **Capability config** section.

services/src/main/java/org/keycloak/protocol/oidc/grants/JWTAuthorizationGrantType.java

@@ -111,6 +111,12 @@ public Response process(Context context) {
             if (user == null) {
                 throw new RuntimeException("User not found");
             }
+            if (!user.isEnabled()) {
+                throw new RuntimeException("User is not enabled");
+            }
+            if (user.getRequiredActionsStream().findAny().isPresent()) {
+                throw new RuntimeException("Account is not fully set up");
+            }
             event.user(user);
             event.detail(Details.USERNAME, user.getUsername());
 

tests/base/src/test/java/org/keycloak/tests/oauth/AbstractJWTAuthorizationGrantTest.java

@@ -1,5 +1,6 @@
 package org.keycloak.tests.oauth;
 
+import java.util.Collections;
 import java.util.List;
 
 import org.keycloak.OAuth2Constants;
@@ -11,6 +12,7 @@
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.IDToken;
 import org.keycloak.representations.JsonWebToken;
+import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testframework.events.EventAssertion;
 import org.keycloak.testframework.oauth.OAuthIdentityProvider;
 import org.keycloak.testsuite.util.oauth.AccessTokenResponse;
@@ -309,4 +311,33 @@ public void testDisabledIdentityProvider() {
         AccessTokenResponse response = oAuthClient.jwtAuthorizationGrantRequest(jwt).send();
         assertFailure("Identity Provider is not enabled", response, events.poll());
     }
+
+    @Test
+    public void testUserDisabled() {
+        UserRepresentation userRep = user.admin().toRepresentation();
+        userRep.setEnabled(false);
+        user.admin().update(userRep);
+
+        String jwt = getIdentityProvider().encodeToken(createDefaultAuthorizationGrantToken());
+        AccessTokenResponse response = oAuthClient.jwtAuthorizationGrantRequest(jwt).send();
+        assertFailure("User is not enabled", response, events.poll());
+
+        userRep.setEnabled(true);
+        user.admin().update(userRep);
+    }
+
+    @Test
+    public void testUserWithRequiredAction() {
+        UserRepresentation userRep = user.admin().toRepresentation();
+        userRep.setRequiredActions(Collections.singletonList("UPDATE_PASSWORD"));
+        user.admin().update(userRep);
+
+        String jwt = getIdentityProvider().encodeToken(createDefaultAuthorizationGrantToken());
+        AccessTokenResponse response = oAuthClient.jwtAuthorizationGrantRequest(jwt).send();
+        assertFailure("Account is not fully set up", response, events.poll());
+
+        userRep = user.admin().toRepresentation();
+        userRep.setRequiredActions(Collections.emptyList());
+        user.admin().update(userRep);
+    }
 }