Merge pull request #2038 from DuendeSoftware/ka-dscs-fix-7.2

Add null-check for client before coordinating session lifecycle
2026-05-24 09:28:24 +00:00 · 2025-06-04 13:03:02 -04:00 · 2025-06-04 13:03:02 -04:00 · dcf95c080f
commit dcf95c080f
parent 97927d9219 463518332e
2 changed files with 49 additions and 7 deletions
--- a/identity-server/src/IdentityServer/Services/Default/DefaultSessionCoordinationService.cs
+++ b/identity-server/src/IdentityServer/Services/Default/DefaultSessionCoordinationService.cs
@ -137,14 +137,17 @@ public class DefaultSessionCoordinationService : ISessionCoordinationService
        {
            var client = await ClientStore.FindClientByIdAsync(clientId); // i don't think we care if it's an enabled client at this point

-            var shouldCoordinate =
-                client.CoordinateLifetimeWithUserSession == true ||
-                (Options.Authentication.CoordinateClientLifetimesWithUserSession && client.CoordinateLifetimeWithUserSession != false);
-
-            if (shouldCoordinate)
+            if (client != null)
            {
-                // this implies they should also be contacted for backchannel logout below
-                clientsToCoordinate.Add(clientId);
+                var shouldCoordinate =
+                    client.CoordinateLifetimeWithUserSession == true ||
+                    (Options.Authentication.CoordinateClientLifetimesWithUserSession && client.CoordinateLifetimeWithUserSession != false);
+
+                if (shouldCoordinate)
+                {
+                    // this implies they should also be contacted for backchannel logout below
+                    clientsToCoordinate.Add(clientId);
+                }
            }
        }

--- a/identity-server/test/IdentityServer.UnitTests/Services/Default/DefaultSessionCoordinationServiceTests.cs
+++ b/identity-server/test/IdentityServer.UnitTests/Services/Default/DefaultSessionCoordinationServiceTests.cs
@ -0,0 +1,39 @@
+using System.Threading.Tasks;
+using Duende.IdentityServer.Configuration;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Services;
+using Duende.IdentityServer.Stores;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using UnitTests.Endpoints.EndSession;
+using Xunit;
+
+namespace UnitTests.Services.Default;
+
+public class DefaultSessionCoordinationServiceTests
+{
+    public DefaultSessionCoordinationService Service;
+
+    [Fact]
+    public async Task Handles_missing_client_null_reference()
+    {
+        var stubBackChannelLogoutClient = new StubBackChannelLogoutClient();
+        Service = new DefaultSessionCoordinationService(
+            new IdentityServerOptions(),
+            new InMemoryPersistedGrantStore(),
+            new InMemoryClientStore([]),
+            stubBackChannelLogoutClient,
+            new NullLogger<DefaultSessionCoordinationService>());
+        
+        await Service.ProcessExpirationAsync(new UserSession
+        {
+            ClientIds = ["not_found"],
+            SessionId = "1",
+            SubjectId = "1"
+        });
+        
+        stubBackChannelLogoutClient
+            .SendLogoutsWasCalled
+            .ShouldBeFalse();
+    }
+}