Fix: deny the blocked user request

pkg/apiserver/authentication/authenticators/jwt/jwt.go

@@ -60,15 +60,19 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string
 		}, true, nil
 	}
 
-	u, err := t.userLister.Get(verified.User.GetName())
+	userInfo, err := t.userLister.Get(verified.User.GetName())
 	if err != nil {
 		return nil, false, err
 	}
 
+	// AuthLimitExceeded state should be ignored
+	if userInfo.Status.State == iamv1alpha2.UserDisabled {
+		return nil, false, auth.AccountIsNotActiveError
+	}
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
-			Name:   u.GetName(),
-			Groups: append(u.Spec.Groups, user.AllAuthenticated),
+			Name:   userInfo.GetName(),
+			Groups: append(userInfo.Spec.Groups, user.AllAuthenticated),
 		},
 	}, true, nil
 }

pkg/kapis/oauth/handler.go

@@ -437,6 +437,9 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R
 	authenticated, provider, err := h.passwordAuthenticator.Authenticate(req.Request.Context(), username, password)
 	if err != nil {
 		switch err {
+		case auth.AccountIsNotActiveError:
+			response.WriteHeaderAndEntity(http.StatusBadRequest, oauth.NewInvalidGrant(err))
+			return
 		case auth.IncorrectPasswordError:
 			requestInfo, _ := request.RequestInfoFrom(req.Request.Context())
 			if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, provider, requestInfo.SourceIP, requestInfo.UserAgent, err); err != nil {