keycloak/keycloak

Unexpected HTTP/1.x request (HTTP/2 mismatch) when enabling Kerberos (SPNEGO)

Open

#45.863 geöffnet am 29. Jan. 2026

Auf GitHub ansehen
 (1 Kommentar) (2 Reaktionen) (0 zugewiesene Personen)Java (8.346 Forks)batch import
area/authenticationhelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-authnteam/core-clients

Repository-Metriken

Stars
 (34.398 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 6T 19h) (384 gemergte PRs in 30 T)

Beschreibung

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

Hello,

Environment

Keycloak 26.4.5 : Deployed on kubernetes and Keycloak behind Traefik Browsers: Chrome / Firefox (behavior differs per browser)

Observed behaviour

Enabling Kerberos in the browser authentication flow triggers the issue.

Keycloak log example:

ERROR io.vertx.core.net.impl.ConnectionBase Unexpected HTTP/1.x request: GET /realms/XXXX/account io.netty.handler.codec.http2.Http2Exception: Unexpected HTTP/1.x request: GET /favicon.ico

Workaround tested

QUARKUS_HTTP_HTTP2=false (disable HTTP/2 on Keycloak) — problem disappears.

Version

26.4.5

Regression

  • The issue is a regression

Expected behavior

No mismatch protocol

Actual behavior

When I enable Kerberos (SPNEGO) in the browser authentication flow, Keycloak logs an HTTP/2/HTTP1.x protocol mismatch (Vert.x / Netty: "Unexpected HTTP/1.x request"). Setting QUARKUS_HTTP_HTTP2=false on Keycloak removes the issue.

How to Reproduce?

  • Ensure Keycloak is reachable only via Traefik.
  • Enable Kerberos (SPNEGO) in the browser authentication flow (Account / Browser flow).
  • From a browser perform a full login using the Kerberos/SPNEGO flow.
  • Trigger the problematic sequence by invoking the flow that uses Negotiate. Observe several 401/Negotiate exchanges between browser and server.
  • During/after the Kerberos exchanges, reload the page or request a protected Keycloak resource.
  • Observe failures: some requests return 500 and Keycloak logs the Http2Exception "Unexpected HTTP/1.x request".

Anything else?

No response

Contributor Guide