CIBA Authentication Error Response Returns 400 Instead of 403 for access_denied
#44,347 opened on 2025年11月20日
Repository metrics
- Stars
- (34,398 stars)
- PR merge metrics
- (平均マージ 6d 19h) (30d で 384 merged PRs)
説明
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
Description
According to the OpenID Connect CIBA specification (Section
7), when the authorization server encounters an
access_denied error during backchannel authentication, it should return HTTP status code 403 (Forbidden).
However, Keycloak currently returns 400 (Bad Request) for access_denied errors in CIBA flows, which is not compliant with the specification.
Specification Reference
- Authentication Error Response
If the request is invalid or unauthorized, the authorization server constructs the error response based on the error response defined in Section 5.2 of [RFC6749] with the following specific error codes:
- access_denied - The resource owner or authorization server denied the request. HTTP Status Code: 403
Impact
This non-compliance may cause issues for:
- OAuth 2.0 clients that rely on proper HTTP status codes for error handling
- API gateways or middleware that route based on status codes
- Monitoring systems that track errors by status code
- OpenID certification compliance
References
- https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_error_response
- https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
When a CIBA authentication request is denied (e.g., user rejects the authentication request), the backchannel authentication endpoint should return:
- HTTP Status Code:
403 Forbidden - Response Body:
{
"error": "access_denied",
"error_description": "The resource owner or authorization server denied the request"
}
Actual behavior
Keycloak returns:
- HTTP Status Code: 400 Bad Request
- Response Body:
{
"error": "access_denied",
"error_description": "..."
}
How to Reproduce?
- Configure Keycloak with CIBA enabled
- Send a backchannel authentication request to the /auth/realms/{realm}/protocol/openid-connect/ext/ciba/auth endpoint
- Have the end-user deny/reject the authentication request
- Observe the HTTP status code returned (currently 400 instead of 403)
Anything else?
No response