keycloak/keycloak

CIBA Authentication Error Response Returns 400 Instead of 403 for access_denied

Open

#44,347 opened on 2025年11月20日

GitHub で見る
 (1 comment) (1 reaction) (0 assignees)Java (8,346 forks)batch import
area/oidchelp wantedkind/bugpriority/normalstatus/auto-bumpteam/core-clients

Repository metrics

Stars
 (34,398 stars)
PR merge metrics
 (平均マージ 6d 19h) (30d で 384 merged PRs)

説明

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

Description

According to the OpenID Connect CIBA specification (Section 7), when the authorization server encounters an access_denied error during backchannel authentication, it should return HTTP status code 403 (Forbidden).

However, Keycloak currently returns 400 (Bad Request) for access_denied errors in CIBA flows, which is not compliant with the specification.

Specification Reference

From https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_error_response:

  1. Authentication Error Response

If the request is invalid or unauthorized, the authorization server constructs the error response based on the error response defined in Section 5.2 of [RFC6749] with the following specific error codes:

  • access_denied - The resource owner or authorization server denied the request. HTTP Status Code: 403

Impact

This non-compliance may cause issues for:

  1. OAuth 2.0 clients that rely on proper HTTP status codes for error handling
  2. API gateways or middleware that route based on status codes
  3. Monitoring systems that track errors by status code
  4. OpenID certification compliance

References


Version

26.2.5

Regression

  • The issue is a regression

Expected behavior

When a CIBA authentication request is denied (e.g., user rejects the authentication request), the backchannel authentication endpoint should return:

  • HTTP Status Code: 403 Forbidden
  • Response Body:
 {
   "error": "access_denied",
   "error_description": "The resource owner or authorization server denied the request"
 }

Actual behavior

Keycloak returns:

  • HTTP Status Code: 400 Bad Request
  • Response Body:
  {
    "error": "access_denied",
    "error_description": "..."
  }

How to Reproduce?

  1. Configure Keycloak with CIBA enabled
  2. Send a backchannel authentication request to the /auth/realms/{realm}/protocol/openid-connect/ext/ciba/auth endpoint
  3. Have the end-user deny/reject the authentication request
  4. Observe the HTTP status code returned (currently 400 instead of 403)

Anything else?

No response

コントリビューターガイド