keycloak/keycloak

Identity provider broker callback returns HTTP 502 for client-side input validation failures (missing state, missing code)

Open

#49257 opened on May 22, 2026

Labels: area/identity-brokering, help wanted, kind/bug, priority/low, status/auto-bump, status/auto-expire, team/core-iam

Description

Area

identity-brokering

Describe the bug

When the OAuth2 broker callback endpoint (/realms/{realm}/broker/{alias}/endpoint) receives a request with a missing or unverifiable state parameter, or with neither code nor error present, Keycloak responds with HTTP 502 Bad Gateway.

Per RFC 9110, 502 means "the server, while acting as a gateway or proxy, received an invalid response from an inbound server". That is not what's happening here — Keycloak hasn't talked to the upstream IdP yet (or in the missing-state case, has no way to know which IdP to talk to). The failure is input validation on the incoming request from the user agent, which should be a 4xx (e.g. 400 Bad Request).

Affected code

services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java

private Response errorIdentityProviderLogin(String message) {
    event.event(EventType.IDENTITY_PROVIDER_LOGIN);
    event.error(Errors.IDENTITY_PROVIDER_LOGIN_FAILURE);
    return ErrorPage.error(session, null, Response.Status.BAD_GATEWAY, message);
}

This helper is called from six sites inside Endpoint.authResponse(...). The six sites split into two semantic groups:

| Line | Trigger | Cause | Correct status |
| --- | --- | --- | --- |
| 716 | state == null | Client-side / user-agent | 400 Bad Request |
| 739 | No code and no error in callback | Client-side / user-agent | 400 Bad Request |
| 752 | Token endpoint returned non-2xx | Upstream IdP failure | 502 (correct) |
| 772 | IdentityBrokerException with message code | Usually upstream | 502 (defensible) |
| 775 | Generic IdentityBrokerException | Usually upstream | 502 (defensible) |
| 778 | Generic Exception | Unknown, could be either | 500 Internal Server Error |

The single helper conflates different failure modes under one status code.

Version

26.5.6

Regression

  • The issue is a regression

Expected behavior

  • Input validation failures should return 400 Bad Request.
  • Upstream-IdP failures should continue to return 502 Bad Gateway.
  • Unexpected/unhandled exceptions should return 500 Internal Server Error.

Actual behavior

  • Input validation failures return 502 Bad Gateway.

How to Reproduce?

  1. Configure any OIDC identity provider in a realm (alias = google, for example).
  2. Issue a request directly to the broker callback endpoint without going through the login flow:
  curl -i "https://<keycloak-host>/realms/<realm>/broker/<alias>/endpoint?code=foo"

Keycloak's broker callback receives the request, finds no valid state cookie/parameter binding, and returns:

  HTTP/1.1 502 Bad Gateway

Anything else?

No response
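One way the split described under "Expected behavior" could look in code, as an added illustration that is not a Keycloak patch: it reuses the helper and identifiers shown in the issue (event, session, ErrorPage, Errors, EventType, IdentityBrokerException), assumes the field types EventBuilder and KeycloakSession, and uses a hypothetical exchangeCodeForToken(...) in place of the real token-endpoint call; the handling of a non-null error parameter in the real endpoint is left out.

```java
import jakarta.ws.rs.core.Response;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.ErrorPage;

// Illustrative sketch only (not a Keycloak patch): the single helper from the
// issue, with the HTTP status chosen by the caller instead of hard-coded.
abstract class BrokerCallbackSketch {
    protected KeycloakSession session;   // field type assumed from the original class
    protected EventBuilder event;        // field type assumed from the original class

    // Hypothetical stand-in for the token-endpoint exchange; returns the
    // upstream IdP's HTTP status code.
    protected abstract int exchangeCodeForToken(String code) throws IdentityBrokerException;

    // Same event logging as the original helper; only the status is now a parameter.
    private Response errorIdentityProviderLogin(Response.Status status, String message) {
        event.event(EventType.IDENTITY_PROVIDER_LOGIN);
        event.error(Errors.IDENTITY_PROVIDER_LOGIN_FAILURE);
        return ErrorPage.error(session, null, status, message);
    }

    // Mirrors the six call sites from the issue, grouped by where the fault lies.
    public Response authResponse(String state, String code, String error) {
        // Lines 716 and 739: the user agent sent an incomplete callback; no
        // upstream request has been made yet, so this is a client-side error.
        if (state == null) {
            return errorIdentityProviderLogin(Response.Status.BAD_REQUEST, "Missing state parameter");
        }
        if (code == null && error == null) {
            return errorIdentityProviderLogin(Response.Status.BAD_REQUEST, "Missing code or error parameter");
        }
        try {
            // Line 752: the upstream IdP answered the token request with a non-2xx status.
            int upstreamStatus = exchangeCodeForToken(code);
            if (upstreamStatus < 200 || upstreamStatus >= 300) {
                return errorIdentityProviderLogin(Response.Status.BAD_GATEWAY, "Token endpoint returned " + upstreamStatus);
            }
            return Response.ok().build();
        } catch (IdentityBrokerException e) {
            // Lines 772 and 775: broker-level failures, usually on the upstream side.
            return errorIdentityProviderLogin(Response.Status.BAD_GATEWAY, e.getMessage());
        } catch (Exception e) {
            // Line 778: cause unknown; report a server error rather than blaming the IdP.
            return errorIdentityProviderLogin(Response.Status.INTERNAL_SERVER_ERROR, "Unexpected error");
        }
    }
}
```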
