Keycloak / KEYCLOAK-7823

Keycloak returns wrong HTTP status during SPNEGO authentication

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.4.1.CR1, 4.0.0.Final, 4.1.0.Final
    • Fix Version/s: 4.2.0.Final
    • Component/s: Services
    • Labels:
      None
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      When Kerberos authentication is set to "Required", Keycloak returns the wrong HTTP status during SPNEGO authentication.

      Expected behavior
      As far as I know, the typical steps of SPNEGO authentication are as follows:
      1. Client web browser does an HTTP GET for a resource.
      2. Keycloak returns HTTP 401 (Unauthorized) status and the following header: "WWW-Authenticate: Negotiate".
      ...

      Actual behavior
      1. Client web browser does an HTTP GET for a resource.
      2. Keycloak returns HTTP 400 (Bad Request) status and the following header: "WWW-Authenticate: Negotiate".
      3. Browser displays error page saying "Kerberos is not set up. You cannot login."

      Supposed cause
      I suppose this behavior was introduced in pull request #4687 (see diff).
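
A regression check for the behavior described in this report, as an added example (not Keycloak code and not written by the reporter): it parses a raw HTTP response head and reports whether a `WWW-Authenticate: Negotiate` challenge arrives with the expected 401 status or with another status such as the reported 400. The function names and the sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real server).
EXPECTED = ("HTTP/1.1 401 Unauthorized\r\n"
            "WWW-Authenticate: Negotiate\r\n"
            "Content-Type: text/html\r\n\r\n")
REPORTED = ("HTTP/1.1 400 Bad Request\r\n"
            "WWW-Authenticate: Negotiate\r\n"
            "Content-Type: text/html\r\n\r\n<html>...</html>")
# Negotiate listed after another scheme in the same header field.
MIXED = ("HTTP/1.1 401 Unauthorized\r\n"
         'www-authenticate: Basic realm="x", Negotiate\r\n\r\n')
# The word "negotiate" appears only inside a quoted realm: not a challenge.
BASIC_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Basic realm="a, negotiate b"\r\n\r\n')


def parse_head(raw):
    """Return (status_code, [(lowercased_name, value), ...]) for a raw response."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def offers_negotiate(headers):
    """True if any WWW-Authenticate challenge uses the Negotiate scheme."""
    for name, value in headers:
        if name != "www-authenticate":
            continue
        # Blank out quoted strings so commas or words inside a realm are ignored.
        unquoted = re.sub(r'"[^"]*"', '""', value)
        for challenge in unquoted.split(","):
            parts = challenge.split()
            if parts and parts[0].lower() == "negotiate":
                return True
    return False


def classify(raw):
    """Label a response: 'ok', 'negotiate-with-status-<code>' or 'no-negotiate'."""
    status, headers = parse_head(raw)
    if not offers_negotiate(headers):
        return "no-negotiate"
    return "ok" if status == 401 else "negotiate-with-status-%d" % status
```

Run against the first response of a login flow with Kerberos set to "Required", any label other than `ok` indicates the mismatch described in this issue.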


              • Assignee:
                Unassigned
                Reporter:
                flipp5b Daniil Filippov