- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Done
- Affects Version/s: 3.4.1.CR1, 4.0.0.Final, 4.1.0.Final
- Fix Version/s: 4.2.0.Final
- Component/s: None
- Labels: None
- Docs QE Status: NEW
- QE Status: NEW
When Kerberos authentication is set to "Required", Keycloak returns wrong HTTP status during SPNEGO authentication.
Expected behavior
As far as I know, the typical steps of SPNEGO authentication are the following:
1. Client web browser does an HTTP GET for a resource.
2. Keycloak returns HTTP 401 (Unauthorized) status and the following header: "WWW-Authenticate: Negotiate".
...
Actual behavior
1. Client web browser does an HTTP GET for a resource.
2. Keycloak returns HTTP 400 (Bad request) status and the following header: "WWW-Authenticate: Negotiate".
3. Browser displays error page saying "Kerberos is not set up. You cannot login."
Supposed cause
I suppose this behavior was introduced in pull request #4687 (see diff).
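A small check for the expected-vs-actual behavior described above, as an added example that is not code from the Keycloak issue or from PR #4687: it classifies the first response of a SPNEGO exchange against RFC 4559 (HTTP 401 plus a "Negotiate" challenge, bare on the first round trip and carrying a base64 token afterwards), so a 400 with a Negotiate header is reported as a wrong status. Function and constant names are assumptions made for this example.

```python
import base64
import binascii
import re

# Added example (not Keycloak code): classify the first response of a SPNEGO
# exchange against RFC 4559, which expects HTTP 401 plus a Negotiate challenge.
# Split on commas that are not inside a quoted string (e.g. realm="a, b").
_CHALLENGE_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# A scheme token optionally followed by whitespace and its parameters/token.
_SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9_-]*)(?:\s+(.*))?$')

def parse_www_authenticate(value: str) -> list[tuple[str, str]]:
    """Return (scheme, parameters) pairs from a WWW-Authenticate value."""
    challenges: list[list[str]] = []
    for part in _CHALLENGE_SPLIT.split(value):
        part = part.strip()
        if not part:
            continue
        match = _SCHEME.match(part)
        if match:  # starts a new challenge, e.g. 'Negotiate' or 'Basic realm="x"'
            challenges.append([match.group(1), match.group(2) or ""])
        elif challenges:  # key=value continuation of the previous challenge
            challenges[-1][1] = f"{challenges[-1][1]}, {part}".strip(", ")
    return [(scheme, params) for scheme, params in challenges]

def classify_spnego_challenge(status: int, headers: dict[str, str]) -> str:
    """Classify a response: 'initial-challenge', 'continuation', or a defect."""
    value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if value is None:
        return "no-challenge"
    tokens = [p for s, p in parse_www_authenticate(value) if s.lower() == "negotiate"]
    if not tokens:
        return "no-negotiate-scheme"
    if status != 401:
        # The regression reported above: Negotiate on a 400 response, which a
        # client following RFC 4559 does not treat as a challenge to answer.
        return f"wrong-status-{status}"
    if not tokens[0]:
        return "initial-challenge"
    try:
        base64.b64decode(tokens[0], validate=True)  # GSS-API token must be base64
    except binascii.Error:
        return "malformed-token"
    return "continuation"

if __name__ == "__main__":
    # Constructed samples mirroring the expected (401) and actual (400) behavior.
    for status in (401, 400):
        print(status, classify_spnego_challenge(status, {"WWW-Authenticate": "Negotiate"}))
```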