+
Skip to content

Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does #43269

New issue
New issue
Closed
bug
#43281
Closed
Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does#43269
bug
#43281
Assignees
thomasdarimont
Labels
area/oidcIndicates an issue on OIDC areakind/bugCategorizes a PR related to a bugpriority/blockerHighest Priority. Has a deadline and it blocks other tasksrelease/26.4.1release/26.5.0team/core-clients
Milestone
26.5.0
@tnorimat

Description

@tnorimat
tnorimat
opened on Oct 7, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

When a client using private_key_jwt as its client authentication method send a token request without Client Assertion, Keycloak 26.4.0 returns a error response, but this response is different from the one by Keycloak 26.3.

Due to this issue, Keycloak 26.4.0 cannot pass OIDF conformance tests while Keycloak 26.3 can pass.

Version

26.4.0

Regression

  • The issue is a regression

Expected behavior

Keycloak 26.3.5 can pass this OIDF conformance test, therefore, the following token response from the token endpoint of Keycloak 26.3.5 is a right response:

response_status_code: 400 BAD_REQUEST
response_status_text: Bad Request
response_body:
{"error":"invalid_client","error_description":"Parameter client_assertion_type is missing"}

Actual behavior

Keycloak 26.4.0 cannot this OIDF conformance test. The token response from Keycloak 26.4.0 is as follows:

response_status_code: 400 BAD_REQUEST
response_status_text: Bad Request
response_body:
{"error":"unauthorized_client","error_description":"Unexpected error when authenticating client"}

How to Reproduce?

  1. As a client authentication method, private_key_jwt is set to a client.
  2. This client send a token request without Client Assertion (instead, adding client_id parameter) to a token endpoint of Keycloak.

Anything else?

The error response is changed, so it might be considered as breaking change.

Due to this issue Keycloak 26.4.0 cannot pass the following OIDF conformance testing:

  • FAPI 1.0 Advanced Final (w/ private_key_jwt as client authentication method)
  • FAPI 2.0 Security Profile Final (w/ private_key_jwt as client authentication method))
  • FAPI 2.0 Message Signing Final (w/ private_key_jwt as client authentication method)
  • FAPI 2.0 Security Profile Implementer’s Draft version 2 (w/ private_key_jwt as client authentication method)
  • FAPI 2.0 Message Signing Implementer’s Draft version 1 (w/ private_key_jwt as client authentication method)
  • FAPI-CIBA (w/ private_key_jwt as client authentication method)
  • UK Open Banking (w/ private_key_jwt as client authentication method)
  • Australia Consumer Data Right (w/ private_key_jwt as client authentication method)
  • Open Finance Brazil (w/ private_key_jwt as client authentication method)

Metadata

Metadata

Assignees

Labels

area/oidcIndicates an issue on OIDC areakind/bugCategorizes a PR related to a bugpriority/blockerHighest Priority. Has a deadline and it blocks other tasksrelease/26.4.1release/26.5.0team/core-clients

Type

bug

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载