Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

When a client using private_key_jwt as its client authentication method sends a CIBA backchannel authentication request without Client Assertion, Keycloak 26.4.0 returns a error response, but this response is different from the one by Keycloak 26.3.

Due to this issue, Keycloak 26.4.0 cannot pass OIDF conformance tests while Keycloak 26.3 can pass.

Version

26.4.0

Regression

• The issue is a regression

Expected behavior

Keycloak 26.3.5 can pass this OIDF conformance test, therefore, the following token response from the token endpoint of Keycloak 26.3.5 is a right response:

response_status_code: 401 UNAUTHORIZED
response_status_text: Unauthorized
response_body:
{"error":"invalid_client","error_description":"Parameter client_assertion_type is missing"}

Actual behavior

Keycloak 26.4.0 cannot this OIDF conformance test. The token response from Keycloak 26.4.0 is as follows:

response_status_code: 401 UNAUTHORIZED
response_status_text: Unauthorized
response_body:
{"error":"unauthorized_client","error_description":"Unexpected error when authenticating client"}

How to Reproduce?

1. As a client authentication method, private_key_jwt is set to a client.
2. This client sends a CIBA’s backchannel authentication request without Client Assertion (instead, adding client_id parameter) to a CIBA’s backchannel authentication endpoint of Keycloak.

Anything else?

The error response is changed, so it might be considered as breaking change.

Due to this issue Keycloak 26.4.0 cannot pass the following OIDF conformance testing:

• FAPI-CIBA (w/ private_key_jwt as client authentication method)