Skip to content

openid-connect flow is missing response type on language change #41292

New issue
New issue
Closed
bug
#43325
Closed
openid-connect flow is missing response type on language change#41292
bug
#43325
Assignees
mposolda
Labels
area/authenticationIndicates an issue on Authentication areahelp wantedkind/bugCategorizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.2.10release/26.4.1release/26.5.0status/bumped-by-botteam/core-clients
@CarlRivard

Description

@CarlRivard
CarlRivard
opened on Jul 21, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

We’re encountering an issue when two tabs are open:

In the first tab, the user is correctly authenticated with Client A.

In the second tab, additional validation is required to authenticate with Client B, which is expected behavior.

However, due to the multiple open tabs, Keycloak treats the second authentication as part of the OpenID Connect flow. When we try to change the language during this flow, Keycloak throws the following error:

2025-07-18 12:37:24,378 ERROR [org.keycloak.services] (executor-thread-165) KC-SERVICES0092: Missing parameter: response_type

The issue seems to be with the locale URL provided by Keycloak. Initially, it includes the correct response_type parameter, as shown here:

http://localhost:8080/realms/sqin/protocol/openid-connect/auth?client_id=some_client&redirect_uri=some_redirect_uri&response_type=code&scope=openid[...]

However, a subsequent redirection happens to another URL, and this second request is missing the response_type parameter:

http://localhost:8080/realms/sqin/protocol/openid-connect/auth?client_id=some_client&tab_id=oyan_6PBsJI&client_data=some_token&execution=89232e7c-cf9b-41d7-bbaf-48f5edbda730&kc_locale=en

Please note that when performing a regular login (login-actions) on a single tab without another client authenticated, Client B locale translation works as expected.

Version

26.1.3

Regression

  • The issue is a regression

Expected behavior

The response_type should be passed inside the locale redirection url in the openid-connect authorization flow.

Actual behavior

The response_type is not included inside the locale redirection url, which is throwing errors and cancelling the translation.

How to Reproduce?

Create client A and client B.

  • Add a different level of authentication (ACR) validation to client B, using a flow step that prevents SSO from automatically logging into client B after the user logs into client A.
  • Log in to client A.
  • Start the authentication flow for client B in a second tab. You will see the validation step in the OpenID Connect flow.
  • Try changing the language during the validation step in client B.

Anything else?

No response

Metadata

Metadata

Assignees

Labels

area/authenticationIndicates an issue on Authentication areahelp wantedkind/bugCategorizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.2.10release/26.4.1release/26.5.0status/bumped-by-botteam/core-clients

Type

bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions