Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authorization-services
Describe the bug
When a login request is made without a response_type parameter, the checker.checkResponseType() function in AuthorizationEndpoint.java at line 158 returns a redirectErrorToClient with QueryRedirectUriBuilder as the response mode.
In this scenario, the "invalid request" error is redirected to the client without a "Cache-Control" header. Consequently, when using CloudFront with default cache settings, the response is cached because the "Cache-Control" header is absent. Subsequent requests to the login endpoint then receive the same "invalid request" response.
This is a problem because the login endpoint is dynamic content and needs to respond in real time. Like the token refresh and user info endpoints, it should carry a no-cache annotation to prevent caching.
Version
21.1
Regression
- The issue is a regression
Expected behavior
When a login request is made without a response_type parameter, redirectErrorToClient with QueryRedirectUriBuilder as the response mode should redirect the "invalid request" error, and a Cache-Control header with a no-cache value should be added to the response headers.
Actual behavior
When a login request is made without a response_type parameter, redirectErrorToClient with QueryRedirectUriBuilder as the response mode redirects the "invalid request" error to the client with no Cache-Control header. So when using CloudFront with default cache settings, subsequent requests to the login endpoint receive the same "invalid request" response.
How to Reproduce?
Add a caching policy to CloudFront for the Keycloak server (Default TTL: set to your preferred value, e.g. 600 seconds).
Make a (code grant) login request with the preferred client_id but without a response_type parameter.
Then make a login request with the response_type parameter provided.
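A way to check the header behaviour described above without a CloudFront distribution: the following is an added example (not Keycloak's code) that models a shared cache's freshness decision for a response. It assumes the simplified rules the report relies on: no-cache, no-store or private means the response is not stored; an explicit s-maxage or max-age is honoured; and a response with no freshness directive at all is kept for the cache's configured default TTL. The two redirect responses are constructed, not captured from a server.

```python
"""Model a shared-cache (CloudFront-style) freshness decision for an OAuth error redirect."""


def cache_control_directives(headers):
    """Parse the Cache-Control value into {directive: value-or-None}, names lower-cased.

    Header lookup is case-insensitive because HTTP header names are."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    directives = {}
    for part in raw.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def effective_ttl(headers, default_ttl):
    """Seconds a shared cache would keep this response; 0 means it is not stored.

    Simplified model (assumption, not CloudFront's exact algorithm):
      - no-store, no-cache or private -> not stored
      - s-maxage takes precedence over max-age when present
      - no freshness directive at all -> the cache's configured default TTL"""
    directives = cache_control_directives(headers)
    if {"no-store", "no-cache", "private"} & directives.keys():
        return 0
    for name in ("s-maxage", "max-age"):
        value = directives.get(name)
        if value is not None and value.isdigit():
            return int(value)
    return default_ttl


# Constructed sample responses. BUGGY_REDIRECT mirrors the report: an
# "invalid request" redirect to the client with no Cache-Control header.
BUGGY_REDIRECT = {
    "Location": "https://client.example/callback?error=invalid_request",
    "Content-Length": "0",
}
# FIXED_REDIRECT is what the report asks for: the same redirect marked no-cache.
FIXED_REDIRECT = dict(BUGGY_REDIRECT, **{
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
})

if __name__ == "__main__":
    # With a 600 second default TTL the buggy redirect is stored; the fixed one is not.
    print("buggy:", effective_ttl(BUGGY_REDIRECT, 600), "fixed:", effective_ttl(FIXED_REDIRECT, 600))
```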
Anything else?
No response