On a new instance, I setup OIDC with Keycloak, and I cannot login. Is there any package that I should use to debug ?
I tried to increase the log level of com.atlassian.plugins.authentication.sso but I did not have any information more than this log :
2026-02-09 12:44:58,794+0000 http-nio-8080-exec-7 url: /plugins/servlet/oidc/callback ERROR anonymous 764x1018142x1 zch5oj 10.244.208.192,10.252.0.20 /plugins/servlet/oidc/callback [c.a.p.a.s.web.filt2026-02-09 12:44:58,794+0000 http-nio-8080-exec-7 url: /plugins/servlet/oidc/callback ERROR anonymous 764x1018142x1 zch5oj 10.244.208.192,10.252.0.20 /plugins/servlet/oidc/callback [c.a.p.a.s.web.filter.ErrorHandlingFilter] [UUID: 3bc669a0-302f-451e-aa69-b2aba297cd01] Unknown state in response
com.atlassian.plugins.authentication.sso.web.usercontext.AuthenticationFailedException: Unknown state in response
at com.atlassian.plugins.authentication.sso.web.oidc.OidcConsumerServlet.lambda$doGet$0(OidcConsumerServlet.java:113)
at java.base/java.util.Optional.orElseThrow(Optional.java:403)
at com.atlassian.plugins.authentication.sso.web.oidc.OidcConsumerServlet.doGet(OidcConsumerServlet.java:113)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:529)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:49)
at com.atlassian.jira.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
... 48 filtered
Increasing the HTTP log, I was able to trace the error :
10.252.0.34 o917x1031183x1 - [09/Feb/2026:15:17:39 +0000] "GET https://demo-jirasm-dev.cloud.example.com/plugins/servlet/oidc/callback HTTP/1.1" 400 893 0.0350 - "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0" "lzi0s5"
___ Request _____________________________________________________
Request URL Parameters :
state=PAlmhPP9hjvfC2mTfBTSONA5WvhMrkq4W6GhWlaB7kM
session_state=b6cb0f41-9690-4a55-afb0-68828ba77e91
iss=https://keycloak.example.com/realms/development
code=b1d11c5a-a784-492a-8de5-1a2f563d7ea0.b6cb0f41-9690-4a55-afb0-68828ba77e91.0716fd7e-e11f-4683-a389-d9bdb5972e17
Request HTTP Headers :
host=demo-jirasm-dev.cloud.example.com
x-request-id=f56eea5ed2794d0c40e9e33a7f03b0d7
x-real-ip=aa.bb.cc.dd
x-forwarded-for=aa.bb.cc.dd
x-forwarded-host=demo-jirasm-dev.cloud.example.com
x-forwarded-port=80
x-forwarded-proto=http
x-forwarded-scheme=http
x-scheme=http
x-original-forwarded-for=ee.ff.gg.hh
user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language=en-US,en;q=0.9
accept-encoding=gzip, deflate, br, zstd
cookie=apt.uid=AP-YFGMCGUNNIFB-2-1761236851856-64929651.0.2.6b933aba-006b-4c12-b4b5-a0ddc2adfcf4; _ga_0C4M1PWYZ7=GS2.1.s1768898063$o12$g0$t1768898064$j59$l0$h0; _ga=GA1.1.1889413738.1761236852; _ga_T11SF3WXX2=GS2.1.s1768898064$o12$g0$t1768898064$j60$l0$h0; _ga_K2SPJK2C73=GS2.1.s1768898064$o12$g0$t1768898064$j60$l0$h0
upgrade-insecure-requests=1
sec-fetch-dest=document
sec-fetch-mode=navigate
sec-fetch-site=cross-site
priority=u=0, i
Request Cookies :
apt.uid=AP-YFGMCGUNNIFB-2-1761236851856-64929651.0.2.6b933aba-006b-4c12-b4b5-a0ddc2adfcf4 path:null domain:null version:0 maxAge:-1
_ga_0C4M1PWYZ7=GS2.1.s1768898063$o12$g0$t1768898064$j59$l0$h0 path:null domain:null version:0 maxAge:-1
_ga=GA1.1.1889413738.1761236852 path:null domain:null version:0 maxAge:-1
_ga_T11SF3WXX2=GS2.1.s1768898064$o12$g0$t1768898064$j60$l0$h0 path:null domain:null version:0 maxAge:-1
_ga_K2SPJK2C73=GS2.1.s1768898064$o12$g0$t1768898064$j60$l0$h0 path:null domain:null version:0 maxAge:-1
Request Attributes :
com.atlassian.jira.web.filters.pagebuilder.PageBuilderFilter_alreadyfiltered=true
com.opensymphony.sitemesh.APPLIED_ONCE=true
com.atlassian.jira.web.filters.accesslog.AccessLogFilter_already_filtered=true
atlassian.core.seraph.original.url=/plugins/servlet/oidc/callback?state=PAlmhPP9hjvfC2mTfBTSONA5WvhMrkq4W6GhWlaB7kM&session_state=b6cb0f41-9690-4a55-afb0-68828ba77e91&iss=https%3A%2F%2Fkeycloak.example.com%2Frealms%2Fdevelopment&code=b1d11c5a-a784-492a-8de5-1a2f563d7ea0.b6cb0f41-9690-4a55-afb0-68828ba77e91.0716fd7e-e11f-4683-a389-d9bdb5972e17
com.atlassian.labs.botkiller.BotKillerFilter=true
com.atlassian.gzipfilter.GzipFilter_already_filtered=true
com.newrelic.agent.TRANSACTION_NAME=/plugins/servlet/oidc/*
jira.request.assession.id=lzi0s5
com.atlassian.jira.security.xsrf.XsrfTokenAdditionRequestFilter_already_filtered=true
page.builder=com.atlassian.jira.web.pagebuilder.DefaultPageBuilder@6a5c00fe
jira.request.id=917x1031183x1
sanitized.query=?state=PAlmhPP9hjvfC2mTfBTSONA5WvhMrkq4W6GhWlaB7kM&session_state=b6cb0f41-9690-4a55-afb0-68828ba77e91&iss=https%3A%2F%2Fkeycloak.example.com%2Frealms%2Fdevelopment&code=b1d11c5a-a784-492a-8de5-1a2f563d7ea0.b6cb0f41-9690-4a55-afb0-68828ba77e91.0716fd7e-e11f-4683-a389-d9bdb5972e17
sitemesh.secondaryStorageLimit=-1
jira.xsrf.set.cookie.pending=BMUS-OFAA-5DJ8-XOAE_127e2a6b47835892ca51f684f3085f1417ef097c_lout
jira.request.start.millis=1770650259012
jira.webwork.cleanup=false
com.atlassian.jira.web.filters.johnson.JiraJohnson503Filter_already_filtered=true
com.atlassian.jira.web.filters.JiraFirstFilter_alreadyfiltered=true
com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter=true
B3-TraceId=55aab8e3fa4624
loginfilter.already.filtered=true
com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter=true
com.atlassian.core.filters.HeaderSanitisingFilter_already_filtered=true
com.atlassian.jira.web.filters.JiraPostEncodingFilter_alreadyfiltered=true
os_securityfilter_already_filtered=true
com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter=true
Request Data (0 bytes).
___ Response ____________________________________________________
Response HTTP Headers :
X-AUSERNAME=anonymous
Referrer-Policy=origin-when-cross-origin
Response Data (total 893 bytes) :
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><meta name="decorator" content="atl.general"/><parameter name="show-main-header" value="false"/><title>We had trouble logging you in.</title><script></script></head><body class=""><!-- For a normal page, omit all 'aui-page-' classes here --><div class="without-upper-space aui-page-panel content-body aui"><div class="aui-page-panel-inner"><section id="error-section" class="aui-page-panel-content"><img id="error-img" src="/s/k3lm0w/10040002/1bqcfwe/5.1.14/_/download/resources/com.atlassian.plugins.authentication.atlassian-authentication-plugin:templates/error" width="75" alt="Error"/><h2>We can't log you in right now</h2><p>Please contact your administrator. Give them this error identifier:</p><p><span id="error-uuid">312f978e-257d-46bc-955d-d2a852c81fe2</p></section></div></div></body></html></span>
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.