Red Hat build of Keycloak: RHBK-3427

Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow


The optional login_hint parameter in the OIDC login URL is accepted without any size validation. When supplied with a long value, it is:

• Reflected into the email/username field on the login form
• Stored in the authentication session
• Serialized into the KC_RESTART cookie

If the resulting cookie exceeds the ~4096-byte browser limit, it is dropped or truncated by the browser. This breaks the login flow, resulting in:

• Blank 0-byte responses
• Intermittent redirect loops
• In some cases, HTTP 502 errors

This leads to unstable authentication behavior and increased backend load. The issue reflects uncontrolled input handling in a core login path, affecting reliability and availability.

See https://github.com/keycloak/keycloak/issues/40857 for the details.
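The following is an added, constructed Python model of the failure mode described above (an oversized login_hint carried into the restart cookie until the cookie passes the browser limit) together with a bounded-input mitigation and a log check a defender can run. It is not Keycloak's code: the JSON-plus-base64url cookie encoding stands in for the real signed token, and BROWSER_COOKIE_LIMIT, MAX_LOGIN_HINT_BYTES, the sample request parameters and the SAMPLE_LOG lines are all assumptions.

```python
"""Constructed model of how an unbounded login_hint can push the KC_RESTART
cookie past the ~4096-byte browser limit, plus a bounded-input mitigation.
Added example, not Keycloak's own code; encoding and constants are assumed."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

BROWSER_COOKIE_LIMIT = 4096   # assumed per-cookie budget, matching the ~4096-byte limit in the report
MAX_LOGIN_HINT_BYTES = 320    # assumed bound; generous for an email address or username

# Constructed sample inputs (not real requests or logs).
BASE_PARAMS = {"client_id": "example-app", "redirect_uri": "https://app.example.test/cb"}
NORMAL_HINT = "alice@example.test"
OVERSIZED_HINT = "a" * 6000
SAMPLE_LOG = [
    "GET /realms/demo/protocol/openid-connect/auth?client_id=example-app&login_hint=alice%40example.test 200",
    "GET /realms/demo/protocol/openid-connect/auth?client_id=example-app&login_hint=" + OVERSIZED_HINT + " 502",
]


def build_restart_cookie(auth_session):
    """Stand-in serialization: compact JSON, base64url without padding.
    The real KC_RESTART value is a signed token; this is only for size reasoning."""
    payload = json.dumps(auth_session, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")


def start_login(params, enforce_bound):
    """Simulate the start of the login flow: copy login_hint into the
    authentication session, serialize the session into the cookie, and
    report whether a browser with the assumed limit would keep the cookie."""
    hint = params.get("login_hint", "")
    if enforce_bound and len(hint.encode("utf-8")) > MAX_LOGIN_HINT_BYTES:
        # The hint is optional, so the safe choice is to ignore an oversized
        # value (no prefill) rather than let it reach the session and cookie.
        hint = ""
    auth_session = {
        "client_id": params["client_id"],
        "redirect_uri": params["redirect_uri"],
        "login_hint": hint,
        "auth_note": "constructed-session-state",
    }
    cookie_value = build_restart_cookie(auth_session)
    cookie_bytes = len("KC_RESTART=") + len(cookie_value)
    return {
        "cookie_bytes": cookie_bytes,
        "cookie_accepted": cookie_bytes <= BROWSER_COOKIE_LIMIT,
        "prefill": hint,  # what would be reflected into the username field
    }


def flag_oversized_hints(log_lines):
    """Return access-log lines ("METHOD PATH?QUERY STATUS") whose login_hint
    exceeds MAX_LOGIN_HINT_BYTES, so an operator can spot the pattern
    behind blank responses, redirect loops or 502s."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = urlsplit(parts[1]).query
        for hint in parse_qs(query).get("login_hint", []):
            if len(hint.encode("utf-8")) > MAX_LOGIN_HINT_BYTES:
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    for label, hint in (("normal", NORMAL_HINT), ("oversized", OVERSIZED_HINT)):
        for bounded in (False, True):
            result = start_login({**BASE_PARAMS, "login_hint": hint}, enforce_bound=bounded)
            print(f"{label:9} bounded={bounded!s:5} cookie_bytes={result['cookie_bytes']:5} "
                  f"accepted={result['cookie_accepted']}")
    print("flagged log lines:", len(flag_oversized_hints(SAMPLE_LOG)))
```

With the bound disabled, the oversized hint alone makes the serialized cookie far larger than the budget, which is the state the report describes; with the bound enforced the cookie stays small and the login form simply gets no prefill. The log check is the detection side of the same bound: it matches on the request, not on the downstream symptom.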

mposolda@redhat.com Marek Posolda