URL encode forwarded parameters

Closes #41755

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Pedro Igor
2025-08-14 09:52:08 -03:00
committed by Marek Posolda
parent b7aaf80433
commit b97aad0938
2 changed files with 17 additions and 6 deletions


@@ -96,6 +96,8 @@ import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
@@ -554,7 +556,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
}
if (parameter != null && !parameter.isEmpty()) {
uriBuilder.queryParam(forwardParameter, parameter);
uriBuilder.queryParam(forwardParameter, URLEncoder.encode(parameter, StandardCharsets.UTF_8));
}
}
}
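Review bot: The value passed on the `uriBuilder.queryParam(forwardParameter, URLEncoder.encode(parameter, StandardCharsets.UTF_8));` line is form-encoded, so a space in a forwarded value becomes `+`, and the updated test in KcOidcBrokerParameterForwardTest (`containsString(forwardedEncodedParam + "=" + URLEncoder.encode(forwardedEncodedParamvalueEncoded, ...))`) shows the builder then percent-encodes that `+` to `%2B`; the identity provider will decode `forwarded_encoded=encoded%2Bvalue` to `encoded+value`, not the `encoded value` the client sent. If the goal is only to stop client-supplied `%XX` sequences from being treated as already-encoded escapes by the builder, consider `URLEncoder.encode(parameter, StandardCharsets.UTF_8).replace("+", "%20")` so spaces survive the round trip. Either way the line deserves a why-comment, e.g. `// pre-encode so '%' in client-supplied values is not taken as an existing escape sequence by UriBuilder`, and since whether UriBuilder preserves `%XX` escapes is implementation-dependent the comment should name the behaviour relied on. The enclosing method starts outside the hunk.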


@@ -8,6 +8,8 @@ import static org.keycloak.testsuite.broker.BrokerTestConstants.IDP_OIDC_PROVIDE
import static org.keycloak.testsuite.broker.BrokerTestTools.createIdentityProvider;
import static org.keycloak.testsuite.broker.BrokerTestTools.waitForPage;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
@@ -38,7 +40,7 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
IdentityProviderRepresentation idp = createIdentityProvider(IDP_OIDC_ALIAS, IDP_OIDC_PROVIDER_ID);
Map<String, String> config = idp.getConfig();
applyDefaultConfiguration(config, syncMode);
config.put("forwardParameters", FORWARDED_PARAMETER +", " + PARAMETER_NOT_SET + ", " + OAuth2Constants.ACR_VALUES + ", " + OIDCLoginProtocol.CLAIMS_PARAM);
config.put("forwardParameters", FORWARDED_PARAMETER +", " + PARAMETER_NOT_SET + ", " + OAuth2Constants.ACR_VALUES + ", " + OIDCLoginProtocol.CLAIMS_PARAM + ",forwarded_encoded");
return idp;
}
}
@@ -48,9 +50,15 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null}}";
String urlEncodedClaims = URLEncoder.encode(claimsValue, StandardCharsets.UTF_8);
String forwardedEncodedParam = "forwarded_encoded";
String forwardedEncodedParamValue = "encoded value";
String forwardedEncodedParamvalueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8);
String queryString = "&" + FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE + "&" + PARAMETER_NOT_FORWARDED + "=" + "value"
+ "&" + OAuth2Constants.ACR_VALUES + "=" + "phr"
+ "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + "myclaims";
+ "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims
+ "&" + forwardedEncodedParam + "=" + forwardedEncodedParamValue;
driver.navigate().to(driver.getCurrentUrl() + queryString);
log.debug("Clicking social " + bc.getIDPAlias());
@@ -65,9 +73,10 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
driver.getCurrentUrl(), containsString(FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE));
assertThat(OAuth2Constants.ACR_VALUES + "=" + "phr" + " should be part of the url",
driver.getCurrentUrl(), containsString(OAuth2Constants.ACR_VALUES + "=" + "phr"));
assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + "myclaims" + " should be part of the url",
driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + "myclaims"));
assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims + " should be part of the url",
driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims));
assertThat(forwardedEncodedParam + "=" + forwardedEncodedParamValue + "should be part of the url",
driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + URLEncoder.encode(forwardedEncodedParamvalueEncoded, StandardCharsets.UTF_8)));
assertThat("\"" + PARAMETER_NOT_SET + "\"" + " should NOT be part of the url",
driver.getCurrentUrl(), not(containsString(PARAMETER_NOT_SET)));
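Review bot: The assertion on the `containsString(forwardedEncodedParam + "=" + URLEncoder.encode(forwardedEncodedParamvalueEncoded, StandardCharsets.UTF_8))` line encodes an already-encoded value, turning `encoded+value` into `encoded%2Bvalue`, so the test pins a double encoding of the space rather than the value the client sent; if that is intended, say so with a comment such as `// UriBuilder percent-encodes the '+' produced by URLEncoder, so the redirect carries encoded%2Bvalue`, otherwise the expectation should be `URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8)` (or a `%20` form) and the provider adjusted to match. The message on the preceding line is missing its separator, `forwardedEncodedParam + "=" + forwardedEncodedParamValue + " should be part of the url"`, and the local `forwardedEncodedParamvalueEncoded` declared in the earlier hunk of this file should be `forwardedEncodedParamValueEncoded` for consistency with `forwardedEncodedParamValue`. The test method continues past the end of the hunk.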