From b97aad0938c4295137bf926e44d1623fa09ad0f3 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Thu, 14 Aug 2025 09:52:08 -0300
Subject: [PATCH] URL encode forwarded parameters

Closes #41755

Signed-off-by: Pedro Igor
---
 .../oidc/AbstractOAuth2IdentityProvider.java | 4 +++-
 .../KcOidcBrokerParameterForwardTest.java | 19 ++++++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
index 67a13658d7e..7a07697a3ca 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -96,6 +96,8 @@ import jakarta.ws.rs.core.UriBuilder;
 import jakarta.ws.rs.core.UriInfo;
 import java.io.IOException;
 import java.net.URI;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
@@ -554,7 +556,7 @@ public abstract class AbstractOAuth2IdentityProvider config = idp.getConfig();
 applyDefaultConfiguration(config, syncMode);
- config.put("forwardParameters", FORWARDED_PARAMETER +", " + PARAMETER_NOT_SET + ", " + OAuth2Constants.ACR_VALUES + ", " + OIDCLoginProtocol.CLAIMS_PARAM);
+ config.put("forwardParameters", FORWARDED_PARAMETER +", " + PARAMETER_NOT_SET + ", " + OAuth2Constants.ACR_VALUES + ", " + OIDCLoginProtocol.CLAIMS_PARAM + ",forwarded_encoded");
 return idp;
 }
 }
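Review bot: The two imports added to AbstractOAuth2IdentityProvider are only meaningful together with the call site that applies `URLEncoder.encode(value, StandardCharsets.UTF_8)` to forwarded parameters, and that call site (the remaining +1/-1 of this file in the diffstat) is outside this view, so the encoding itself cannot be checked here. Note that `URLEncoder` produces application/x-www-form-urlencoded output rather than RFC 3986 query encoding: a space becomes `+` instead of `%20`, and `%`, `+` and `&` in the original value are escaped. That is correct only if the encoded string is spliced into the authorization URL exactly once; if the result is afterwards handed to `UriBuilder.queryParam`, which encodes `%` again, the identity provider receives a double-encoded value and a forwarded `claims` JSON no longer parses on its side. I would add a comment at the call site such as `// Forwarded values are form-encoded exactly once here; do not pass the result through UriBuilder.queryParam, which re-encodes '%'`, and cover a value containing `%` and `+` in the test so a second encoding pass is caught.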
@@ -48,9 +50,15 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
 oauth.clientId("broker-app");
 loginPage.open(bc.consumerRealmName());
+ String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null}}";
+ String urlEncodedClaims = URLEncoder.encode(claimsValue, StandardCharsets.UTF_8);
+ String forwardedEncodedParam = "forwarded_encoded";
+ String forwardedEncodedParamValue = "encoded value";
+ String forwardedEncodedParamvalueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8);
 String queryString = "&" + FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE + "&" + PARAMETER_NOT_FORWARDED + "=" + "value" + "&" + OAuth2Constants.ACR_VALUES + "=" + "phr"
- + "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + "myclaims";
+ + "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims
+ + "&" + forwardedEncodedParam + "=" + forwardedEncodedParamValue;
 driver.navigate().to(driver.getCurrentUrl() + queryString);
 log.debug("Clicking social " + bc.getIDPAlias());
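Review bot: The new query string appends `forwardedEncodedParamValue` (`encoded value`, with a literal space) to the URL handed to `driver.navigate().to(...)`, although the encoded form `forwardedEncodedParamvalueEncoded` is computed just above it and not used in this hunk. What the consumer realm actually receives then depends on how the WebDriver normalizes an unencoded space in a query, so the expectation for this parameter rests on browser behavior rather than on the brokered request, while the `claims` parameter in the same statement is already sent encoded. I would send the encoded form the same way, `+ "&" + forwardedEncodedParam + "=" + forwardedEncodedParamvalueEncoded;`, and rename the local to `forwardedEncodedParamValueEncoded` for consistent camel case. The enclosing test method starts before this hunk.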
@@ -65,9 +73,10 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
 driver.getCurrentUrl(), containsString(FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE));
 assertThat(OAuth2Constants.ACR_VALUES + "=" + "phr" + " should be part of the url", driver.getCurrentUrl(), containsString(OAuth2Constants.ACR_VALUES + "=" + "phr"));
- assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + "myclaims" + " should be part of the url",
- driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + "myclaims"));
-
+ assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims + " should be part of the url",
+ driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims));
+ assertThat(forwardedEncodedParam + "=" + forwardedEncodedParamValue + "should be part of the url",
+ driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + URLEncoder.encode(forwardedEncodedParamvalueEncoded, StandardCharsets.UTF_8)));
 assertThat("\"" + PARAMETER_NOT_SET + "\"" + " should NOT be part of the url", driver.getCurrentUrl(), not(containsString(PARAMETER_NOT_SET)));