mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2025-12-17 04:24:48 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fixing encoding of forwarded parameters

Browse Source 
Closes #44125

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor
2025-11-14 11:33:05 -03:00
parent fd99aa6244
commit d4f9a09236
2 changed files with 20 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
View File

@@ -531,8 +531,6 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
uriBuilder.queryParam(OAuth2Constants.PROMPT, prompt); uriBuilder.queryParam(OAuth2Constants.PROMPT, prompt);
} }
setForwardParameters(authenticationSession, uriBuilder);
if (getConfig().isPkceEnabled()) { if (getConfig().isPkceEnabled()) {
String codeVerifier = PkceUtils.generateCodeVerifier(); String codeVerifier = PkceUtils.generateCodeVerifier();
String codeChallengeMethod = getConfig().getPkceMethod(); String codeChallengeMethod = getConfig().getPkceMethod();
@@ -544,26 +542,35 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
uriBuilder.queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, codeChallengeMethod); uriBuilder.queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, codeChallengeMethod);
} }
appendForwardedParameters(authenticationSession, uriBuilder);
return uriBuilder; return uriBuilder;
} }
private void setForwardParameters(AuthenticationSessionModel authenticationSession, UriBuilder uriBuilder) { private void appendForwardedParameters(AuthenticationSessionModel authenticationSession, UriBuilder uriBuilder) {
C config = getConfig(); C config = getConfig();
String forwardParameterConfig = config.getForwardParameters() != null ? config.getForwardParameters(): OAuth2Constants.ACR_VALUES; String forwardParameterConfig = config.getForwardParameters() != null ? config.getForwardParameters(): OAuth2Constants.ACR_VALUES;
List<String> parameterNames = List.of(forwardParameterConfig.split("\\s*,\\s*"));
StringBuilder query = new StringBuilder(uriBuilder.build().getRawQuery());
for (String forwardParameter: List.of(forwardParameterConfig.split("\\s*,\\s*"))) { for (String name: parameterNames) {
String name = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + forwardParameter.trim(); String noteKey = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + name.trim();
String parameter = authenticationSession.getClientNote(name); String value = authenticationSession.getClientNote(noteKey);
if (parameter == null) { if (value == null) {
// try a value set as a client note // try a value set as a client note
parameter = authenticationSession.getClientNote(forwardParameter); value = authenticationSession.getClientNote(name);
} }
if (parameter != null && !parameter.isEmpty()) { if (value != null && !value.isEmpty()) {
uriBuilder.queryParam(forwardParameter, parameter); if (!query.isEmpty()) {
query.append("&");
}
query.append(name).append("=").append(URLEncoder.encode(value, StandardCharsets.UTF_8));
} }
} }
uriBuilder.replaceQuery(query.toString());
} }
/** /**

6
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerParameterForwardTest.java
View File

@@ -51,11 +51,11 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
oauth.clientId("broker-app"); oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName()); loginPage.open(bc.consumerRealmName());
String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null}}"; String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null,\"spaced_value\":\"with space\"}}";
String urlEncodedClaims = URLEncoder.encode(claimsValue, StandardCharsets.UTF_8); String urlEncodedClaims = URLEncoder.encode(claimsValue, StandardCharsets.UTF_8);
String forwardedEncodedParam = "forwarded_encoded"; String forwardedEncodedParam = "forwarded_encoded";
String forwardedEncodedParamValue = "encoded value"; String forwardedEncodedParamValue = "encoded value";
String forwardedEncodedParamvalueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8); String forwardedEncodedParamValueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8);
String queryString = "&" + FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE + "&" + PARAMETER_NOT_FORWARDED + "=" + "value" String queryString = "&" + FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE + "&" + PARAMETER_NOT_FORWARDED + "=" + "value"
+ "&" + OAuth2Constants.ACR_VALUES + "=" + "phr" + "&" + OAuth2Constants.ACR_VALUES + "=" + "phr"
+ "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims + "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims
@@ -77,7 +77,7 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims + " should be part of the url", assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims + " should be part of the url",
driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims)); driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims));
assertThat(forwardedEncodedParam + "=" + forwardedEncodedParamValue + "should be part of the url", assertThat(forwardedEncodedParam + "=" + forwardedEncodedParamValue + "should be part of the url",
driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + URLEncoder.encode(forwardedEncodedParamvalueEncoded, StandardCharsets.UTF_8))); driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + forwardedEncodedParamValueEncoded));
assertThat("\"" + PARAMETER_NOT_SET + "\"" + " should NOT be part of the url", assertThat("\"" + PARAMETER_NOT_SET + "\"" + " should NOT be part of the url",
driver.getCurrentUrl(), not(containsString(PARAMETER_NOT_SET))); driver.getCurrentUrl(), not(containsString(PARAMETER_NOT_SET)));