Fixing encoding of forwarded parameters

Closes #44125 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-12-17 04:24:48 -06:00 · 2025-11-14 11:33:05 -03:00
parent fd99aa6244
commit d4f9a09236
2 changed files with 20 additions and 13 deletions
--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -531,8 +531,6 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
            uriBuilder.queryParam(OAuth2Constants.PROMPT, prompt);
        }

-        setForwardParameters(authenticationSession, uriBuilder);
-
        if (getConfig().isPkceEnabled()) {
            String codeVerifier = PkceUtils.generateCodeVerifier();
            String codeChallengeMethod = getConfig().getPkceMethod();
@@ -544,26 +542,35 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
            uriBuilder.queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, codeChallengeMethod);
        }

+        appendForwardedParameters(authenticationSession, uriBuilder);
+
        return uriBuilder;
    }

-    private void setForwardParameters(AuthenticationSessionModel authenticationSession, UriBuilder uriBuilder) {
+    private void appendForwardedParameters(AuthenticationSessionModel authenticationSession, UriBuilder uriBuilder) {
        C config = getConfig();
        String forwardParameterConfig = config.getForwardParameters() != null ? config.getForwardParameters(): OAuth2Constants.ACR_VALUES;
+        List<String> parameterNames = List.of(forwardParameterConfig.split("\\s*,\\s*"));
+        StringBuilder query = new StringBuilder(uriBuilder.build().getRawQuery());

-        for (String forwardParameter: List.of(forwardParameterConfig.split("\\s*,\\s*"))) {
-            String name = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + forwardParameter.trim();
-            String parameter = authenticationSession.getClientNote(name);
+        for (String name: parameterNames) {
+            String noteKey = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + name.trim();
+            String value = authenticationSession.getClientNote(noteKey);

-            if (parameter == null) {
+            if (value == null) {
                // try a value set as a client note
-                parameter = authenticationSession.getClientNote(forwardParameter);
+                value = authenticationSession.getClientNote(name);
            }

-            if (parameter != null && !parameter.isEmpty()) {
-                uriBuilder.queryParam(forwardParameter, parameter);
+            if (value != null && !value.isEmpty()) {
+                if (!query.isEmpty()) {
+                    query.append("&");
+                }
+                query.append(name).append("=").append(URLEncoder.encode(value, StandardCharsets.UTF_8));
            }
        }
+
+        uriBuilder.replaceQuery(query.toString());
    }

    /**
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerParameterForwardTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerParameterForwardTest.java
@@ -51,11 +51,11 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
        oauth.clientId("broker-app");
        loginPage.open(bc.consumerRealmName());

-        String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null}}";
+        String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null,\"spaced_value\":\"with space\"}}";
        String urlEncodedClaims = URLEncoder.encode(claimsValue, StandardCharsets.UTF_8);
        String forwardedEncodedParam = "forwarded_encoded";
        String forwardedEncodedParamValue = "encoded value";
-        String forwardedEncodedParamvalueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8);
+        String forwardedEncodedParamValueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8);
        String queryString = "&" + FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE + "&" + PARAMETER_NOT_FORWARDED + "=" + "value"
                + "&" + OAuth2Constants.ACR_VALUES + "=" + "phr"
                + "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims
@@ -77,7 +77,7 @@ public class KcOidcBrokerParameterForwardTest extends AbstractBrokerTest {
        assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims + " should be part of the url",
                driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims));
        assertThat(forwardedEncodedParam + "=" + forwardedEncodedParamValue +  "should be part of the url",
-                driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + URLEncoder.encode(forwardedEncodedParamvalueEncoded, StandardCharsets.UTF_8)));
+                driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + forwardedEncodedParamValueEncoded));
        assertThat("\"" + PARAMETER_NOT_SET + "\"" + " should NOT be part of the url",
                driver.getCurrentUrl(), not(containsString(PARAMETER_NOT_SET)));