Fix OIDC IDP broker basic auth encoding

rpjicond · 1orony · ahus1 · pedroigor · commit 489d10157af9 · 2025-10-21T14:55:31.000-03:00
Ensures that the client_id and client_secret are URL-encoded before being Base64-encoded for the Basic Auth header, following RFC 6749. This fixes authentication failures when the client_id contains special characters. Closes #26374 Closes #43022 Signed-off-by: rpjicond <ronaldopaulino32@hotmail.com> Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com> Co-authored-by: rpjicond <ronaldopaulino32@hotmail.com> Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com> Co-authored-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@@ -1436,7 +1436,7 @@ removeMappingConfirm_one=Are you sure you want to remove this role?
 oidcSettings=OpenID Connect settings
 oAuthSettings=OAuth2 settings
 otpPolicyDigitsHelp=How many digits should the OTP have?
-clientAuthentications.client_secret_post=Client secret sent as post
+clientAuthentications.client_secret_post=Client secret sent in the request body
 prompts.select_account=Select account
 defaultACRValues=Default ACR Values
 minimumACRValue=Minimum ACR Value
@@ -2769,7 +2769,8 @@ authenticationFlow=Authentication flow
 leaveGroup_other=Leave groups?
 deleteClientPolicySuccess=Client policy deleted
 mapperTypeCertificateLdapMapper=certificate-ldap-mapper
-clientAuthentications.client_secret_basic=Client secret sent as basic auth
+clientAuthentications.client_secret_basic=Client secret sent as HTTP Basic authentication
+clientAuthentications.client_secret_basic_unencoded=Client secret sent as HTTP Basic authentication without URL encoding (deprecated)
 started=Started
 filteredByClaimHelp=If true, ID tokens issued by the identity provider must have a specific claim. Otherwise, the user can not authenticate through this broker.
 mapperTypeCertificateLdapMapperHelp=Used to map single attribute which contains a certificate from LDAP user to attribute of UserModel in Keycloak database
diff --git a/js/apps/admin-ui/src/identity-providers/add/OIDCAuthentication.tsx b/js/apps/admin-ui/src/identity-providers/add/OIDCAuthentication.tsx
@@ -10,6 +10,7 @@ import { TextField } from "../component/TextField";
 const clientAuthentications = [
   "client_secret_post",
   "client_secret_basic",
+  "client_secret_basic_unencoded",
   "client_secret_jwt",
   "private_key_jwt",
 ];
diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -622,6 +622,11 @@ public SimpleHttpRequest authenticateTokenRequest(final SimpleHttpRequest tokenR
         } else {
             try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
                 if (getConfig().isBasicAuthentication()) {
+                    String clientSecret = vaultStringSecret.get().orElse(getConfig().getClientSecret());
+                    String header = org.keycloak.util.BasicAuthHelper.RFC6749.createHeader(getConfig().getClientId(), clientSecret);
+                    return tokenRequest.header(HttpHeaders.AUTHORIZATION, header);
+                }
+                if (getConfig().isBasicAuthenticationUnencoded()) {
                     return tokenRequest.authBasic(getConfig().getClientId(), vaultStringSecret.get().orElse(getConfig().getClientSecret()));
                 }
                 return tokenRequest
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java
@@ -125,6 +125,10 @@ public boolean isBasicAuthentication(){
         return getClientAuthMethod().equals(OIDCLoginProtocol.CLIENT_SECRET_BASIC);
     }
 
+    public boolean isBasicAuthenticationUnencoded(){
+        return getClientAuthMethod().equals(OIDCLoginProtocol.CLIENT_SECRET_BASIC_UNENCODED);
+    }
+
     public boolean isUiLocales() {
         return Boolean.valueOf(getConfig().get("uiLocales"));
     }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@@ -119,6 +119,12 @@ public class OIDCLoginProtocol implements LoginProtocol {
     public static final String PRIVATE_KEY_JWT = "private_key_jwt";
     public static final String TLS_CLIENT_AUTH = "tls_client_auth";
 
+    /**
+     * This is just for legacy setups which expect an unencoded, non-RFC6749 compliant client secret send from Keycloak to an IdP.
+     */
+    @Deprecated(since = "26.5")
+    public static final String CLIENT_SECRET_BASIC_UNENCODED = "client_secret_basic_unencoded";
+
     // https://tools.ietf.org/html/rfc7636#section-4.3
     public static final String CODE_CHALLENGE_PARAM = "code_challenge";
     public static final String CODE_CHALLENGE_METHOD_PARAM = "code_challenge_method";
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerColonAliasClientSecretBasicAuthTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerColonAliasClientSecretBasicAuthTest.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2025 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.broker;
+
+import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
+import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.IdentityProviderSyncMode;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
+import org.keycloak.representations.idm.IdentityProviderRepresentation;
+
+import java.util.Map;
+
+import static org.keycloak.broker.oidc.OAuth2IdentityProviderConfig.TOKEN_ENDPOINT_URL;
+import static org.keycloak.testsuite.broker.BrokerTestConstants.*;
+import static org.keycloak.testsuite.broker.BrokerTestTools.*;
+
+public class KcOidcBrokerColonAliasClientSecretBasicAuthTest extends AbstractBrokerTest {
+
+    @Override
+    protected BrokerConfiguration getBrokerConfiguration() {
+        return new KcOidcBrokerColonAliasClientSecretBasicAuthTest.KcOidcBrokerColonAliasConfigurationWithBasicAuthAuthentication();
+    }
+
+    private class KcOidcBrokerColonAliasConfigurationWithBasicAuthAuthentication extends KcOidcBrokerConfiguration {
+
+        public final static String CLIENT_ID_COLON = "https://kc-dev.general.gr/staging/realms/general";
+
+        @Override
+        public IdentityProviderRepresentation setUpIdentityProvider(IdentityProviderSyncMode syncMode) {
+            IdentityProviderRepresentation idp = createIdentityProvider(IDP_OIDC_ALIAS, IDP_OIDC_PROVIDER_ID);
+            Map<String, String> config = idp.getConfig();
+            applyDefaultConfiguration(config, syncMode);
+            config.put("clientAuthMethod", OIDCLoginProtocol.CLIENT_SECRET_BASIC);
+            return idp;
+        }
+
+        @Override
+        protected void applyDefaultConfiguration(final Map<String, String> config, IdentityProviderSyncMode syncMode) {
+            config.put(IdentityProviderModel.SYNC_MODE, syncMode.toString());
+            config.put("clientId", CLIENT_ID_COLON);
+            config.put("clientSecret", CLIENT_SECRET);
+            config.put("prompt", "login");
+            config.put("loginHint", "true");
+            config.put(OIDCIdentityProviderConfig.ISSUER, getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME);
+            config.put("authorizationUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/auth");
+            config.put(TOKEN_ENDPOINT_URL, getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/token");
+            config.put("logoutUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/logout");
+            config.put("userInfoUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/userinfo");
+            config.put("defaultScope", "email profile");
+            config.put("backchannelSupported", "true");
+            config.put(OIDCIdentityProviderConfig.JWKS_URL,
+                    getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/certs");
+            config.put(OIDCIdentityProviderConfig.USE_JWKS_URL, "true");
+            config.put(OIDCIdentityProviderConfig.VALIDATE_SIGNATURE, "true");
+        }
+
+        @Override
+        public String getIDPClientIdInProviderRealm() {
+            return CLIENT_ID_COLON;
+        }
+
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -125,6 +125,10 @@ public boolean isBasicAuthentication(){`
`125`	`125`	`return getClientAuthMethod().equals(OIDCLoginProtocol.CLIENT_SECRET_BASIC);`
`126`	`126`	`}`
`127`	`127`
	`128`	`+ public boolean isBasicAuthenticationUnencoded(){`
	`129`	`+ return getClientAuthMethod().equals(OIDCLoginProtocol.CLIENT_SECRET_BASIC_UNENCODED);`
	`130`	`+ }`
	`131`	`+`
`128`	`132`	`public boolean isUiLocales() {`
`129`	`133`	`return Boolean.valueOf(getConfig().get("uiLocales"));`
`130`	`134`	`}`