keycloak
diff --git a/‎docs/documentation/topics/templates/document-attributes.adoc‎
Lines changed: 2 additions & 0 deletions b/‎docs/documentation/topics/templates/document-attributes.adoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc‎
Lines changed: 10 additions & 0 deletions b/‎docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolFactory.java‎
Lines changed: 59 additions & 4 deletions b/‎services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolFactory.java‎
Lines changed: 59 additions & 4 deletions
diff --git a/‎services/src/main/java/org/keycloak/protocol/oidc/OIDCProviderConfig.java‎
Lines changed: 49 additions & 4 deletions b/‎services/src/main/java/org/keycloak/protocol/oidc/OIDCProviderConfig.java‎
Lines changed: 49 additions & 4 deletions
@@ -58,6 +58,8 @@
 :apidocs_link: https://www.keycloak.org/docs/{project_version}/api_documentation/
 :adminguide_email_name: Configuring email for a realm
 :adminguide_email_link: {adminguide_link}#_email
+:allproviderconfigguide_name: All provider configuration Guide
+:allproviderconfigguide_link: https://www.keycloak.org/server/all-provider-config
 :bootstrapadminrecovery_name: Admin Bootstrap and Recovery
 :bootstrapadminrecovery_link: https://www.keycloak.org/server/bootstrap-admin-recovery
 :client_certificate_lookup_link: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
 
@@ -176,6 +176,16 @@ The input fields  in the login theme for OTP and recovery codes and have been op
 * The input mode is now `numeric`, which will ease the input on mobile devices.
 * The auto-complete is set to `one-time-code` to avoid interference with password managers.
 
+=== Maximum length of the parameters in the OIDC authentication request
+
+When the OIDC authentication request (or OAuth2 authorization request) is sent, there is now limit for the maximum length of every standard OIDC/OAuth2 parameter. The maximum length of each standard parameter is 4000 characters,
+which is very big number and can be lowered in the future releases. For now, it is kept big for the backwards compatibility. The only exception is the `login_hint` parameter, which is limited
+to the maximum length of 255 characters. This is aligned with the maximum length for the `username` and `email` attributes configured in the default user profile configuration.
+
+If you want to make those number higher or lower, you can start the server with the option `req-params-default-max-size` for the default maximum length of the standard
+OIDC/OAuth2 parameters or you can use something like `req-params-max-size` for one specific parameter. See the `login-protocol` provider configuration
+of the link:{allproviderconfigguide_link}[{allproviderconfigguide_name}] for more details.
+
 === UTF-8 management in the email sender
 
 Since this release, {project_name} adds a new option `allowutf8` for the realm SMTP configuration (*Allow UTF-8* field inside the *Email* tab in the *Realm settings* section of the Admin Console).
 
@@ -23,6 +23,7 @@
 import org.keycloak.common.constants.KerberosConstants;
 import org.keycloak.common.constants.ServiceAccountConstants;
 import org.keycloak.common.util.UriUtils;
+import org.keycloak.connections.httpclient.HttpClientProvider;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.ClientScopeModel;
@@ -47,18 +48,26 @@
 import org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper;
 import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper;
 import org.keycloak.protocol.oidc.mappers.SubMapper;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.provider.ProviderConfigurationBuilder;
 import org.keycloak.representations.IDToken;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.services.ServicesLogger;
 import org.keycloak.services.managers.AuthenticationManager;
 
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
 import static org.keycloak.models.ImpersonationSessionNote.IMPERSONATOR_ID;
 import static org.keycloak.models.ImpersonationSessionNote.IMPERSONATOR_USERNAME;
+import static org.keycloak.protocol.oidc.OIDCProviderConfig.DEFAULT_ADDITIONAL_REQ_PARAMS_FAIL_FAST;
+import static org.keycloak.protocol.oidc.OIDCProviderConfig.DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_NUMBER;
+import static org.keycloak.protocol.oidc.OIDCProviderConfig.DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_OVERALL_SIZE;
+import static org.keycloak.protocol.oidc.OIDCProviderConfig.DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_SIZE;
+import static org.keycloak.protocol.oidc.OIDCProviderConfig.DEFAULT_REQ_PARAMS_DEFAULT_MAX_SIZE;
 
 /**
  * @author <a href="mailto:[email protected]">Bill Burke</a>
@@ -115,10 +124,12 @@ public class OIDCLoginProtocolFactory extends AbstractLoginProtocolFactory {
     public static final String ROLES_SCOPE_CONSENT_TEXT = "${rolesScopeConsentText}";
     public static final String ORGANIZATION_SCOPE_CONSENT_TEXT = "${organizationScopeConsentText}";
 
-    public static final String CONFIG_OIDC_REQ_PARAMS_MAX_NUMBER = "add-req-params-max-number";
-    public static final String CONFIG_OIDC_REQ_PARAMS_MAX_SIZE = "add-req-params-max-size";
-    public static final String CONFIG_OIDC_REQ_PARAMS_MAX_OVERALL_SIZE = "add-req-params-max-overall-size";
-    public static final String CONFIG_OIDC_REQ_PARAMS_FAIL_FAST = "add-req-params-fail-fast";
+    public static final String CONFIG_OIDC_REQ_PARAMS_DEFAULT_MAX_SIZE = "req-params-default-max-size";
+    public static final String CONFIG_OIDC_REQ_PARAMS_MAX_SIZE_PREFIX = "req-params-max-size";
+    public static final String CONFIG_OIDC_ADD_REQ_PARAMS_MAX_NUMBER = "add-req-params-max-number";
+    public static final String CONFIG_OIDC_ADD_REQ_PARAMS_MAX_SIZE = "add-req-params-max-size";
+    public static final String CONFIG_OIDC_ADD_REQ_PARAMS_MAX_OVERALL_SIZE = "add-req-params-max-overall-size";
+    public static final String CONFIG_OIDC_ADD_REQ_PARAMS_FAIL_FAST = "add-req-params-fail-fast";
 
     /**
      * @deprecated To be removed in Keycloak 27
@@ -554,4 +565,48 @@ public void setupClientDefaults(ClientRepresentation rep, ClientModel newClient)
     public int order() {
         return UI_ORDER;
     }
+
+    @Override
+    public List<ProviderConfigProperty> getConfigMetadata() {
+        return ProviderConfigurationBuilder.create()
+                .property()
+                    .name(CONFIG_OIDC_REQ_PARAMS_DEFAULT_MAX_SIZE)
+                    .type("int")
+                    .helpText("Maximum default length of the standard OIDC parameter sent to the OIDC authentication request. This applies to most of the standard parameters like for example 'state', 'nonce' etc." +
+                            " The exception is 'login_hint' parameter, which has maximum length of 255 characters.")
+                    .defaultValue(DEFAULT_REQ_PARAMS_DEFAULT_MAX_SIZE)
+                    .add()
+                .property()
+                    .name(CONFIG_OIDC_REQ_PARAMS_MAX_SIZE_PREFIX + "--" + OIDCLoginProtocol.LOGIN_HINT_PARAM)
+                    .type("int")
+                    .helpText("Maximum length of the standard OIDC authentication request parameter overriden for the specified parameter. Useful if some standard OIDC parameter should have different limit than '" + CONFIG_OIDC_REQ_PARAMS_DEFAULT_MAX_SIZE +
+                            "'. It is needed to add the name of the parameter after this prefix into the configuration. In this example, the '" + OIDCLoginProtocol.LOGIN_HINT_PARAM + "' parameter is used, but this format is supported for any known standard OIDC/OAuth2 parameter.")
+                    .add()
+                .property()
+                    .name(CONFIG_OIDC_ADD_REQ_PARAMS_MAX_NUMBER)
+                    .type("int")
+                    .helpText("Maximum number of additional request parameters sent to the OIDC authentication request. As 'additional request parameter' is meant some custom parameter not directly treated as standard OIDC/OAuth2 protocol parameter. Additional parameters might be useful for example to add custom claims to the OIDC token (in case that also particular protocol mappers are configured).")
+                    .defaultValue(DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_NUMBER)
+                    .add()
+                .property()
+                    .name(CONFIG_OIDC_ADD_REQ_PARAMS_MAX_SIZE)
+                    .type("int")
+                    .helpText("Maximum size of single additional request parameter value See '" + CONFIG_OIDC_ADD_REQ_PARAMS_MAX_NUMBER + "' for more details about additional request parameters")
+                    .defaultValue(DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_SIZE)
+                    .add()
+                .property()
+                    .name(CONFIG_OIDC_ADD_REQ_PARAMS_MAX_OVERALL_SIZE)
+                    .type("int")
+                    .helpText("Maximum size of all additional request parameters values together. See '" + CONFIG_OIDC_ADD_REQ_PARAMS_MAX_NUMBER + "' for more details about additional request parameters")
+                    .defaultValue(DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_OVERALL_SIZE)
+                    .add()
+                .property()
+                    .name(CONFIG_OIDC_ADD_REQ_PARAMS_FAIL_FAST)
+                    .type("boolean")
+                    .helpText("Whether the fail-fast strategy should be enforced in case if the limit for some standard OIDC parameter or additional OIDC parameter is not met for the parameters sent to the OIDC authentication request." +
+                            " If false, then all additional request parameters to not meet the configuration are silently ignored. If true, an exception will be raised and OIDC authentication request will not be allowed.")
+                    .defaultValue(DEFAULT_ADDITIONAL_REQ_PARAMS_FAIL_FAST)
+                    .add()
+                .build();
+    }
 }
@@ -1,12 +1,32 @@
 package org.keycloak.protocol.oidc;
 
+import java.util.Map;
+
 import org.keycloak.Config;
 
 /**
  * @author <a href="mailto:[email protected]">Patrick Weiner</a>
  */
 public class OIDCProviderConfig {
 
+    private final Config.Scope config;
+
+    /**
+     * Maximum default length of the standard OIDC parameter sent to the OIDC authentication request.
+     */
+    public static final int DEFAULT_REQ_PARAMS_DEFAULT_MAX_SIZE = 4000;
+
+    private final int reqParamsDefaultMaxSize;
+
+    /**
+     * Overriden values for maximum sizes of specified standard OIDC parameters. The value for the specified parameter can be still overriden
+     * by administrator in the configuration of the {@link OIDCLoginProtocolFactory}. In case that value is not overriden in the configuration or in this map,
+     * then the value specified by the {@link OIDCLoginProtocolFactory#CONFIG_OIDC_REQ_PARAMS_DEFAULT_MAX_SIZE} is used
+     */
+    private Map<String, Integer> DEFAULT_MAX_PARAMS_SIZES = Map.of(
+            OIDCLoginProtocol.LOGIN_HINT_PARAM, 255 // Aligned with user-profile configuration for username and email
+    );
+
     /**
      * Default value for {@link #additionalReqParamsMaxNumber} if case no configuration property is set.
      */
@@ -62,10 +82,13 @@ public class OIDCProviderConfig {
 
 
     public OIDCProviderConfig(Config.Scope config) {
-        this.additionalReqParamsMaxNumber = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_REQ_PARAMS_MAX_NUMBER, DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_NUMBER);
-        this.additionalReqParamsMaxSize = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_REQ_PARAMS_MAX_SIZE, DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_SIZE);
-        this.additionalReqParamsMaxOverallSize = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_REQ_PARAMS_MAX_OVERALL_SIZE, DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_OVERALL_SIZE);
-        this.additionalReqParamsFailFast = config.getBoolean(OIDCLoginProtocolFactory.CONFIG_OIDC_REQ_PARAMS_FAIL_FAST, DEFAULT_ADDITIONAL_REQ_PARAMS_FAIL_FAST);
+        this.config = config;
+
+        this.reqParamsDefaultMaxSize = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_REQ_PARAMS_DEFAULT_MAX_SIZE, DEFAULT_REQ_PARAMS_DEFAULT_MAX_SIZE);
+        this.additionalReqParamsMaxNumber = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_ADD_REQ_PARAMS_MAX_NUMBER, DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_NUMBER);
+        this.additionalReqParamsMaxSize = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_ADD_REQ_PARAMS_MAX_SIZE, DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_SIZE);
+        this.additionalReqParamsMaxOverallSize = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_ADD_REQ_PARAMS_MAX_OVERALL_SIZE, DEFAULT_ADDITIONAL_REQ_PARAMS_MAX_OVERALL_SIZE);
+        this.additionalReqParamsFailFast = config.getBoolean(OIDCLoginProtocolFactory.CONFIG_OIDC_ADD_REQ_PARAMS_FAIL_FAST, DEFAULT_ADDITIONAL_REQ_PARAMS_FAIL_FAST);
 
         this.allowMultipleAudiencesForJwtClientAuthentication = config.getBoolean(OIDCLoginProtocolFactory.CONFIG_OIDC_ALLOW_MULTIPLE_AUDIENCES_FOR_JWT_CLIENT_AUTHENTICATION, DEFAULT_ALLOW_MULTIPLE_AUDIENCES_FOR_JWT_CLIENT_AUTHENTICATION);
     }
@@ -89,4 +112,26 @@ public int getAdditionalReqParamsMaxOverallSize() {
     public boolean isAllowMultipleAudiencesForJwtClientAuthentication() {
         return allowMultipleAudiencesForJwtClientAuthentication;
     }
+
+    /**
+     * @param paramName Parameter name. Expected to be one of the known OIDC parameters
+     *
+     * @return maximum length for the specified OIDC parameter
+     */
+    public int getMaxLengthForTheParameter(String paramName) {
+        // Configured value for the particular OIDC parameter
+        Integer paramMaxSize = config.getInt(OIDCLoginProtocolFactory.CONFIG_OIDC_REQ_PARAMS_MAX_SIZE_PREFIX + "--" + paramName);
+
+        // Stick to default. See if we have default value overriden
+        if (paramMaxSize == null) {
+            paramMaxSize = DEFAULT_MAX_PARAMS_SIZES.get(paramName);
+        }
+
+        // Fallback to default for all standard OIDC parameters
+        if (paramMaxSize == null) {
+            paramMaxSize = reqParamsDefaultMaxSize;
+        }
+
+        return paramMaxSize;
+    }
 }