Skip to content

Commit 5d67183

Browse files
pedroigorpedroigor
authored
Fixing encoding of forwarded parameters
Closes #44125 Signed-off-by: Pedro Igor <[email protected]>
1 parent 51dbd6f commit 5d67183

File tree

2 files changed

+20
-13
lines changed

2 files changed

+20
-13
lines changed

services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java

Lines changed: 17 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -528,8 +528,6 @@ protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
528528
uriBuilder.queryParam(OAuth2Constants.PROMPT, prompt);
529529
}
530530

531-
setForwardParameters(authenticationSession, uriBuilder);
532-
533531
if (getConfig().isPkceEnabled()) {
534532
String codeVerifier = PkceUtils.generateCodeVerifier();
535533
String codeChallengeMethod = getConfig().getPkceMethod();
@@ -541,26 +539,35 @@ protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
541539
uriBuilder.queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, codeChallengeMethod);
542540
}
543541

542+
appendForwardedParameters(authenticationSession, uriBuilder);
543+
544544
return uriBuilder;
545545
}
546546

547-
private void setForwardParameters(AuthenticationSessionModel authenticationSession, UriBuilder uriBuilder) {
547+
private void appendForwardedParameters(AuthenticationSessionModel authenticationSession, UriBuilder uriBuilder) {
548548
C config = getConfig();
549549
String forwardParameterConfig = config.getForwardParameters() != null ? config.getForwardParameters(): OAuth2Constants.ACR_VALUES;
550+
List<String> parameterNames = List.of(forwardParameterConfig.split("\\s*,\\s*"));
551+
StringBuilder query = new StringBuilder(uriBuilder.build().getRawQuery());
550552

551-
for (String forwardParameter: List.of(forwardParameterConfig.split("\\s*,\\s*"))) {
552-
String name = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + forwardParameter.trim();
553-
String parameter = authenticationSession.getClientNote(name);
553+
for (String name: parameterNames) {
554+
String noteKey = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + name.trim();
555+
String value = authenticationSession.getClientNote(noteKey);
554556

555-
if (parameter == null) {
557+
if (value == null) {
556558
// try a value set as a client note
557-
parameter = authenticationSession.getClientNote(forwardParameter);
559+
value = authenticationSession.getClientNote(name);
558560
}
559561

560-
if (parameter != null && !parameter.isEmpty()) {
561-
uriBuilder.queryParam(forwardParameter, URLEncoder.encode(parameter, StandardCharsets.UTF_8));
562+
if (value != null && !value.isEmpty()) {
563+
if (!query.isEmpty()) {
564+
query.append("&");
565+
}
566+
query.append(name).append("=").append(URLEncoder.encode(value, StandardCharsets.UTF_8));
562567
}
563568
}
569+
570+
uriBuilder.replaceQuery(query.toString());
564571
}
565572

566573
/**

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerParameterForwardTest.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -50,11 +50,11 @@ protected void loginUser() {
5050
oauth.clientId("broker-app");
5151
loginPage.open(bc.consumerRealmName());
5252

53-
String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null}}";
53+
String claimsValue = "{\"userinfo\":{\"http://itsme.services/v2/claim/BENationalNumber\":null,\"spaced_value\":\"with space\"}}";
5454
String urlEncodedClaims = URLEncoder.encode(claimsValue, StandardCharsets.UTF_8);
5555
String forwardedEncodedParam = "forwarded_encoded";
5656
String forwardedEncodedParamValue = "encoded value";
57-
String forwardedEncodedParamvalueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8);
57+
String forwardedEncodedParamValueEncoded = URLEncoder.encode(forwardedEncodedParamValue, StandardCharsets.UTF_8);
5858
String queryString = "&" + FORWARDED_PARAMETER + "=" + FORWARDED_PARAMETER_VALUE + "&" + PARAMETER_NOT_FORWARDED + "=" + "value"
5959
+ "&" + OAuth2Constants.ACR_VALUES + "=" + "phr"
6060
+ "&" + OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims
@@ -76,7 +76,7 @@ protected void loginUser() {
7676
assertThat(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims + " should be part of the url",
7777
driver.getCurrentUrl(), containsString(OIDCLoginProtocol.CLAIMS_PARAM + "=" + urlEncodedClaims));
7878
assertThat(forwardedEncodedParam + "=" + forwardedEncodedParamValue + "should be part of the url",
79-
driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + URLEncoder.encode(forwardedEncodedParamvalueEncoded, StandardCharsets.UTF_8)));
79+
driver.getCurrentUrl(), containsString(forwardedEncodedParam + "=" + forwardedEncodedParamValueEncoded));
8080
assertThat("\"" + PARAMETER_NOT_SET + "\"" + " should NOT be part of the url",
8181
driver.getCurrentUrl(), not(containsString(PARAMETER_NOT_SET)));
8282

0 commit comments

Comments
 (0)