Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
identity-brokering
Describe the bug
As a follow-up to https://github.com/keycloak/keycloak/issues/41670 and https://github.com/keycloak/keycloak/issues/41459, I have now configured the claims parameter as a forwarded query parameter on the brokered OP.
Unfortunately, the claims parameter is not handled properly when Keycloak tries to forward this specific parameter to the brokered OP.
An org.keycloak.broker.provider.IdentityBrokerException is thrown by the method performLogin in the class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.
Version
26.x
Regression
[ ] The issue is a regression
Expected behavior
The claims query parameter should be URL-encoded by Keycloak beforehand when it is forwarded to the brokered OP.
Actual behavior
The claims query parameter does not seem to be URL-encoded by Keycloak when it is forwarded to the brokered OP.
How to Reproduce?
Below is an example of an Initial Authorisation Request sent to Keycloak.
The unencoded value of the claims query parameter is the following:
{"userinfo":{"http://itsme.services/v2/claim/BENationalNumber":null,"http://itsme.services/v2/claim/BEeidSn":null,"http://itsme.services/v2/claim/claim_citizenship":null,"http://itsme.services/v2/claim/claim_citizenship_as_iso":null,"http://itsme.services/v2/claim/place_of_birth":null,"http://itsme.services/v2/claim/validityTo":null,"http://itsme.services/v2/claim/IDDocumentSN":null,"http://itsme.services/v2/claim/IDDocumentType":null,"http://itsme.services/v2/claim/IDIssuingCountry":null,"http://itsme.services/v2/claim/issuance_locality":null}}
When Keycloak now tries to forward this claims query parameter to the brokered identity provider, I get an exception thrown by Keycloak:
2025-08-08 09:47:58,403 ERROR [org.keycloak.services.resources.IdentityBrokerService] (executor-thread-41) couldNotSendAuthenticationRequestMessage: org.keycloak.broker.provider.IdentityBrokerException: Could not create authentication request.
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.performLogin(AbstractOAuth2IdentityProvider.java:142)
at org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:396)
at org.keycloak.services.resources.IdentityBrokerService$quarkusrestinvoker$performLogin_639fa76256feb47da66621dcdd20f8de386404c5.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: jakarta.ws.rs.core.UriBuilderException: failed to create URI
at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.buildFromValues(UriBuilderImpl.java:753)
at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.build(UriBuilderImpl.java:741)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.performLogin(AbstractOAuth2IdentityProvider.java:138)
... 14 more
Caused by: java.net.URISyntaxException: Illegal character in query at index 480: https://identity-acc.connective.eu/connect/authorize?scope=openid+profile+address+phone+email+eid&state=UEmUJ8Yo4jbX_TFkTCURfOLsjMdRIZsYE-SbMRKRDrI.iod5iHReEm0.409s1MQFQ7S9xNah1VwgZQ.eyJydSI6Imh0dHBzOi8vd3d3Lmdvb2dsZS5jb20iLCJydCI6ImNvZGUiLCJzdCI6Inhjb2l2anV5d2tka2h2dXMifQ&response_type=code&client_id=96cab3f5-611f-433c-a3e5-bc032601c0d1&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Fconnective%2Fbroker%2Fidentity%2Fendpoint&ui_locales=fr&acr_values=idp%3Aitsme&claims={"userinfo":{"http://itsme.services/v2/claim/BENationalNumber":null,"http://itsme.services/v2/claim/BEeidSn":null,"http://itsme.services/v2/claim/claim_citizenship":null,"http://itsme.services/v2/claim/claim_citizenship_as_iso":null,"http://itsme.services/v2/claim/place_of_birth":null,"http://itsme.services/v2/claim/validityTo":null,"http://itsme.services/v2/claim/IDDocumentSN":null,"http://itsme.services/v2/claim/IDDocumentType":null,"http://itsme.services/v2/claim/IDIssuingCountry":null,"http://itsme.services/v2/claim/issuance_locality":null}}&code_challenge=khQ3ZZadn78fLMHa9iWG2G7cKa-XpLF0SsHLIgSt4kw&code_challenge_method=S256&nonce=w66wZZEhJEjKqcb53dwiog
at java.base/java.net.URI$Parser.fail(URI.java:2976)
at java.base/java.net.URI$Parser.checkChars(URI.java:3147)
at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3235)
at java.base/java.net.URI$Parser.parse(URI.java:3177)
at java.base/java.net.URI.<init>(URI.java:623)
at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.buildFromValues(UriBuilderImpl.java:748)
... 16 more
Anything else?
No response
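As an added example (not Keycloak's code and not from the reporter), the following Python rebuilds the outbound authorization URL both ways, by naive concatenation and with every query value percent-encoded, and checks each query against the RFC 3986 query grammar, which is the kind of check java.net.URI applies when it reports "Illegal character in query at index N". The endpoint, client_id, state and redirect_uri are constructed placeholders; the claims value is a shortened copy of the one in the report.

```python
"""Percent-encoding a forwarded OIDC `claims` query parameter.

Added example; this is not Keycloak's implementation. It shows why a JSON
value such as `claims` cannot be concatenated into a URL query as-is, and
what the brokered OP receives once the value is properly encoded.
"""
import json
import string
from urllib.parse import parse_qs, urlencode, urlsplit

# Characters RFC 3986 allows unescaped in a query component:
# query = *( pchar / "/" / "?" ); pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_QUERY_ALLOWED = frozenset(
    string.ascii_letters + string.digits + "-._~" + "!$&'()*+,;=" + ":@/?"
)
_HEX = frozenset(string.hexdigits)


def first_illegal_query_char(url: str) -> int:
    """Index into `url` of the first character that may not appear unescaped
    in the query component, or -1 if the query is clean. This mirrors the
    kind of check java.net.URI performs ("Illegal character in query")."""
    q_start = url.find("?")
    if q_start < 0:
        return -1
    q_end = url.find("#", q_start)
    if q_end < 0:
        q_end = len(url)
    i = q_start + 1
    while i < q_end:
        c = url[i]
        if c == "%":
            # A pct-encoded triplet (%XX) is fine; a bare "%" is not.
            if i + 2 < q_end and url[i + 1] in _HEX and url[i + 2] in _HEX:
                i += 3
                continue
            return i
        if c not in _QUERY_ALLOWED:
            return i
        i += 1
    return -1


def build_authorization_url_unencoded(endpoint: str, params: dict) -> str:
    """Naive concatenation: values go into the query untouched, so a JSON
    value carries '{', '"' and '}' into the URL. This reproduces the shape of
    the URL the report's URISyntaxException rejects."""
    return endpoint + "?" + "&".join(f"{k}={v}" for k, v in params.items())


def build_authorization_url(endpoint: str, params: dict) -> str:
    """What the report expects: every value is form-encoded (space -> '+',
    anything outside alnum and '-._~' -> %XX). '{', '"', ':' and '/' are
    escaped, and so are any '&' or '=' inside a forwarded value, which means a
    value can never terminate its own parameter or add another one."""
    return endpoint + "?" + urlencode(params)


def forwarded_claims(url: str) -> dict:
    """What the brokered OP sees after decoding: parse the query string, take
    the `claims` value and parse it as JSON."""
    values = parse_qs(urlsplit(url).query, strict_parsing=True)
    return json.loads(values["claims"][0])


# Constructed sample input. The claims object is a shortened copy of the one
# in the report; endpoint, client_id, state and redirect_uri are placeholders.
ENDPOINT = "https://op.example.test/connect/authorize"
CLAIMS = {
    "userinfo": {
        "http://itsme.services/v2/claim/BENationalNumber": None,
        "http://itsme.services/v2/claim/place_of_birth": None,
    }
}
CLAIMS_JSON = json.dumps(CLAIMS, separators=(",", ":"))
PARAMS = {
    "scope": "openid",
    "response_type": "code",
    "client_id": "example-client",
    "redirect_uri": "http://localhost:8080/realms/connective/broker/identity/endpoint",
    "state": "opaque-state-value",
    "acr_values": "idp:itsme",
    "claims": CLAIMS_JSON,
}

if __name__ == "__main__":
    raw = build_authorization_url_unencoded(ENDPOINT, PARAMS)
    idx = first_illegal_query_char(raw)
    print(f"unencoded: illegal character {raw[idx]!r} in query at index {idx}")
    enc = build_authorization_url(ENDPOINT, PARAMS)
    print(f"encoded:   first illegal index {first_illegal_query_char(enc)} (-1 = clean)")
    print("brokered OP decodes claims to:", forwarded_claims(enc))
```

Run stand-alone it reports the `{` that starts the claims JSON as the first illegal query character of the concatenated URL, a clean result for the encoded URL, and the original claims object after the OP-side decode. The encoding step matters beyond making the URI parse: as a general property of query strings, an unescaped `&` or `=` inside a forwarded value would be read as a parameter boundary by the receiving OP, so forwarded parameters should always be encoded as values rather than spliced into the query text.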