Type: Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
identity-brokering
Describe the bug
Problem
uriBuilder.queryParam() already performs URL encoding.
Manually applying URLEncoder.encode(parameter, StandardCharsets.UTF_8) before calling it results in double encoding:
space → "+" (URLEncoder.encode, form encoding) → "%2B" (queryParam, encoding the "+" again)
Affected method:
uriBuilder.queryParam(forwardParameter, URLEncoder.encode(parameter, StandardCharsets.UTF_8));
Reference (line of code):
https://github.com/keycloak/keycloak/blob/39964befefc41eec3330fcf5c94f5e1ea498d075/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L562
Related commit that introduced the issue:
https://github.com/keycloak/keycloak/issues/41755
Note: this was working in version 26.0.
Version
26.4
Regression
[x] The issue is a regression
Expected behavior
The URI component should only be encoded once.
Actual behavior
The URI component is encoded twice.
How to Reproduce?
Create an Identity Provider and add a forwarded query parameter, using a query parameter such as acr_values. You will notice that a value like hello world turns into hello%2Bworld, when the space should be encoded as either + or %20.
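To make the reproduction checkable without a Keycloak instance, the following is an added example (not Keycloak code) that models the two encoders meeting on the reported line: java.net.URLEncoder.encode, which follows application/x-www-form-urlencoded and turns a space into "+", and JAX-RS UriBuilder.queryParam, which percent-encodes characters not allowed in a query value. The builder is modelled after the UriBuilder contract that existing %XX sequences are preserved rather than re-encoded; that exact preservation rule, the endpoint URL and the helper names are assumptions of this model, not taken from the Keycloak source.

```python
"""Double URL-encoding of a forwarded query parameter, modelled in Python.

Added example; this is not Keycloak code. It models the two encoders involved
in the reported line:
  - java.net.URLEncoder.encode(value, UTF_8): application/x-www-form-urlencoded,
    so a space becomes '+', everything else outside [A-Za-z0-9*-._] becomes %XX.
  - JAX-RS UriBuilder.queryParam(name, value): percent-encodes characters that are
    not allowed in a query value and (per the UriBuilder contract) leaves existing
    %XX sequences alone. A literal '+' is not a %XX sequence, so it becomes %2B.
The endpoint URL and the exact preservation rule are assumptions for the model.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

AUTHZ_ENDPOINT = "https://idp.example.com/authorize"  # assumed placeholder

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def java_urlencoder(value: str) -> str:
    """Reimplementation of URLEncoder.encode(value, UTF_8) semantics."""
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in "*-._":
            out.append(ch)
        elif ch == " ":
            out.append("+")  # form encoding uses '+' for space, not %20
        else:
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def uri_builder_query_param(base: str, name: str, value: str) -> str:
    """Model of UriBuilder.queryParam(): encode once, keep existing %XX as-is."""
    def encode(s: str) -> str:
        out, i = [], 0
        while i < len(s):
            m = _PCT.match(s, i)
            if m:  # already percent-encoded: preserved, not re-encoded (assumed rule)
                out.append(m.group())
                i = m.end()
            else:  # RFC 3986 style: '+' -> %2B, ' ' -> %20
                out.append(quote(s[i], safe=""))
                i += 1
        return "".join(out)

    sep = "&" if urlsplit(base).query else "?"
    return f"{base}{sep}{encode(name)}={encode(value)}"


def build_redirect_buggy(name: str, value: str) -> str:
    """The reported pattern: pre-encode, then let the builder encode again."""
    return uri_builder_query_param(AUTHZ_ENDPOINT, name, java_urlencoder(value))


def build_redirect_fixed(name: str, value: str) -> str:
    """Hand the raw value to the builder so it is encoded exactly once."""
    return uri_builder_query_param(AUTHZ_ENDPOINT, name, value)


def received_value(url: str, name: str) -> str:
    """What the upstream IdP sees after its single query-string decode."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


def check_single_encoding(builder, name: str, value: str) -> bool:
    """Regression check: does the value survive the redirect round trip intact?"""
    return received_value(builder(name, value), name) == value


if __name__ == "__main__":
    # Constructed sample values; acr_values is a space-separated list in practice.
    for value in ("hello world", "urn:mace:incommon:iap:silver urn:x", "50%"):
        for builder in (build_redirect_buggy, build_redirect_fixed):
            url = builder("acr_values", value)
            print(f"{builder.__name__:22} {url}")
            print(f"{'':22} IdP sees: {received_value(url, 'acr_values')!r}")
```

Running it shows why only values containing spaces break: the builder keeps the %XX sequences that URLEncoder produced for ":" or "%", so those survive the round trip, but the "+" that form encoding substitutes for a space is not a %XX sequence and gets encoded a second time to %2B, which the upstream IdP then decodes to a literal "+". check_single_encoding is the kind of round-trip assertion a test for the fix would make; note that it cannot tell a legitimate literal "+" in a value apart from a mangled space, so it is a regression check on known inputs, not a detector for arbitrary URLs.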