[keycloak-user] Encoded URL does not work as redirect_uri

Schaar, Andrew Andrew.Schaar at bluestembrands.com
Thu Mar 14 10:56:08 EDT 2019 

Hello,

We just upgraded from 3.4.2.Final to 4.8.3.Final. After doing so, users can no longer reach the login page when redirect_uri has an encoded space.
This happens at RedirectUtils.java:182 when constructing a new URI from the redirect_uri parameter. The issue seems to stem from the fact that when retrieving query parameters, they are decoded. Do you have any suggestions on a work around beyond changing the urls on our website?

To reproduce, create a new realm named ‘my-realm’
Create a public client named ‘web-client’
Add valid redirect url: http://localhost:8888/*
Navigate to the following in a browser: http://localhost:8888/auth/realms/my-realm/protocol/openid-connect/auth?response_type=code&client_id=web-client&redirect_uri=http://localhost:8888/some%20category

Stack trace:
14:47:36,092 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-9) Uncaught server error: java.lang.IllegalArgumentException: Invalid URL syntax: Illegal character in path at index 26: http://localhost:8888/some category
   at org.keycloak.protocol.oidc.utils.RedirectUtils.normalizeUrl(RedirectUtils.java:185)
   at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:83)
   at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:52)
   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkRedirectUri(AuthorizationEndpoint.java:371)
   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:120)
   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:108)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
   at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
   at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
   at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
   at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
   at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
   at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
   at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
   at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
   at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
   at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
   at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
   at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
   at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
   at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
   at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
   at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
   at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
   at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
   at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
   at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
   at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
   at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
   at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
   at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
   at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
   at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
   at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
   at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
   at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
   at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
   at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
   at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
   at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
   at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
   at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
   at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
   at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
   at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
   at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
   at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
   at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
   at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
   at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
   at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
   at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
   at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
   at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
   at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
   at java.lang.Thread.run(Thread.java:748)

Thank you!
Andrew Schaar

More information about the keycloak-user mailing list