Encode URL in OIDC cookie

Fix #31802
quarkusio · Aug 22, 2024 · 3ffa6ec · 3ffa6ec
1 parent c75c0f4
commit 3ffa6ec
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -4,6 +4,8 @@
 import static io.quarkus.oidc.runtime.OidcIdentityProvider.REFRESH_TOKEN_GRANT_RESPONSE;
 
 import java.net.URI;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.security.PrivateKey;
 import java.security.SecureRandom;
@@ -940,7 +942,7 @@ private CodeAuthenticationStateBean getCodeAuthenticationBean(String[] parsedSta
             Authentication authentication = configContext.oidcConfig.authentication;
             boolean pkceRequired = authentication.pkceRequired.orElse(false);
             if (!pkceRequired && !authentication.nonceRequired) {
-                bean.setRestorePath(parsedStateCookieValue[1]);
+                bean.setRestorePath(URLDecoder.decode(parsedStateCookieValue[1], StandardCharsets.UTF_8));
                 return bean;
             }
 
@@ -1177,7 +1179,7 @@ private String encodeExtraStateValue(CodeAuthenticationStateBean extraStateValue
                 throw new AuthenticationCompletionException(ex);
             }
         } else {
-            return extraStateValue.getRestorePath();
+            return URLEncoder.encode(extraStateValue.getRestorePath(), StandardCharsets.UTF_8);
         }
 
     }

diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -11,6 +11,7 @@
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.time.Duration;
 import java.util.Base64;
@@ -1561,12 +1562,12 @@ private String getStateCookieStateParam(Cookie stateCookie) {
 
     private String getStateCookieSavedPath(WebClient webClient, String tenantId) {
         String[] parts = getStateCookie(webClient, tenantId).getValue().split("\\|");
-        return parts.length == 2 ? parts[1] : null;
+        return parts.length == 2 ? URLDecoder.decode(parts[1], StandardCharsets.UTF_8) : null;
     }
 
     private String getStateCookieSavedPath(Cookie stateCookie) {
         String[] parts = stateCookie.getValue().split("\\|");
-        return parts.length == 2 ? parts[1] : null;
+        return parts.length == 2 ? URLDecoder.decode(parts[1], StandardCharsets.UTF_8) : null;
     }
 
     private Cookie getSessionCookie(WebClient webClient, String tenantId) {