Merge pull request #25012 from sberyozkin/oidc_restore_query_params

Always restore query params on OIDC redirect URIs

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -481,7 +481,8 @@ private Uni<SecurityIdentity> performCodeFlow(IdentityProviderManager identityPr
             String restorePath = stateBean.getRestorePath();
             int userQueryIndex = restorePath.indexOf("?");
             if (userQueryIndex >= 0) {
-                userPath = restorePath.substring(0, userQueryIndex);
+                userPath = isRestorePath(configContext.oidcConfig.authentication) ? restorePath.substring(0, userQueryIndex)
+                        : null;
                 if (userQueryIndex + 1 < restorePath.length()) {
                     userQuery = restorePath.substring(userQueryIndex + 1);
                 }
@@ -691,8 +692,7 @@ private String generateCodeFlowState(RoutingContext context, TenantConfigContext
         String uuid = UUID.randomUUID().toString();
         String cookieValue = uuid;
 
-        Authentication auth = configContext.oidcConfig.getAuthentication();
-        boolean restorePath = auth.isRestorePathAfterRedirect() || !auth.redirectPath.isPresent();
+        boolean restorePath = isRestorePath(configContext.oidcConfig.getAuthentication());
         if (restorePath || pkceCodeVerifier != null) {
             CodeAuthenticationStateBean extraStateValue = new CodeAuthenticationStateBean();
             if (restorePath) {
@@ -711,11 +711,19 @@ private String generateCodeFlowState(RoutingContext context, TenantConfigContext
             if (!extraStateValue.isEmpty()) {
                 cookieValue += (COOKIE_DELIM + encodeExtraStateValue(extraStateValue, configContext));
             }
+        } else if (context.request().query() != null) {
+            CodeAuthenticationStateBean extraStateValue = new CodeAuthenticationStateBean();
+            extraStateValue.setRestorePath("?" + context.request().query());
+            cookieValue += (COOKIE_DELIM + encodeExtraStateValue(extraStateValue, configContext));
         }
         createCookie(context, configContext.oidcConfig, getStateCookieName(configContext.oidcConfig), cookieValue, 60 * 30);
         return uuid;
     }
 
+    private boolean isRestorePath(Authentication auth) {
+        return auth.isRestorePathAfterRedirect() || !auth.redirectPath.isPresent();
+    }
+
     private String encodeExtraStateValue(CodeAuthenticationStateBean extraStateValue, TenantConfigContext configContext) {
         if (extraStateValue.getCodeVerifier() != null) {
             JsonObject json = new JsonObject();

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java

@@ -629,7 +629,7 @@ public void testIdTokenInjectionWithoutRestoredPathDifferentRoot() throws IOExce
         try (final WebClient webClient = createWebClient()) {
             HtmlPage page = webClient.getPage("http://localhost:8081/web-app2/callback-before-redirect?tenantId=tenant-2");
             assertNotNull(getStateCookieStateParam(webClient, "tenant-2"));
-            assertNull(getStateCookieSavedPath(webClient, "tenant-2"));
+            assertEquals("?tenantId=tenant-2", getStateCookieSavedPath(webClient, "tenant-2"));
 
             assertEquals("Sign in to quarkus", page.getTitleText());