diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
index 2470e8e40c19f..9765a21554df2 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -481,7 +481,8 @@ private Uni performCodeFlow(IdentityProviderManager identityPr
 String restorePath = stateBean.getRestorePath();
 int userQueryIndex = restorePath.indexOf("?");
 if (userQueryIndex >= 0) {
- userPath = restorePath.substring(0, userQueryIndex);
+ userPath = isRestorePath(configContext.oidcConfig.authentication) ? restorePath.substring(0, userQueryIndex)
+ : null;
 if (userQueryIndex + 1 < restorePath.length()) {
 userQuery = restorePath.substring(userQueryIndex + 1);
 }
@@ -691,8 +692,7 @@ private String generateCodeFlowState(RoutingContext context, TenantConfigContext
 String uuid = UUID.randomUUID().toString();
 String cookieValue = uuid;
- Authentication auth = configContext.oidcConfig.getAuthentication();
- boolean restorePath = auth.isRestorePathAfterRedirect() || !auth.redirectPath.isPresent();
+ boolean restorePath = isRestorePath(configContext.oidcConfig.getAuthentication());
 if (restorePath || pkceCodeVerifier != null) {
 CodeAuthenticationStateBean extraStateValue = new CodeAuthenticationStateBean();
 if (restorePath) {
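Review bot: In the performCodeFlow hunk the new condition reads the field directly, `configContext.oidcConfig.authentication`, while generateCodeFlowState in the same commit goes through `configContext.oidcConfig.getAuthentication()`; using the getter at both call sites, `userPath = isRestorePath(configContext.oidcConfig.getAuthentication()) ? restorePath.substring(0, userQueryIndex) : null;`, keeps them consistent. A short comment above that line, for example `// a configured redirect path wins over the saved path; only the saved query is restored`, would explain why the path is dropped while `userQuery` is still taken from the state cookie. performCodeFlow starts and ends outside the hunk, so how `userPath` is initialised and what the branch without a `?` does are not visible here.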
@@ -711,11 +711,19 @@ private String generateCodeFlowState(RoutingContext context, TenantConfigContext
 if (!extraStateValue.isEmpty()) {
 cookieValue += (COOKIE_DELIM + encodeExtraStateValue(extraStateValue, configContext));
 }
+ } else if (context.request().query() != null) {
+ CodeAuthenticationStateBean extraStateValue = new CodeAuthenticationStateBean();
+ extraStateValue.setRestorePath("?" + context.request().query());
+ cookieValue += (COOKIE_DELIM + encodeExtraStateValue(extraStateValue, configContext));
 }
 createCookie(context, configContext.oidcConfig, getStateCookieName(configContext.oidcConfig), cookieValue, 60 * 30);
 return uuid;
 }
+ private boolean isRestorePath(Authentication auth) {
+ return auth.isRestorePathAfterRedirect() || !auth.redirectPath.isPresent();
+ }
+
 private String encodeExtraStateValue(CodeAuthenticationStateBean extraStateValue, TenantConfigContext configContext) {
 if (extraStateValue.getCodeVerifier() != null) {
 JsonObject json = new JsonObject();
diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
index ef2df3a1f0d36..806236d21e3f9 100644
--- a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
+++ b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -629,7 +629,7 @@ public void testIdTokenInjectionWithoutRestoredPathDifferentRoot() throws IOExce
 try (final WebClient webClient = createWebClient()) {
 HtmlPage page = webClient.getPage("http://localhost:8081/web-app2/callback-before-redirect?tenantId=tenant-2");
 assertNotNull(getStateCookieStateParam(webClient, "tenant-2"));
- assertNull(getStateCookieSavedPath(webClient, "tenant-2"));
+ assertEquals("?tenantId=tenant-2", getStateCookieSavedPath(webClient, "tenant-2"));
 assertEquals("Sign in to quarkus", page.getTitleText());
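Review bot: The new `else if (context.request().query() != null)` branch in generateCodeFlowState is reached only when `restorePath` is false and `pkceCodeVerifier` is null, so with a PKCE verifier and a configured redirect path the query still appears not to be saved; the lines between `if (restorePath) {` and `if (!extraStateValue.isEmpty())` lie outside the hunks, so this is inferred. If that holds, the first branch needs the same fallback next to its `if (restorePath)` block: `else if (context.request().query() != null) { extraStateValue.setRestorePath("?" + context.request().query()); }`. The stored value is the raw query of a request that is not yet authenticated and it is replayed after login, so a comment on the new `isRestorePath` helper and on this branch stating that only the query, never the path, is restored when a redirect path is configured would help later reviewers keep that boundary.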