While creating an identity provider (IdP) in Keycloak, there is an option available to forward the query params to the external IdP. How can I use that?

I want to forward, say, a launch parameter to the external IdP. I mentioned launch in the Forwarded Query Parameters field on the Keycloak configuration page. I'm using an app on my localhost:9090 protected by Keycloak. When I access http://localhost:9090?launch=abc this param is not forwarded to the external IdP. I'm using keycloak-spring-boot-starter for our Spring Boot app.
Also, from the code of Keycloak, I have seen that there is a prefix attached to the forwarded parameter, i.e. client_request_param_, so I tried using http://localhost:9090?client_request_param_launch=abc but no luck.
AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"

    // Comma-separated list from the "Forwarded Query Parameters" field; empty when unset
    String forwardParameterConfig = getConfig().getForwardParameters() != null ? getConfig().getForwardParameters() : "";
    List<String> forwardParameters = Arrays.asList(forwardParameterConfig.split("\\s*,\\s*"));
    for (String forwardParameter : forwardParameters) {
        // Client notes are keyed as client_request_param_<name>
        String name = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + forwardParameter.trim();
        String parameter = request.getAuthenticationSession().getClientNote(name);
        if (parameter != null && !parameter.isEmpty()) {
            // Appended to the external IdP's authorization URL under the original (unprefixed) name
            uriBuilder.queryParam(forwardParameter, parameter);
        }
    }
P.S: I'm using Keycloak 7.0.0.
I had the same issue with setting acr_values parameters in the authorization request. I resolved it by putting the parameter directly in the authorization endpoint path:
https://YOUR_DOMAIN/oauth/authorize?acr_values=MY_VALUES&
I didn't investigate much why the Forwarded Query Parameters setting didn't work as expected (I'm using Keycloak 14.0.0). Happy to see if someone gives some explanation later here.
Just in case anyone encounters this. As implemented in the source code, there is a maximum limit of 5 additional query params (declared as the constant ADDITIONAL_REQ_PARAMS_MAX_MUMBER) for the processing of additional query params.
The additional query params are excluded from the subset of declared known req params (KNOWN_REQ_PARAMS declared here).
Example:

    https://<domain>/openid-connect/auth?
        scope=xx
        &response_type=code
        &client_id=xxx
        &redirect_uri=xxx
        &state=xxx
        &addParam1=xx
        &addParam2=xx
        &addParam3=xx
        &addParam4=xx
        &addParam5=xx
        &addParam6=xx   (not processed)
        &addParam7=xx   (not processed)
Referring to the source code, the extractAdditionalReqParams method will only process up to addParam5 and stop afterwards.
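As an added example that is not part of this thread or of Keycloak's own code, the following Python models the two pieces of Keycloak behaviour quoted above: the forwarding loop from the question and the limit of 5 additional parameters from this answer. The hostnames and the KNOWN_REQ_PARAMS subset are constructed assumptions; the point it makes runnable is that the note lookup only ever sees parameters that were on Keycloak's own /openid-connect/auth request, and only the first five of them.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constant names and values as quoted on this page (from the Keycloak source);
# the known-parameter set is a constructed subset of Keycloak's KNOWN_REQ_PARAMS.
LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"
ADDITIONAL_REQ_PARAMS_MAX_MUMBER = 5
KNOWN_REQ_PARAMS = {"scope", "response_type", "client_id", "redirect_uri", "state", "nonce"}


def extract_additional_req_params(auth_request_url: str) -> dict:
    """Model of extractAdditionalReqParams: every query parameter of the
    /openid-connect/auth request that is not a known OIDC parameter becomes a
    client note keyed client_request_param_<name>, until the limit is reached."""
    notes = {}
    for name, value in parse_qsl(urlsplit(auth_request_url).query):
        if name in KNOWN_REQ_PARAMS:
            continue
        if len(notes) >= ADDITIONAL_REQ_PARAMS_MAX_MUMBER:
            break  # sixth and later additional parameters are silently dropped
        notes[LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + name] = value
    return notes


def build_external_idp_url(base_url: str, forward_parameters: str, notes: dict) -> str:
    """Model of the loop quoted in the question: for each name in the IdP's
    'Forwarded Query Parameters' setting, look up the prefixed client note and
    append it, unprefixed, to the external IdP authorization URL if non-empty."""
    forwarded = {}
    for raw in forward_parameters.split(","):
        param = raw.strip()
        value = notes.get(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + param) if param else None
        if value:
            forwarded[param] = value
    if not forwarded:
        return base_url
    sep = "&" if urlsplit(base_url).query else "?"
    return base_url + sep + urlencode(forwarded)


def demo() -> str:
    # Constructed /auth request (hostnames are placeholders): 'launch' is present on
    # Keycloak's own endpoint, followed by enough extras to exhaust the limit.
    auth_request = ("https://kc.example/realms/demo/protocol/openid-connect/auth"
                    "?client_id=app&response_type=code&scope=openid&state=s1"
                    "&redirect_uri=http://localhost:9090/sso/login"
                    "&launch=abc&p1=1&p2=2&p3=3&p4=4&p5=5")
    notes = extract_additional_req_params(auth_request)
    # 'launch' is forwarded; 'p5' was the sixth additional parameter, so it is not
    return build_external_idp_url("https://idp.example/authorize?client_id=kc", "launch, p5", notes)
```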