Adding custom Query Paramater to the Authorization End Point - Keycloak Login Page URL

[saravanad]

Hi @ch4mpy ,

Is it possible to add custom Query parameter to the Authentication End Point. The Default URL that is redirected to is shown below

https://XXXX/realms/YYYY/protocol/openid-connect/auth?response_type=code&client_id=spring-addons-confidential&scope=openid%20profile%20email%20offline_access%20roles&state=IdByTBp-14_B5iUxIaHEGZovpbxjriXeUyIG7bCeoB4%3D&redirect_uri=https://XXXX/login/oauth2/code/XXXX&nonce=YJxES6LxOgm419DLtvXDl1aSILbb_BvjI5V4mcWK2PY

We would like to add another custom query parameter for example ZZZZ with value temp

https://XXXX/realms/YYYY/protocol/openid-connect/auth?response_type=code&client_id=spring-addons-confidential&scope=openid%20profile%20email%20offline_access%20roles&state=IdByTBp-14_B5iUxIaHEGZovpbxjriXeUyIG7bCeoB4%3D&redirect_uri=https://XXXX/login/oauth2/code/XXXX&nonce=YJxES6LxOgm419DLtvXDl1aSILbb_BvjI5V4mcWK2PY**&ZZZZ=temp**

Any pointers on how to achieve this will be really appreciated.

Thanks in advance for your support.

Saravana

[ch4mpy]

What is the use case? What is this parameter used for?

[saravanad]

The parameter is used to auto redirect keycloak to external IDP when keycloak is acting as Identity Broker. The parameter name is kc_idp_hint

[ch4mpy]

Mostly follow Spring Security official documentation:

If the value is static, setting it in spring.security.oauth2.client.provider.{provider-id}.authorization-uri property should work. Something like:spring.security.oauth2.client.provider.keycloak.authorization-uri=https://localhost:8443/realms/master/protocol/openid-connect/auth?kc_idp_hint=google.

If you want it to be dynamic, then expose your own OAuth2AuthorizationRequestResolver bean, spring-addons will pick it. You might use SpringAddonsOAuth2AuthorizationRequestResolver as base class (extend it), but you don't have to.

[saravanad]

Thanks @ch4mpy . It worked.

[ch4mpy]

@saravanad I don't know if you noticed that, but since 6.1.15, there is an application property which covers your use case (no need to define a custom OAuth2AuthorizationRequestResolver anymore, spring-addons default one is enough):

com:
  c4-soft:
    springaddons:
      oidc:
        client:
          authorization-request-params:
            keycloak:
            - name: kc_idp_hint
              value: google
            - name: ZZZZ
              value: temp

where keycloak is a registration ID in your boot conf:

spring:
  security:
    oauth2:
      client:
        provider:
          keycloak-provider:
            issuer-uri: ${keycloak-issuer}
        registration:
          keycloak:
            authorization-grant-type: authorization_code
            client-id: ${keycloak-client-id}
            client-secret: ${keycloak-secret}
            provider: keycloak-provider
            scope: 
            - openid
            - profile
            - email
            - offline_access

If this works for you, would you kindly mark this as answer?

[saravanad]

Thanks @ch4mpy for the update