Double-encoding of query parameter values (e.g. acr_values) for version 26.4 #44125

@jhgojbis

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering

Describe the bug

Problem

uriBuilder.queryParam() already performs URL encoding.

Manually applying URLEncoder.encode(parameter, StandardCharsets.UTF_8) before calling it results in double encoding, where:

space → "+" → "%2B"

Affected method:

uriBuilder.queryParam(forwardParameter, URLEncoder.encode(parameter, StandardCharsets.UTF_8));

Reference (line of code):

uriBuilder.queryParam(forwardParameter, URLEncoder.encode(parameter, StandardCharsets.UTF_8));

Related commit that introduced the issue:
#41755

Take note: it was working in version 26.0

Version

26.4

Regression

  • The issue is a regression

Expected behavior

The URI component should only be encoded once.

Actual behavior

The URI component is encoded twice.

How to Reproduce?

Create an Identity Provider and add a forwarded query parameter; use a query parameter such as acr_values. You will notice that something like hello world turns into hello%2Bworld when it should be either + or %20.

Anything else?

Reference (line of code):

uriBuilder.queryParam(forwardParameter, URLEncoder.encode(parameter, StandardCharsets.UTF_8));

Related commit that introduced the issue:
#41755
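
The double encoding reported above, reproduced as an added example (not code from the issue or from the project): it shows what the receiving identity provider decodes in each case and includes a round-trip check suitable for a regression test. The `queryParam` helper is a hypothetical stand-in for `uriBuilder.queryParam()`, assumed, as the report states, to encode the value itself; the endpoint and sample values are constructed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class DoubleEncodingDemo {

    // Hypothetical stand-in for uriBuilder.queryParam(): like the builder in the
    // report, it encodes the value itself before appending it to the query string.
    static String queryParam(String base, String name, String value) {
        return base + "?" + name + "=" + URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // What the receiving identity provider sees after decoding the query value once.
    static String receivedValue(String url, String name) {
        String query = url.substring(url.indexOf('?') + 1);
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) {
                return URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String base = "https://idp.example/authorize"; // constructed sample endpoint
        String[] samples = {"hello world", "urn:example:acr:level 2"}; // constructed values

        for (String acr : samples) {
            // Pattern from the report: value encoded by the caller, then again by the builder.
            String twice = queryParam(base, "acr_values", URLEncoder.encode(acr, StandardCharsets.UTF_8));
            // Expected behavior: pass the raw value and let the builder encode it once.
            String once = queryParam(base, "acr_values", acr);

            System.out.println("double: " + twice + " -> received \"" + receivedValue(twice, "acr_values") + "\"");
            System.out.println("single: " + once + " -> received \"" + receivedValue(once, "acr_values") + "\"");

            // Round-trip check usable as a regression test: decode once, compare to the input.
            if (!acr.equals(receivedValue(once, "acr_values")))
                throw new AssertionError("single encoding broke the round trip");
            if (acr.equals(receivedValue(twice, "acr_values")))
                throw new AssertionError("double encoding unexpectedly round-tripped");
        }
    }
}
```

With double encoding the provider receives `hello+world` instead of `hello world`, so an exact-match comparison of the forwarded `acr_values` against its configured values would not match.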
