Username lookup fails with hash (#) symbols (using the User Storage SPI) #17900

@barthelch

Description

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

storage

Describe the bug

Environment: Keycloak v20.0.1 [0], Debian 11, openjdk 17.0.4
Settings: 'keycloak' theme (the old theme, not the keycloak v2 one)

Problem description: We are currently working on a Custom User Storage Provider (following this description [1]). During development, we noticed an unexpected behavior concerning some usernames.

The username consists of two parts separated by a # symbol. Example: first12#second34.

Version

20.0.1

Expected behavior

I would expect a successful (admin-) lookup for usernames with # symbols (example: first12#second34).

Actual behavior

It is possible to successfully log in with usernames containing a # symbol, but the username is not found within the admin lookup interface.
(found at Keycloak > Users > Search for 'first12#second34' > click on the ID column).

See the keycloak2.png image with the Resource not found error page below.

How to Reproduce?

  1. create and build the custom user provider, add it to the ~/providers directory within the keycloak installation
  2. Run keycloak: bin/kc.sh build && bin/kc.sh start-dev
  3. Create a realm and add the custom provider to the keycloak instance
  4. Search for the username first12#second34
  5. Click on the ID field with the URL: http://127.0.0.1:8080/admin/master/console/#/realms/test/users/f:123..$KeycloakID..:first12#second34
    (image keycloak1.png)
  6. This will open a Resource not found page with the URL: http://127.0.0.1:8080/admin/master/console/#/notfound#second34
    (image keycloak2.png)

The logging output of the attached user SPI:

2022-12-12 13:14:44,139 INFO  [com.foobar.dbuserprovider.DBUserStorageProvider]  Constructor
2022-12-12 13:14:44,139 INFO  [com.foobar.dbuserprovider.DBUserStorageProvider]  getUserByUsername():  username=first12, exteranlId=first12
2022-12-12 13:14:44,140 INFO  [com.foobar.dbuserprovider.DBUserStorageProvider]  close()

Anything else?

Questions:

  • Regarding the output of the custom SPI: it looks like the getUserByUsername() method only receives the first part of the
    compound username (first12). Therefore, the lookup fails because no such user exists.
    Why is Keycloak not sending the entire username to the getUserByUsername() method?
  • Is the hash symbol interpreted as an HTML anchor symbol? (see also keycloak2.png, the second part is appended to the URL)
    Do I have to "escape" it somehow at some point in time?
    (When and where?)
  • When I am using the Keycloak v2 Theme and try to search for the
    first12#second34 user, I get this error message:
  Danger alert:Cannot include a '#' character in a manually specified `to.pathname` field [{"pathname":"/test/users/f:48d8b6cd-71d7-4bf4-8a5c-d18cdf31e482:first12#second34/settings"}]. Please separate it out to the `to.hash` field. Alternatively you may provide the full path as a string in <Link to="..."> and the router will parse it for you.

I am not sure where I can find further information about the to.hash field.
Is it something I can control within my Java extension?

Attachments: I have attached a minimal example (a Custom User Storage provider with a single username first12#second34, see DBUserStorageProvider.java and DBUserStorageProviderFactory.java) and two images showing the lookup list and the error message.

User Lookup Overview: (keycloak1.png)

Error message when clicking on the ID URL: (keycloak2.png)
DBUserStorageProvider.java.txt
DBUserStorageProviderFactory.java.txt

[0] https://github.com/keycloak/keycloak/releases/download/20.0.1/keycloak-20.0.1.tar.gz
[1] https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
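The following is an added example, not code from the report or from Keycloak itself. It models what the report's URLs show: the admin console is hash-routed, so the part of the URL after the first # is itself parsed like a path, and a second, unencoded # inside the user id ends the path segment early. The federated id format f:<componentId>:<externalId> and the id 48d8b6cd-... are taken from the report; the router model (fragment split at the next # or ?) is a simplification assumed here, and the helper names are made up for illustration. The point it demonstrates is that percent-encoding the id segment lets the full username round-trip.

```javascript
// Added example (not Keycloak code): why an unencoded '#' in a federated user id
// truncates the id in a hash-routed admin-console URL, and how encoding fixes it.

const CONSOLE_BASE = 'http://127.0.0.1:8080/admin/master/console/'; // base from the report

// Naive link: the raw user id is dropped straight into the hash route.
function naiveUserUrl(realm, userId) {
  return `${CONSOLE_BASE}#/realms/${realm}/users/${userId}`;
}

// Safe link: every path segment is percent-encoded, so ':' becomes %3A and '#' becomes %23.
function encodedUserUrl(realm, userId) {
  return `${CONSOLE_BASE}#/realms/${encodeURIComponent(realm)}/users/${encodeURIComponent(userId)}`;
}

// Simplified hash router (assumption): the text after the first '#' is treated as a
// mini-URL, so its pathname ends at the next '?' or '#'. This is what turns
// ".../first12#second34" into a path ending in "first12" plus a nested hash "second34".
function routerPathname(url) {
  const i = url.indexOf('#');
  const fragment = i === -1 ? '' : url.slice(i + 1);
  return fragment.split('#')[0].split('?')[0];
}

// Pull the user-id segment out of "/realms/<realm>/users/<id>[/...]" and decode it.
function userIdFromPath(pathname) {
  const m = pathname.match(/^\/realms\/[^/]+\/users\/([^/]+)/);
  return m ? decodeURIComponent(m[1]) : null;
}

// Split a federated storage id "f:<componentId>:<externalId>". Only the first ':' after
// the "f:" prefix separates the two parts, so an external id may itself contain ':'.
function parseStorageId(id) {
  if (!id.startsWith('f:')) return { componentId: null, externalId: id }; // local (non-federated) user
  const rest = id.slice(2);
  const sep = rest.indexOf(':');
  if (sep === -1) throw new Error(`malformed storage id: ${id}`);
  return { componentId: rest.slice(0, sep), externalId: rest.slice(sep + 1) };
}

// Run both variants for the id from the report and return the external id each yields.
function demo() {
  const userId = 'f:48d8b6cd-71d7-4bf4-8a5c-d18cdf31e482:first12#second34';
  const naive = parseStorageId(userIdFromPath(routerPathname(naiveUserUrl('test', userId))));
  const encoded = parseStorageId(userIdFromPath(routerPathname(encodedUserUrl('test', userId))));
  return { naive: naive.externalId, encoded: encoded.externalId };
}

console.log(demo()); // naive yields "first12", encoded yields "first12#second34"
```

The naive link is what produces a lookup for "first12": the router never hands the provider the text after the second #. The encoding has to happen where the link is generated (the console, in JavaScript), not inside the Java provider, which only ever sees the already-truncated id.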
