Labels: area/oidc (Indicates an issue on OIDC area)
Description
Before reporting an issue
- I have searched existing issues
- I have reproduced the issue with the latest nightly release
Area
core
Describe the bug
The OpenID Connect login is refused if the client redirect URI contains encoded curly brackets, even if it is correctly configured as a valid redirect URI in the Keycloak client configuration.
This was working fine at least until Keycloak 15.0.5.
Version
22.0.1
Expected behavior
Keycloak displays the login form for the specified realm/client.
Actual behavior
Error message:
We are sorry...
Invalid parameter: redirect_uri
How to Reproduce?
- Configure an OpenID Connect client with a redirect URI containing encoded curly braces, e.g. http://clienthost/%7B123%7D/
- Add http://clienthost/%7B123%7D/ as a valid Request URI in the Keycloak client configuration.
- Client will open this login request: https://keycloakhost/realms/.../protocol/openid-connect/auth?client_id=...&redirect_uri=http%3A%2F%2Flocalhost%2F%257B123%257D%2F&response_type=code&scope=openid&state=...&code_challenge=...&code_challenge_method=S256&response_mode=query
Anything else?
- Could reproduce this in Keycloak 20.0.5, 21.1.0 and 22.0.1.
- Maybe similar to "v20.0.2 attempts to URL decode same string up to 5 times for unclear reasons" #16851.
- When using the redirect URI http://clienthost/123/ (without encoded curly brackets) it works fine and the login form is displayed as expected.
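The following is an added illustration of the failure mode the report describes; it is not Keycloak's code. It models redirect_uri validation as an exact string match against the registered set (the simple string comparison required by RFC 6749 section 3.1.2.3; Keycloak's wildcard handling is deliberately left out, which is an assumption of this example). The registered URIs and the authorization request are constructed from the values in the report. Decoding the query-string value exactly once yields a URI that matches the registration; every further decoding round turns `%7B`/`%7D` into literal braces and the match fails, which is why a URI with no percent-encoded characters (http://clienthost/123/) is unaffected.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed: the client's registered redirect URIs, as in the issue's client configuration.
REGISTERED_REDIRECT_URIS = frozenset({
    "http://clienthost/%7B123%7D/",
    "http://clienthost/123/",
})

# Constructed: the authorization request from the report, with the redirect_uri
# percent-encoded once as a query-string value (so "%7B" becomes "%257B").
AUTH_REQUEST = (
    "https://keycloakhost/realms/demo/protocol/openid-connect/auth"
    "?client_id=demo-client"
    "&redirect_uri=http%3A%2F%2Fclienthost%2F%257B123%257D%2F"
    "&response_type=code&scope=openid&state=xyz"
)


def redirect_uri_from_request(auth_url: str) -> str:
    """Extract redirect_uri the way a correct query parser does: decoded exactly once.

    parse_qs percent-decodes each value a single time, so characters that the
    client legitimately encoded inside its URI (here %7B and %7D) survive intact.
    """
    params = parse_qs(urlsplit(auth_url).query, keep_blank_values=True)
    return params["redirect_uri"][0]


def decode_repeatedly(value: str, rounds: int) -> str:
    """Simulate repeated percent-decoding of an already-decoded value.

    Each extra round rewrites any remaining %XX sequence, so a URI that contains
    percent-encoded characters changes on the second round, while a URI with none
    is a fixed point and is unaffected.
    """
    for _ in range(rounds):
        value = unquote(value)
    return value


def is_valid_redirect_uri(candidate: str,
                          registered: frozenset = REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match validation; assumption: no wildcard or prefix matching."""
    return candidate in registered


def validate_request(auth_url: str, extra_decode_rounds: int = 0) -> tuple[str, bool]:
    """Return the redirect_uri as the server sees it and whether it passes validation.

    extra_decode_rounds=0 is the correct behaviour (single decode by the parser);
    larger values reproduce the effect of decoding the value again after parsing.
    """
    uri = redirect_uri_from_request(auth_url)
    uri = decode_repeatedly(uri, extra_decode_rounds)
    return uri, is_valid_redirect_uri(uri)


if __name__ == "__main__":
    for rounds in (0, 1, 2):
        uri, ok = validate_request(AUTH_REQUEST, rounds)
        print(f"extra decode rounds={rounds}: redirect_uri={uri!r} valid={ok}")
```

Running it shows `valid=True` for zero extra rounds (the server compares `http://clienthost/%7B123%7D/` with the registration) and `valid=False` once the value is decoded a second time, because `http://clienthost/{123}/` is a different string from what the client registered.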