Problem decoding UTF-8 URI components #78

Closed
pereng opened this issue Apr 18, 2023 · 3 comments
Labels: resolution: invalid (This doesn't seem right), type: bug (Something isn't working)

pereng commented Apr 18, 2023

Hi.

We are currently trying to migrate all our CAS-enabled applications to Keycloak using the keycloak-protocol-cas provider. Among those applications we have an instance of MediaWiki. Being a Swedish organisation, many user-created pages contain non-ASCII characters in their title, thus also in the URL, i.e. https://wiki.[org].se/wiki/Övervakning. If this is the first page a user accesses, they will be required to authenticate themselves and get redirected to Keycloak: https://keycloak.[org].se/realms/[realm]/protocol/cas/login?service=https%3a%2f%2fwiki.[org].se%2fwiki%2f%C3%96vervakning

The wiki handles authentication in Apache HTTPD using mod_auth_cas (snippet with relevant VHost configuration):

CASLoginURL         https://keycloak.[org].se/realms/[realm]/protocol/cas/login
CASValidateSAML     On
CASValidateURL      https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate

<Location />
  AuthType CAS
  AuthName "CAS"
  CASScope /
  Require valid-user
</Location>

After successful authentication the user is redirected back to the wiki application, where the CAS ticket fails to validate. The following validation request gives HTTP Status 400 - Bad Request: https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate?TARGET=https%3a%2f%2fwiki.[org].se%2fwiki%2f\xc3\x96vervakning.
Keycloak logs: [org.keycloak.protocol.cas.endpoints.SamlValidateEndpoint] (executor-thread-93) Invalid SAML1.1 token Code not valid

Other requests to the same endpoint, without UTF-8 encoded characters, validate just fine.

My guess is that TARGET request parameter gets decoded wrong.

jacekkow (Owner) commented:
The validation URL is clearly invalid. Instead of:

https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate?TARGET=https%3a%2f%2fwiki.[org].se%2fwiki%2f\xc3\x96vervakning

it should read:

https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate?TARGET=https%3a%2f%2fwiki.[org].se%2fwiki%2f%c3%96vervakning

Note the different encoding: \xXX (invalid) vs %XX (valid). Isn't this invalid parameter generated by mod_auth_cas?

pereng (Author) commented Apr 18, 2023

Yes. The request is indeed generated by mod_auth_cas, v. 1.0.10 to be exact. We are migrating from Jasig CAS, aka Apereo CAS, and have had no previous problems such as these... I don't know how to configure mod_auth_cas to use %xx instead of \xXX encoding. I don't even think it is possible.

jacekkow (Owner) commented:
mod_auth_cas sends the following request line:

0000   47 45 54 20 2f 72 65 61 6c 6d 73 2f 6d 61 73 74   GET /realms/mast
0010   65 72 2f 70 72 6f 74 6f 63 6f 6c 2f 63 61 73 2f   er/protocol/cas/
0020   73 65 72 76 69 63 65 56 61 6c 69 64 61 74 65 3f   serviceValidate?
0030   73 65 72 76 69 63 65 3d 68 74 74 70 25 33 61 25   service=http%3a%
0040   32 66 25 32 66 31 37 32 2e 31 37 2e 30 2e 33 25   2f%2f172.17.0.3%
0050   32 66 c3 96 76 65 72 76 61 6b 6e 69 6e 67 2e 68   2f..vervakning.h
0060   74 6d 6c 26 74 69 63 6b 65 74 3d 53 54 2d 62 65   tml&ticket=ST-be
0070   31 31 39 61 39 65 2d 65 66 36 30 2d 34 35 66 37   119a9e-ef60-45f7
0080   2d 61 33 33 38 2d 66 30 35 37 35 38 35 66 32 61   -a338-f057585f2a
0090   39 64 2e 35 32 65 66 65 35 37 37 2d 36 39 64 61   9d.52efe577-69da
00a0   2d 34 36 39 33 2d 38 39 36 37 2d 38 66 38 61 34   -4693-8967-8f8a4
00b0   31 36 32 66 64 38 30 2e 65 65 63 64 37 39 65 30   162fd80.eecd79e0
00c0   2d 38 66 65 38 2d 34 33 63 39 2d 62 37 30 62 2d   -8fe8-43c9-b70b-
00d0   65 65 32 31 39 62 64 34 32 39 65 62 20 48 54 54   ee219bd429eb HTT
00e0   50 2f 31 2e 31 0d 0a                              P/1.1..

with bytes 0xC3 0x96 in the URL. This is an invalid request that is (correctly) rejected with "400 Bad Request". Please contact the authors of mod_auth_cas - it needs to be fixed there.
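As an added example (not code from the issue or from either project), the following Python reconstructs the request line from the hex dump above, flags the raw 0xC3 0x96 bytes that make a strict HTTP parser reject it, and shows the percent-encoded form that a parser accepts and decodes back to "Övervakning". The host, path and ticket are taken from the dump; the helper names are my own.

```python
from urllib.parse import parse_qs, urlsplit

# Request line reconstructed from the hex dump in the comment above. The bytes
# 0xC3 0x96 (UTF-8 for "Ö") are sent raw instead of percent-encoded.
RAW_REQUEST_LINE = (
    b"GET /realms/master/protocol/cas/serviceValidate?"
    b"service=http%3a%2f%2f172.17.0.3%2f\xc3\x96vervakning.html"
    b"&ticket=ST-be119a9e-ef60-45f7-a338-f057585f2a9d.52efe577-69da-4693-8967-"
    b"8f8a4162fd80.eecd79e0-8fe8-43c9-b70b-ee219bd429eb HTTP/1.1\r\n"
)


def find_raw_bytes(request_line: bytes) -> list[tuple[int, int]]:
    """Return (offset, byte) for every byte that may not appear in an HTTP
    request line: anything outside printable ASCII, the terminating CRLF
    excepted. A non-empty result is what earns the 400 Bad Request."""
    body = request_line.rstrip(b"\r\n")
    return [(i, b) for i, b in enumerate(body) if b < 0x20 or b > 0x7E]


def percent_encode_raw_bytes(request_line: bytes) -> bytes:
    """Repair the line by percent-encoding every non-ASCII byte as %XX.
    Existing escapes such as %2f are already ASCII and are left untouched."""
    return b"".join(
        bytes([b]) if b < 0x80 else f"%{b:02X}".encode("ascii")
        for b in request_line
    )


def decode_service_param(request_line: bytes) -> str:
    """Parse the request-target the way a strict ASCII parser does and return
    the decoded 'service' value. Raw non-ASCII bytes raise UnicodeDecodeError,
    mirroring the server-side rejection seen in the issue."""
    target = request_line.split(b" ")[1].decode("ascii")
    params = parse_qs(urlsplit(target).query, strict_parsing=True)
    return params["service"][0]


if __name__ == "__main__":
    print(find_raw_bytes(RAW_REQUEST_LINE))        # offsets of 0xC3 and 0x96
    fixed = percent_encode_raw_bytes(RAW_REQUEST_LINE)
    print(fixed.decode("ascii"))
    print(decode_service_param(fixed))             # http://172.17.0.3/Övervakning.html
```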

jacekkow closed this as not planned (won't fix, can't repro, duplicate, stale) Apr 18, 2023
jacekkow added the labels type: bug (Something isn't working) and resolution: invalid (This doesn't seem right) Apr 18, 2023