Manipulate OpenID redirect-response with custom implementation

Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>

services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java

@@ -16,10 +16,10 @@
  */
 package org.keycloak.protocol.oidc;
 
-import static org.keycloak.protocol.oidc.grants.device.DeviceGrantType.approveOAuth2DeviceAuthorization;
+import jakarta.ws.rs.core.HttpHeaders;
-import static org.keycloak.protocol.oidc.grants.device.DeviceGrantType.denyOAuth2DeviceAuthorization;
+import jakarta.ws.rs.core.Response;
-import static org.keycloak.protocol.oidc.grants.device.DeviceGrantType.isOAuth2DeviceVerificationFlow;
+import jakarta.ws.rs.core.UriBuilder;
-
+import jakarta.ws.rs.core.UriInfo;
 import org.jboss.logging.Logger;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
@@ -43,6 +43,8 @@ import org.keycloak.protocol.LoginProtocol;
 import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker;
 import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
 import org.keycloak.protocol.oidc.utils.LogoutUtil;
+import org.keycloak.protocol.oidc.utils.OAuth2Code;
+import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
 import org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder;
 import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
 import org.keycloak.protocol.oidc.utils.OIDCResponseType;
@@ -55,8 +57,6 @@ import org.keycloak.services.clientpolicy.ClientPolicyException;
 import org.keycloak.services.clientpolicy.context.ImplicitHybridTokenResponse;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.AuthenticationSessionManager;
-import org.keycloak.protocol.oidc.utils.OAuth2Code;
-import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
 import org.keycloak.services.managers.ResourceAdminManager;
 import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.util.TokenUtil;
@@ -66,10 +66,9 @@ import java.net.URI;
 import java.util.Optional;
 import java.util.UUID;
 
-import jakarta.ws.rs.core.HttpHeaders;
+import static org.keycloak.protocol.oidc.grants.device.DeviceGrantType.approveOAuth2DeviceAuthorization;
-import jakarta.ws.rs.core.Response;
+import static org.keycloak.protocol.oidc.grants.device.DeviceGrantType.denyOAuth2DeviceAuthorization;
-import jakarta.ws.rs.core.UriBuilder;
+import static org.keycloak.protocol.oidc.grants.device.DeviceGrantType.isOAuth2DeviceVerificationFlow;
-import jakarta.ws.rs.core.UriInfo;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -282,7 +281,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
                 if (!clientConfig.isExcludeIssuerFromAuthResponse()) {
                     redirectUri.addParam(OAuth2Constants.ISSUER, clientSession.getNote(OIDCLoginProtocol.ISSUER));
                 }
-                return redirectUri.build();
+                return buildRedirectUri(redirectUri, authSession, userSession, clientSessionCtx, cpe, null);
             }
 
             AccessTokenResponse res = responseBuilder.build();
@@ -298,7 +297,35 @@ public class OIDCLoginProtocol implements LoginProtocol {
             }
         }
 
-        return redirectUri.build();
+        return buildRedirectUri(redirectUri, authSession, userSession, clientSessionCtx);
+    }
+
+    /**
+     * this method can be used in extension-implementations to the {@link OIDCLoginProtocol} to add additional
+     * parameters to the redirectUri after successful authentication and to store these e.g. in the clientSession
+     *
+     * @see https://github.com/keycloak/keycloak/issues/31086
+     */
+    public Response buildRedirectUri(OIDCRedirectUriBuilder redirectUriBuilder,
+                                     AuthenticationSessionModel authSession,
+                                     UserSessionModel userSession,
+                                     ClientSessionContext clientSessionCtx) {
+        return redirectUriBuilder.build();
+    }
+
+    /**
+     * this method can be used in extension-implementations to the {@link OIDCLoginProtocol} to add additional
+     * parameters to the redirectUri after failed authentication
+     *
+     * @see https://github.com/keycloak/keycloak/issues/31086
+     */
+    public Response buildRedirectUri(OIDCRedirectUriBuilder redirectUriBuilder,
+                                     AuthenticationSessionModel authSession,
+                                     UserSessionModel userSession,
+                                     ClientSessionContext clientSessionCtx,
+                                     Exception ex,
+                                     Error oidcError) {
+        return redirectUriBuilder.build();
     }
 
     // For FAPI 1.0 Advanced
@@ -324,7 +351,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
         // Remove authenticationSession from current tab
         new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession);
 
-        return redirectUri.build();
+        return buildRedirectUri(redirectUri, authSession, null, null, null, error);
     }
 
     private OIDCRedirectUriBuilder buildErrorRedirectUri(String redirect, String state, Error error) {
@@ -379,7 +406,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
 
         setupResponseTypeAndMode(clientData.getResponseType(), clientData.getResponseMode());
         OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(clientData.getRedirectUri(), clientData.getState(), error);
-        return redirectUri.build();
+        return buildRedirectUri(redirectUri, null, null, null, null, error);
     }
 
     private OAuth2ErrorRepresentation translateError(Error error) {