Hi.
We are currently trying to migrate all our CAS enabled applications to Keycloak using keycloak-protocol-cas provider. Among those applications we have an instance of MediaWiki. Being a Swedish organisation, many user-created pages contain non-ASCII characters in their title, and thus also in the URL. I.e. https://wiki.[org].se/wiki/Övervakning. If this is the first page a user accesses, they will be required to authenticate themselves and get redirected to Keycloak: https://keycloak.[org].se/realms/[realm]/protocol/cas/login?service=https%3a%2f%2fwiki.[org].se%2fwiki%2f%C3%96vervakning
The wiki handles authentication in Apache HTTPD using mod_auth_cas (snippet with relevant VHost configuration):
```
CASLoginURL https://keycloak.[org].se/realms/[realm]/protocol/cas/login
CASValidateSAML On
CASValidateURL https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate
```
Other requests to the same endpoint, without \xXX UTF-8 encoded characters, validate just fine.
The problem is how mod_auth_cas mixes encodings. The character Ö in the example above is encoded using \xXX-style encoding, whereas the rest of the URL uses %xx-style encoding. @jacekkow claims Keycloak, as in keycloak-protocol-cas-provider, is correct in returning HTTP Status 400, see: jacekkow/keycloak-protocol-cas#78. I agree with him. mod_auth_cas needs to be consistent in using %xx-style encoding of the URL.
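
A small diagnostic for the mixed encoding described in this issue, added here as an example and not code from mod_auth_cas or keycloak-protocol-cas: it reports which escape styles a logged `service` value contains and re-encodes it with `%XX` escapes only. It assumes the `\xXX` form appears as literal backslash-x escapes of the UTF-8 bytes; the host `wiki.example.se` and all function names are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote_to_bytes

# Assumption: "\xXX-style" means the literal characters backslash, x, two hex digits.
BACKSLASH_HEX = re.compile(r"\\x([0-9A-Fa-f]{2})")
PERCENT_HEX = re.compile(r"%[0-9A-Fa-f]{2}")


def encoding_styles(value: str) -> set:
    """Return the escape styles present in a service parameter value."""
    styles = set()
    if PERCENT_HEX.search(value):
        styles.add("percent")
    if BACKSLASH_HEX.search(value):
        styles.add("backslash-x")
    if any(ord(ch) > 0x7F for ch in value):
        styles.add("raw-non-ascii")
    return styles


def is_consistent(value: str) -> bool:
    """True when the value uses no escapes or %XX escapes only."""
    return encoding_styles(value) <= {"percent"}


def to_bytes(value: str) -> bytes:
    """Decode both escape styles down to the raw bytes of the URL."""
    # Rewrite \xXX as %XX so a single decoder handles every escape.
    unified = BACKSLASH_HEX.sub(lambda m: "%" + m.group(1), value)
    return unquote_to_bytes(unified)  # raw non-ASCII text is taken as UTF-8


def normalize_service(value: str) -> str:
    """Re-encode the service URL so every reserved byte is a %XX escape."""
    return quote(to_bytes(value), safe="")


if __name__ == "__main__":
    # Constructed sample: percent escapes for ':' and '/', backslash-x for 'Ö'.
    mixed = r"https%3a%2f%2fwiki.example.se%2fwiki%2f\xC3\x96vervakning"
    print(sorted(encoding_styles(mixed)), is_consistent(mixed))
    print(normalize_service(mixed))
```

A URL that legitimately contains the literal text `\x` followed by two hex digits would be misread by this check, so treat a hit as a prompt to inspect the request rather than as proof.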