Forward LOGIN_HINT of authentication session with identity-provider-redirector

Fixes keycloak#36396

Signed-off-by: Oliver Cremerius <antikalk@users.noreply.github.com>

services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java

@@ -75,7 +75,8 @@ public class IdentityProviderAuthenticator implements Authenticator {
     }
 
     protected void redirect(AuthenticationFlowContext context, String providerId) {
-        redirect(context, providerId, null);
+        String loginHint = context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM);
+        redirect(context, providerId, loginHint);
     }
 
     protected void redirect(AuthenticationFlowContext context, String providerId, String loginHint) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/AbstractDefaultIdpTest.java

@@ -134,6 +134,26 @@ public abstract class AbstractDefaultIdpTest extends AbstractInitializedBaseBrok
         assertEquals(expectedErrorMessageOnLoginScreen, UIUtils.getTextFromElement(errorElement));
     }
 
+    protected void testLoginHintForwarded() {
+        // Set the Default Identity Provider option to the remote IdP name
+        configureFlow(getBrokerConfiguration().getIDPAlias());
+
+        String username = "all-info-set@localhost.com";
+        String urlEncodedUsername = "all-info-set%40localhost.com";
+        createUser(bc.providerRealmName(), username, "password", "FirstName");
+
+        // Navigate to the auth page of consumer realm
+        oauth.realm(bc.consumerRealmName()).client("broker-app").loginForm().loginHint(username).open();
+
+        waitForPage(driver, "sign in to", true);
+
+        // Make sure we got redirected to the remote IdP (provider) automatically
+        Assert.assertTrue("Driver should be on the provider realm page right now",
+                driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
+        Assert.assertTrue("Provider page should contain login_hint parameter",
+                driver.getCurrentUrl().contains("login_hint=" + urlEncodedUsername));
+    }
+
     protected void configureFlow(String defaultIdpValue) {
         String newFlowAlias;
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerConfiguration.java

@@ -201,6 +201,7 @@ public class KcOidcBrokerConfiguration implements BrokerConfiguration {
         config.put("clientId", CLIENT_ID);
         config.put("clientSecret", CLIENT_SECRET);
         config.put("prompt", "login");
+        config.put("loginHint", "true");
         config.put(OIDCIdentityProviderConfig.ISSUER, getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME);
         config.put("authorizationUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/auth");
         config.put("tokenUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/token");

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcDefaultIdpTest.java

@@ -33,6 +33,12 @@ public class KcOidcDefaultIdpTest extends AbstractDefaultIdpTest {
         testDefaultIdpSetTriedAndReturnedError("Access denied when authenticating with kc-oidc-idp");
     }
 
+    // Issue 36396
+    @Test
+    public void testLoginHintIsForwarded() {
+        testLoginHintForwarded();
+    }
+
     @Override
     protected BrokerConfiguration getBrokerConfiguration() {
         return new KcOidcBrokerConfiguration();