Keycloak cannot handle special characters in password

Summary

I have noticed some deployment failures due to these two jobs (keycloak-add-client-scope/keycloak-add-realm-role), which are stalled.

Looking into the Keycloak logs I found the following error:

2025-04-16 02:07:56,990 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-2) Uncaught server error: java.lang.RuntimeException: Failed to decode URL p48tS!1mG%VBnWHT to UTF-8
	at org.jboss.resteasy.reactive.common.util.URLUtils.failedToDecodeURL(URLUtils.java:227)
	at org.jboss.resteasy.reactive.common.util.URLUtils.decode(URLUtils.java:161)
	at org.jboss.resteasy.reactive.common.util.URLUtils.decode(URLUtils.java:87)
	at org.jboss.resteasy.reactive.server.core.multipart.FormEncodedDataDefinition$FormEncodedDataParser.decodeParameterValue(FormEncodedDataDefinition.java:208)
	at org.jboss.resteasy.reactive.server.core.multipart.FormEncodedDataDefinition$FormEncodedDataParser.doParse(FormEncodedDataDefinition.java:184)
	at org.jboss.resteasy.reactive.server.core.multipart.FormEncodedDataDefinition$FormEncodedDataParser.parseBlocking(FormEncodedDataDefinition.java:237)

and I think it is trying to decode a URL-encoded string that it received in a request. Specifically, it failed to interpret the special strings as valid UTF-8.

This error occurred once we merged the new Vault policy for passwords, and it's not present in every deployment because the password is random (see MR !4095 (merged)).

Locally, when I noticed this issue, my password was 3Ytax%P%u@jZS00J, and trying to replicate the same actions as the jobs do, I got:

curl -k -s -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "username=admin" \
    -d "password=3Ytax%P%u@jZS00J" \
    -d "grant_type=password" \
    -d "client_id=admin-cli" \
    https://keycloak.sylva/realms/master/protocol/openid-connect/token
{"error":"unknown_error","error_description":"For more on this error consult the server log."}

A solution to handle it was to use the URL-encoded version of each special character (%: %25, @: %40).

curl -k -s -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "username=admin" \
    -d "password=3Ytax%25P%25u%40jZS00J" \
    -d "grant_type=password" \
    -d "client_id=admin-cli" \
    https://keycloak.sylva/realms/master/protocol/openid-connect/token | jq .
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrcnVYelNlTXpVWldrMjVVdzJhVkJHQnBOdHpJQkctelhSdDJYRDlZYzJNIn0.eyJleHAiOjE3NDQ4MDM3NDUsImlhdCI6MTc0NDgwMzY4NSwianRpIjoiNjkwNWI3MTAtM2JiOS00Zjk4LWE5MmUtNDVlNWYwOWIwYzU2IiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5zeWx2YS9yZWFsbXMvbWFzdGVyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwic2lkIjoiYWI2NTczNTQtNzBiNy00Njg5LWFhZTUtOGNhNmVjNzI3YzdlIiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIn0.zMzEvO_enWOVNLeKv0Z5cNK3g2v3tJoAwksN49X_2zZHjbRJe0cEJvlGKL4ZM3NSg-IcxcHw07owSixspYkJHkEzL7xPUNs84p6A3W4FggTJTSUJkUsDi7xUdo0ZGOM8wgyfLhGX0E78IG6t5amBGbRUAe1OJGz4a9x1sWpi5qhPHGqgCQAUWDpX7ZLxD-lskBTUeCt_FdKga0RcOdGk5uYl0n5wYkXUrtOxSBMTjCOtY_V931p7mrBYXBZA0a4XECOBhNRWIjXhmmWJoUX0LqpTs2Km5keuKwKR1n79JTROCJKz6tutFWmC47xr4NN5-cy14ke-UE6uG4YFaGmCLQ",
  "expires_in": 60,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI1NzdmZDg2ZC04YTlkLTRjMDgtYjJmMy0xYzgyYTI4Mzg1ZTUifQ.eyJleHAiOjE3NDQ4MDU0ODUsImlhdCI6MTc0NDgwMzY4NSwianRpIjoiODM2YmM0ZmMtMTM0YS00ZmIxLTgzYjMtNjAyM2MyYWQ1ZTBkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5zeWx2YS9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiaHR0cHM6Ly9rZXljbG9hay5zeWx2YS9yZWFsbXMvbWFzdGVyIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImFkbWluLWNsaSIsInNpZCI6ImFiNjU3MzU0LTcwYjctNDY4OS1hYWU1LThjYTZlYzcyN2M3ZSIsInNjb3BlIjoid2ViLW9yaWdpbnMgcHJvZmlsZSByb2xlcyBiYXNpYyBlbWFpbCBhY3IifQ.vIlafbxP_4MfsXr1BOy53M6dHQRzXWJw7WPJkcof-4RbGNkJpcLuMnJgHD2ria0zFjiQj8xVpNvfssA0F0pw-g",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "ab657354-70b7-4689-aae5-8ca6ec727c7e",
  "scope": "profile email"
}

cc: @tmmorin @pseite

related references

https://gitlab.com/sylva-projects/sylva-core/-/jobs/9733990298

https://gitlab.com/sylva-projects/sylva-core/-/jobs/9734274498

https://gitlab.com/sylva-projects/sylva-core/-/jobs/9732596425

https://gitlab.com/sylva-projects/sylva-core/-/jobs/9732618145

Details

Edited Apr 16, 2025 by Bogdan Antohe
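
The encoding fix described in this issue, as an added example that is not part of the original issue or of the sylva-core jobs. It generalizes the manual %25/%40 substitution to every reserved byte; the function names are hypothetical, and the -k flag from the issue is left out.

```shell
#!/bin/sh
# Added example, not sylva-core code; all function names are hypothetical.

# Percent-encode every byte outside the RFC 3986 unreserved set so the value
# survives application/x-www-form-urlencoded parsing unchanged.
form_urlencode() (
    LC_ALL=C                      # byte-wise matching; subshell body keeps it local
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}               # everything after the first byte
        c=${s%"$rest"}            # the first byte
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) hex=$(printf '%s' "$c" | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F')
               out="$out%$hex" ;;
        esac
        s=$rest
    done
    printf '%s\n' "$out"
)

# Exit 0 when the raw value holds a "%" not followed by two hex digits, the
# malformed escape behind "Failed to decode URL ... to UTF-8" in the log.
decode_would_fail() {
    case $1 in
        *%[!0-9A-Fa-f]*|*%?[!0-9A-Fa-f]*|*%|*%?) return 0 ;;
    esac
    return 1
}

# Token request from the issue with curl doing the encoding (defined, not called).
# $1 is the raw admin password; use --cacert for a private CA instead of -k.
keycloak_admin_token() {
    curl -s -X POST \
        --data-urlencode "username=admin" \
        --data-urlencode "password=$1" \
        --data-urlencode "grant_type=password" \
        --data-urlencode "client_id=admin-cli" \
        https://keycloak.sylva/realms/master/protocol/openid-connect/token
}

# The two passwords quoted in the issue.
for pw in 'p48tS!1mG%VBnWHT' '3Ytax%P%u@jZS00J'; do
    decode_would_fail "$pw" && printf 'raw value rejected by form parser: %s\n' "$pw"
    printf 'encoded: %s\n' "$(form_urlencode "$pw")"
done
```

A raw password that passes decode_would_fail is still not safe to send with -d: a valid-looking escape such as %41, or a +, & or =, is decoded or split by the server without an error and yields a different password, so the value should always be encoded.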