
WEBLATE_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL can't have query parameters #13153

Open
2 tasks done
oliverrahner opened this issue Nov 29, 2024 · 2 comments

Comments

@oliverrahner
Contributor

Describe the issue

For some processes (in my case, I wanted to add the kc_idp_hint parameter) one must add static query parameters to the OAuth Authorization URL.
Other solutions (Grafana for example) combine the URL provided for authorization correctly.
Weblate does not.

Weblate appends the parameters required for the authorization process statically as ?param=value&..., no matter whether a query parameter is already present.
Other solutions (e.g. Grafana, to name one) correctly detect the presence of query parameters and instead append their parameters via &param=value&....

So, when I provide the authorization URL such as

https://id.example.com/realms/example/protocol/openid-connect/auth?kc_idp_hint=upstream_idp

I'll be redirected to

https://id.example.com/realms/example/protocol/openid-connect/auth?kc_idp_hint=upstream_idp?client_id=weblate&redirect_uri=https://weblate.example.com/accounts/complete/keycloak/&state=oZtmPIV6DVmT0BJUnX7UChSOY1gswDgh&response_type=code
                                                                  ^                        ^

instead of

https://id.example.com/realms/example/protocol/openid-connect/auth?kc_idp_hint=upstream_idp&client_id=weblate&redirect_uri=https://weblate.example.com/accounts/complete/keycloak/&state=oZtmPIV6DVmT0BJUnX7UChSOY1gswDgh&response_type=code
                                                                  ^                        ^

I already tried

  • I've read and searched the documentation.
  • I've searched for similar filed issues in this repository.

Steps to reproduce the behavior

  1. In a docker-compose file, add the following env for enabling OAuth (plus all the other envs required for OAuth config):
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: https://id.example.com/realms/example/protocol/openid-connect/auth?kc_idp_hint=upstream_idp
  2. Try to log in with this provider
  3. Notice that the URL you're redirected to contains two ?

Expected behavior

Query parameters should be correctly appended

Screenshots

No response

Exception traceback

No response

How do you run Weblate?

Docker container

Weblate versions

  • Weblate: 5.4.2
  • Django: 4.2.10
  • siphashc: 2.4.1
  • translate-toolkit: 3.12.2
  • lxml: 5.1.0
  • pillow: 10.2.0
  • nh3: 0.2.15
  • python-dateutil: 2.8.2
  • social-auth-core: 4.5.3
  • social-auth-app-django: 5.4.0
  • django-crispy-forms: 2.1
  • oauthlib: 3.2.2
  • django-compressor: 4.4
  • djangorestframework: 3.14.0
  • django-filter: 23.5
  • django-appconf: 1.0.6
  • user-agents: 2.2.0
  • filelock: 3.13.1
  • rapidfuzz: 3.6.1
  • openpyxl: 3.1.2
  • celery: 5.3.6
  • django-celery-beat: 2.5.0
  • kombu: 5.3.5
  • translation-finder: 2.16
  • weblate-language-data: 2024.3
  • html2text: 2020.1.16
  • pycairo: 1.26.0
  • PyGObject: 3.46.0
  • diff-match-patch: 20230430
  • requests: 2.31.0
  • django-redis: 5.4.0
  • hiredis: 2.3.2
  • sentry-sdk: 1.40.5
  • Cython: 3.0.8
  • misaka: 2.1.1
  • GitPython: 3.1.42
  • borgbackup: 1.2.7
  • pyparsing: 3.1.1
  • ahocorasick_rs: 0.22.0
  • python-redis-lock: 4.0.0
  • charset-normalizer: 3.3.2
  • Python: 3.12.2
  • Git: 2.39.2
  • psycopg: 3.1.18
  • psycopg-binary: 3.1.18
  • phply: 1.2.6
  • ruamel.yaml: 0.18.6
  • tesserocr: 2.6.2
  • boto3: 1.34.47
  • zeep: 4.2.1
  • aeidon: 1.13
  • iniparse: 0.5
  • mysqlclient: 2.2.4
  • Mercurial: 6.6.3
  • git-svn: 2.39.2
  • git-review: 2.3.1
  • PostgreSQL server: 14.11
  • Database backends: django.db.backends.postgresql
  • PostgreSQL implementation: psycopg3 (binary)
  • Cache backends: default:RedisCache, avatar:FileBasedCache
  • Email setup: django.core.mail.backends.smtp.EmailBackend: smtp.eu.mailgun.org
  • OS encoding: filesystem=utf-8, default=utf-8
  • Celery: redis://cache:6379/1, redis://cache:6379/1, regular
  • Platform: Linux 5.15.0-113-generic (x86_64)

Weblate deploy checks

System check identified some issues:

WARNINGS:
?: (security.W018) You should not have DEBUG set to True in deployment.

INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
        HINT: https://docs.weblate.org/en/weblate-5.4.2/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
        HINT: https://docs.weblate.org/en/weblate-5.4.2/admin/backup.html
?: (weblate.I031) New Weblate version is available, please upgrade to 5.8.4.
        HINT: https://docs.weblate.org/en/weblate-5.4.2/admin/upgrade.html

Additional context

No response

@nijel
Member

nijel commented Nov 29, 2024

Indeed the question mark is directly appended:

https://github.com/python-social-auth/social-core/blob/505ce601fd35d921f8814ccca007113319959c13/social_core/backends/oauth.py#L280

The proper way to do this in python-social-auth would be:

SOCIAL_AUTH_KEYCLOAK_AUTH_EXTRA_ARGUMENTS = {"kc_idp_hint": "upstream_idp"}

You can specify this manually in settings-override.py, see https://docs.weblate.org/en/latest/admin/install/docker.html#overriding-settings-from-the-data-volume.
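The merge the report asks for, as an added example that is neither Weblate's nor social-core's code: naive_auth_url reproduces the unconditional "?" the report describes, while merged_auth_url parses the configured endpoint first so a static parameter such as kc_idp_hint survives next to the OAuth parameters. The OAuth parameter values, including the state, are constructed samples.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The configured authorization endpoint from the report; it already carries a
# static query parameter (kc_idp_hint).
AUTHORIZATION_URL = (
    "https://id.example.com/realms/example/protocol/openid-connect/auth"
    "?kc_idp_hint=upstream_idp"
)

# Constructed sample of the parameters the OAuth flow adds on redirect; the
# state value is a placeholder, not a real token.
OAUTH_PARAMS = {
    "client_id": "weblate",
    "redirect_uri": "https://weblate.example.com/accounts/complete/keycloak/",
    "state": "EXAMPLE_STATE",
    "response_type": "code",
}


def naive_auth_url(base_url: str, params: dict) -> str:
    """The behaviour the report describes: '?' is appended unconditionally,
    so a base URL that already has a query string ends up with two '?' and
    the static parameter's value is corrupted."""
    return base_url + "?" + urlencode(params)


def merged_auth_url(base_url: str, params: dict) -> str:
    """Merge the flow's parameters into the query string the configured
    endpoint already carries, preserving static parameters like kc_idp_hint.

    Protocol parameters win over same-named static ones: a configured URL is
    not allowed to override redirect_uri or state (a design choice assumed
    here, not something the page specifies).
    """
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(params)
    return urlunsplit(parts._replace(query=urlencode(query)))


def query_of(url: str) -> dict:
    """The decoded query string of a URL as a dict, for inspection."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
```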

@oliverrahner
Contributor Author

Thanks for the hint! I didn’t think about this being an upstream issue.
I still find it non-intuitive, mostly compared to other solutions (I went through all of our OAuth connected tools yesterday to add this setting, and managed to do it for all others without looking at docs). But then that’s an issue to be raised upstream.
Should we close this here?
