platform(general): Double-Encode URI for RelayState Parameter

[SimOnPanw]

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

This pull request addresses an issue where the Identity Provider (IDP) was stripping information from the RelayState parameter if it was not double-encoded. The change ensures that the URI is correctly double-encoded before being passed as the RelayState parameter, thus preserving the full URI information.

Testing: Verified that the double-encoded URI is correctly passed as the RelayState parameter. Confirmed that the IDP retains the full information of the RelayState parameter without stripping any part of the URI.

Checklist:

• [x] My code follows the style guidelines of this project
• [x] I have performed a self-review of my own code
• [x] I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have added tests that prove my feature, policy, or fix is effective and works
• [x] New and existing tests pass locally with my changes
• [ ] Any dependent changes have been merged and published in downstream modules

[mikeurbanski1]

@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?

[SimOnPanw]

@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?

@mikeurbanski1, Yes, it used to work. I noticed some changes when we changed the landing pages from /project to /home/appsec/projects, but I could not pinpoint the issue at that moment. It was only when a customer raised the issue that we further troubleshot and discovered that Azure IDP was stripping information from the URL.

[mikeurbanski1]

@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?

@mikeurbanski1, Yes, it used to work. I noticed some changes when we changed the landing pages from /project to /home/appsec/projects, but I could not pinpoint the issue at that moment. It was only when a customer raised the issue that we further troubleshot and discovered that Azure IDP was stripping information from the URL.

Ok. I guess my concern here is whether this fix will be universal. I don't really have a way to test it and my memory for SSO flow details is weak.