From 7ce46ccbe0f398b5d61591237ff1fceba873822e Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]"
 <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Tue, 21 Jan 2025 18:07:59 +0100
Subject: [PATCH] stages/redirect: fix query parameter when redirecting to flow
 (cherry-pick #12750) (#12752)

stages/redirect: fix query parameter when redirecting to flow (#12750)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
---
 authentik/stages/redirect/stage.py |  6 ++++--
 authentik/stages/redirect/tests.py | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/authentik/stages/redirect/stage.py b/authentik/stages/redirect/stage.py
index 9083af7dc782..2601d9aba817 100644
--- a/authentik/stages/redirect/stage.py
+++ b/authentik/stages/redirect/stage.py
@@ -20,7 +20,7 @@
     FlowPlanner,
 )
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import SESSION_KEY_PLAN, InvalidStageError
+from authentik.flows.views.executor import SESSION_KEY_GET, SESSION_KEY_PLAN, InvalidStageError
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.stages.redirect.models import RedirectMode, RedirectStage
 
@@ -72,7 +72,9 @@ def switch_flow_with_context(self, flow: Flow, keep_context=True) -> str:
         self.request.session[SESSION_KEY_PLAN] = plan
         kwargs = self.executor.kwargs
         kwargs.update({"flow_slug": flow.slug})
-        return reverse_with_qs("authentik_core:if-flow", self.request.GET, kwargs=kwargs)
+        return reverse_with_qs(
+            "authentik_core:if-flow", self.request.session[SESSION_KEY_GET], kwargs=kwargs
+        )
 
     def get_challenge(self, *args, **kwargs) -> Challenge:
         """Get the redirect target. Prioritize `redirect_stage_target` if present."""
diff --git a/authentik/stages/redirect/tests.py b/authentik/stages/redirect/tests.py
index 7b59fee87a0c..1a6f13ac6346 100644
--- a/authentik/stages/redirect/tests.py
+++ b/authentik/stages/redirect/tests.py
@@ -1,5 +1,7 @@
 """Test Redirect stage"""
 
+from urllib.parse import urlencode
+
 from django.urls.base import reverse
 from rest_framework.exceptions import ValidationError
 
@@ -58,6 +60,23 @@ def test_flow(self):
             response, reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
         )
 
+    def test_flow_query(self):
+        self.stage.mode = RedirectMode.FLOW
+        self.stage.save()
+
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+            + "?"
+            + urlencode({"query": urlencode({"test": "foo"})})
+        )
+
+        self.assertStageRedirects(
+            response,
+            reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
+            + "?"
+            + urlencode({"test": "foo"}),
+        )
+
     def test_override_static(self):
         policy = ExpressionPolicy.objects.create(
             name=generate_id(),