Skip to content

derive keycloak oauth redirect_uri from configured base url#69801

Merged
vincbeck merged 1 commit into
apache:mainfrom
Samin061:keycloak-oauth-redirect-uri-base-url
Jul 13, 2026
Merged

derive keycloak oauth redirect_uri from configured base url#69801
vincbeck merged 1 commit into
apache:mainfrom
Samin061:keycloak-oauth-redirect-uri-base-url

Conversation

@Samin061

Copy link
Copy Markdown
Contributor

The keycloak login and login_callback routes built the OAuth redirect_uri with request.url_for, which Starlette derives from the request Host; with the API server started under --proxy-headers it trusts every X-Forwarded-Host, so a request header can steer the callback URL that Keycloak sends the authorization code to. This derives the redirect_uri from the configured [api] base_url instead, mirroring the logout and post-login redirects already in this file, and only falls back to the request URL when base_url is unset.


Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

The login and login_callback routes built the OAuth redirect_uri from the request host, so behind --proxy-headers (where the API server trusts all X-Forwarded-Host) a request header could steer the callback URL that Keycloak sends the authorization code to. Use the configured [api] base_url instead, matching the logout and post-login redirects in the same file.
@vincbeck vincbeck merged commit 4fa9816 into apache:main Jul 13, 2026
79 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants