Fix OIDC token exchange behind HTTPS reverse proxy (#162)

* Initial plan * Fix OIDC callback URL construction for HTTPS reverse proxy - Replace hardcoded http:// URL with OIDC_REDIRECT_URI from environment - Build complete callback URL with query parameters for proper validation - Fixes token exchange 401 errors when running behind HTTPS reverse proxy Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com> * Update OIDC_REDIRECT_URI documentation to clarify full URL requirement Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com> * fix: format oidc.ts to pass biome check --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com> Co-authored-by: Daniel Volz <mail@danielvolz.org>
2026-02-13 18:29:33 +01:00
parent 38f3533dd9
commit 0b0472f2f5
3 changed files with 16 additions and 10 deletions
@@ -144,17 +144,17 @@ export async function oidcRoutes(app: FastifyInstance) {

 			try {
 				const config = await getOIDCConfig();
-				const _redirectUri = env.OIDC_REDIRECT_URI!;
+				const redirectUri = env.OIDC_REDIRECT_URI!;

 				// Exchange code for tokens
-				const tokens = await client.authorizationCodeGrant(
-					config,
-					new URL(request.url, `http://${request.headers.host}`),
-					{
-						pkceCodeVerifier: storedVerifier.value,
-						expectedState: state,
-					}
-				);
+				// Build complete callback URL with query parameters for validation
+				const callbackUrl = new URL(redirectUri);
+				callbackUrl.search = new URLSearchParams(request.query as Record<string, string>).toString();
+
+				const tokens = await client.authorizationCodeGrant(config, callbackUrl, {
+					pkceCodeVerifier: storedVerifier.value,
+					expectedState: state,
+				});

 				// Get user info
 				const sub = tokens.claims()?.sub;