OmniAuth sends no redirect_uri to Keycloak — login broken #166

Closed
opened 2026-06-07 20:01:16 +00:00 by ldraney · 0 comments
Owner

Type

Bug

Lineage

Regression from PR #161 (OmniAuth restore after ROPC revert). The original PR #134 likely had the same bug but wasn't caught because Keycloak may have had looser validation at that time.

Repo

ldraney/landscaping-assistant

What Broke

Clicking "Sign In" redirects to Keycloak with no redirect_uri parameter. Keycloak returns 400: "Invalid parameter: redirect_uri". Login is completely broken on both prod and dev.

The omniauth_openid_connect gem (v0.8.0) does NOT auto-derive redirect_uri from the request — when client_options.redirect_uri is nil, it sends nil to the OIDC client, which omits the parameter entirely.

Repro Steps

  1. Navigate to https://landscaping-assistant.tail5b443a.ts.net/login
  2. Click "Sign In"
  3. Observe: Keycloak error page "Invalid parameter: redirect_uri"

Expected Behavior

Keycloak should show the login form. The redirect_uri should be https://landscaping-assistant.tail5b443a.ts.net/auth/keycloak/callback.

Environment

  • Cluster/namespace: prod (landscaping-assistant) and dev (docker-compose)
  • Service version/commit: current main
  • Related alerts: none

Acceptance Criteria

  • Clicking "Sign In" on prod shows Keycloak login form
  • Clicking "Sign In" on dev shows Keycloak login form
  • Login completes successfully with test users on both environments
  • redirect_uri parameter present in Keycloak authorization URL

Related

  • project-landscaping-assistant — main project
  • ldraney/landscaping-assistant #161 — OmniAuth restore PR
  • Pattern: matches pal-enterprises approach (explicit APP_URL env var)
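
One way to check the last acceptance criterion, as an added example that is not code from this repository: derive the callback from an explicit `APP_URL` so a missing value fails loudly instead of becoming `nil`, then inspect an authorization URL for the `redirect_uri` parameter. The helper names `callback_uri` and `check_authorization_url` are hypothetical, and the Keycloak host, realm and client id in the sample URLs are constructed placeholders.

```ruby
require "uri"

CALLBACK_PATH = "/auth/keycloak/callback" # callback path stated in the issue

# Build the explicit redirect_uri from APP_URL (env var name taken from the issue).
# Raises instead of returning nil, so a missing setting fails at boot rather than
# producing an authorization request with no redirect_uri.
def callback_uri(app_url)
  raise ArgumentError, "APP_URL is not set" if app_url.nil? || app_url.strip.empty?
  base = URI.parse(app_url.strip)
  unless base.is_a?(URI::HTTP) && base.host
    raise ArgumentError, "APP_URL must be an absolute http(s) URL"
  end
  raise ArgumentError, "APP_URL must not carry a query or fragment" if base.query || base.fragment
  base.path = base.path.chomp("/") + CALLBACK_PATH
  base.to_s
end

# Inspect an authorization URL (for example the Location header returned after
# clicking "Sign In") and report the state of its redirect_uri parameter.
def check_authorization_url(auth_url, expected)
  params = URI.decode_www_form(URI.parse(auth_url).query.to_s)
  values = params.select { |key, _| key == "redirect_uri" }.map(&:last)
  return :missing if values.empty?
  return :duplicated if values.size > 1
  values.first == expected ? :ok : :mismatch
end

# The value that would be assigned to client_options.redirect_uri.
EXPECTED = callback_uri("https://landscaping-assistant.tail5b443a.ts.net")

# Constructed sample URLs (placeholder Keycloak host, realm and client id).
BROKEN_URL = "https://keycloak.example.test/realms/example/protocol/openid-connect/auth" \
             "?client_id=example-client&response_type=code&scope=openid"
FIXED_URL = BROKEN_URL + "&redirect_uri=" + URI.encode_www_form_component(EXPECTED)

puts "broken: #{check_authorization_url(BROKEN_URL, EXPECTED)}"
puts "fixed:  #{check_authorization_url(FIXED_URL, EXPECTED)}"
```
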