Bug: OmniAuth redirect_uri hardcoded to Tailscale hostname — public domain login fails #246

Closed
opened 2026-06-17 12:01:31 +00:00 by ldraney · 1 comment
Type

Bug

Lineage

Related to ldraney/landscaping-assistant #224 (config.hosts + Keycloak redirect URIs for public domain).

Repo

ldraney/landscaping-assistant

What Broke

When accessing the app via https://landscaping-assistant.app, clicking "Sign in" redirects to Keycloak with the wrong redirect_uri:

redirect_uri=https://landscaping-assistant.tail5b443a.ts.net/auth/keycloak/callback

Instead of:

redirect_uri=https://landscaping-assistant.app/auth/keycloak/callback

The Keycloak login page renders, credentials can be entered, but after authentication Keycloak redirects back to the Tailscale hostname — so the public domain session is never established. The user appears unauthenticated on landscaping-assistant.app.

Repro Steps

  1. Navigate to https://landscaping-assistant.app
  2. Click "Sign in"
  3. Observe: URL bar shows Keycloak auth URL with redirect_uri pointing to landscaping-assistant.tail5b443a.ts.net, not landscaping-assistant.app
  4. Enter valid credentials (e.g. lucas-super-admin / Test1234!)
  5. Observe: redirected to Tailscale hostname, public domain session not established

Expected Behavior

The OmniAuth redirect_uri should match the host the user is accessing from. When accessed via landscaping-assistant.app, the callback should be https://landscaping-assistant.app/auth/keycloak/callback.

Environment

  • Cluster/namespace: prod (landscaping-assistant namespace)
  • Accessed via: https://landscaping-assistant.app (public domain via Hetzner edge proxy)
  • Keycloak realm: landscaping
  • Keycloak client: landscaping-assistant

Root Cause (Likely)

The OmniAuth Keycloak initializer hardcodes the callback URL or base URL to the Tailscale hostname, so every request, whatever host it arrived on, advertises the Tailscale callback to Keycloak. It needs to resolve the base URL from the incoming request (the Host header, or X-Forwarded-Host from the edge proxy), for example via OmniAuth's full_host option, which accepts a lambda that receives the Rack env. Whatever does the resolving must only honour the hosts the app is legitimately served on (the public domain and the Tailscale hostname): the Host header is attacker-controlled, and Keycloak's valid_redirect_uris is the server-side backstop, not a reason to echo an arbitrary host into redirect_uri.

Acceptance Criteria

  • Accessing via landscaping-assistant.app produces redirect_uri with landscaping-assistant.app
  • Accessing via Tailscale hostname still works (no regression)
  • Keycloak client valid_redirect_uris includes https://landscaping-assistant.app/auth/keycloak/callback
  • Full login flow succeeds on public domain (session established, user identity visible)

Related

  • project-landscaping-assistant — project this affects
  • ldraney/landscaping-assistant #224 — config.hosts + Keycloak redirect URIs ticket (in validation)
  • ldraney/pal-e-platform #434 — Caddy reverse proxy config (in validation)
  • ldraney/landscaping-assistant #231 — HostAuthorization fix (done)
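The shape of the fix the Root Cause section asks for, as an added example that is not code from the landscaping-assistant repository: the hardcoded base URL beside a request-aware full_host resolver with a host allow-list, plus the redirect_uri that falls out of it. The environment variable name, the header names read, and the allow-list are assumptions for illustration; the two hostnames and the callback path are the ones in the ticket. Wire the resolver in as OmniAuth.config.full_host = ->(env) { resolve_full_host(env) } in config/initializers/omniauth.rb.

```ruby
require 'uri'

# Hosts this app is legitimately served on (assumed list for this example).
# The first entry is the canonical fallback for unknown or missing hosts.
ALLOWED_HOSTS = %w[
  landscaping-assistant.app
  landscaping-assistant.tail5b443a.ts.net
].freeze

CALLBACK_PATH = '/auth/keycloak/callback'.freeze

# Shape of the bug in the ticket (illustrative; the real variable name is not
# given): a fixed base URL whose fallback is the tailnet hostname, so every
# request, whatever Host it arrived on, sends the Tailscale callback to Keycloak.
def hardcoded_full_host(env_vars = {})
  env_vars.fetch('APP_BASE_URL', 'https://landscaping-assistant.tail5b443a.ts.net')
end

# Host the client actually addressed. X-Forwarded-Host is set by the edge proxy
# and may be a comma-separated chain (first hop is the client-facing host); fall
# back to the plain Host header. Case is normalised and any port is dropped.
def requested_host(env)
  raw = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST'] || env['SERVER_NAME'] || ''
  raw.split(',').first.to_s.strip.downcase.sub(/:\d+\z/, '')
end

# Request-aware replacement for the hardcoded value, usable as the lambda
# assigned to OmniAuth.config.full_host (OmniAuth calls it with the Rack env).
# Host headers are attacker-controlled, so a host is honoured only if it is on
# the allow-list; anything else falls back to the canonical public host, so
# redirect_uri can never point at an origin the attacker chose. The scheme is
# pinned to https because both registered Keycloak redirect URIs are https and
# the app sits behind a TLS-terminating proxy that may present it with http.
def resolve_full_host(env, allowed_hosts: ALLOWED_HOSTS)
  host = requested_host(env)
  host = allowed_hosts.first unless allowed_hosts.include?(host)
  "https://#{host}"
end

# The redirect_uri OmniAuth sends to Keycloak for this request
# (OmniAuth builds it as full_host + callback path).
def callback_url_for(env)
  URI.join(resolve_full_host(env), CALLBACK_PATH).to_s
end

if $PROGRAM_NAME == __FILE__
  # Constructed Rack env fragments standing in for real requests.
  samples = {
    'public domain'  => { 'HTTP_HOST' => 'landscaping-assistant.app' },
    'tailnet'        => { 'HTTP_HOST' => 'landscaping-assistant.tail5b443a.ts.net' },
    'via edge proxy' => { 'HTTP_X_FORWARDED_HOST' => 'landscaping-assistant.app, 10.0.0.5',
                          'HTTP_HOST' => 'landscaping-assistant-svc:3000' },
    'spoofed Host'   => { 'HTTP_HOST' => 'evil.example' }
  }
  samples.each do |label, env|
    puts "#{label.ljust(15)} before: #{hardcoded_full_host}#{CALLBACK_PATH}"
    puts "#{' ' * 15} after:  #{callback_url_for(env)}"
  end
end
```

Rails' HostAuthorization (config.hosts, ticket #231) rejects unknown hosts before this code runs, so the allow-list here is the second layer rather than the only one; keeping both means a misconfigured proxy cannot turn the redirect into an open redirector even if the middleware list changes.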
Comment by ldraney (Author, Owner)

Scope Review: READY

Review note: review-1478-2026-06-17

Ticket is well-scoped with verified file targets and complete traceability. Root cause confirmed: config/initializers/omniauth.rb line 28 hardcodes Tailscale hostname as ENV.fetch fallback default. All 4 acceptance criteria are concrete and agent-verifiable. Single-file fix, no decomposition needed. Ready for implementation.
