Fix OmniAuth redirect_uri for Keycloak login #167

Merged
ldraney merged 1 commit from fix/redirect-uri into main 2026-06-07 20:03:41 +00:00
Owner

Summary

  • omniauth_openid_connect v0.8.0 does NOT auto-derive redirect_uri — setting it to nil omits the param entirely
  • Keycloak returns 400 "Invalid parameter: redirect_uri", breaking login on both prod and dev
  • Set redirect_uri explicitly using APP_URL env var (defaults to prod URL), matching pal-enterprises pattern

Changes

  • config/initializers/omniauth.rb: replace redirect_uri: nil with explicit URL built from APP_URL env var
  • .env.example: add APP_URL with dev default and documentation

Test Plan

  • Pipeline passes (existing specs use OmniAuth test_mode, unaffected)
  • Prod: clicking "Sign In" shows Keycloak login form (not "Invalid parameter" error)
  • Prod: login completes with test user (lucas-super-admin / Test1234!)
  • Dev: login completes via landscaping-dev.tail5b443a.ts.net with APP_URL set in .env

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes
  • Commit messages are descriptive
  • Feature flag needed? No — bug fix restoring broken login

Related Notes

  • project-landscaping-assistant — main project
  • Closes #166
Fix OmniAuth redirect_uri: send explicit callback URL to Keycloak
Some checks failed
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
CI / scan_ruby (pull_request) Has been cancelled
CI / scan_js (pull_request) Has been cancelled
CI / lint (pull_request) Has been cancelled
77f5c99261
omniauth_openid_connect v0.8.0 does not auto-derive redirect_uri from
the request — setting it to nil omits the parameter entirely, causing
Keycloak to return 400 "Invalid parameter: redirect_uri".

Use APP_URL env var (defaults to prod URL) to build the redirect_uri
explicitly. Matches pal-enterprises pattern.

Closes #166

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
Owner

Review — LGTM

Diff: 2 files, +5/-1. Minimal and targeted.

Root cause verified: omniauth_openid_connect v0.8.0 redirect_uri method (lines 423-427) returns client_options.redirect_uri verbatim — when nil, the OIDC client omits the parameter from the authorization URL. Keycloak requires it and returns 400.

Fix analysis:

  • config/initializers/omniauth.rb: Replaces nil with explicit URL built from APP_URL env var, defaulting to prod. Matches the working pal-enterprises pattern exactly.
  • .env.example: Documents APP_URL for dev environments. The default value in the example is the dev URL, which is correct — prod doesn't need it (falls back to hardcoded default).
  • No secrets committed — APP_URL is a public URL, not a secret.
  • Test suite unaffected — OmniAuth test_mode bypasses the middleware entirely.

Verified in dev: Login flow tested via Chrome DevTools — Keycloak login form renders, lucas-super-admin logged in successfully with full nav tabs visible.

One consideration: The redirect_uri is set at boot time, not per-request. This means a single Rails instance can only serve one hostname. This is correct for the current architecture (prod and dev are separate deployments), but worth noting.

Verdict: Approve — ship it.

ldraney deleted branch fix/redirect-uri 2026-06-07 20:03:41 +00:00
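
An added example, not code from this PR or the project: one way to build the boot-time redirect_uri from APP_URL so that a missing, non-HTTPS or unexpected value fails at startup instead of surfacing later as a Keycloak 400. The helper name, the callback path (OmniAuth's default `/auth/:provider/callback` with an assumed provider name of `keycloak`) and the allowlisted hosts are assumptions.

```ruby
require "uri"

# Hypothetical helper: derive the OIDC redirect_uri once, at boot, from APP_URL.
# Assumed provider name "keycloak"; adjust to the name registered with OmniAuth.
CALLBACK_PATH = "/auth/keycloak/callback"

class RedirectUriError < StandardError; end

def build_redirect_uri(app_url, allowed_hosts:, callback_path: CALLBACK_PATH)
  raise RedirectUriError, "APP_URL is not set" if app_url.nil? || app_url.strip.empty?

  uri = begin
    URI.parse(app_url.strip)
  rescue URI::InvalidURIError => e
    raise RedirectUriError, "APP_URL is not a valid URL: #{e.message}"
  end

  # The authorization code is delivered to this URL, so require TLS.
  raise RedirectUriError, "APP_URL must use https" unless uri.is_a?(URI::HTTPS)

  # APP_URL is an origin only: anything extra would change the callback target.
  if uri.userinfo || uri.query || uri.fragment
    raise RedirectUriError, "APP_URL must not carry userinfo, query or fragment"
  end
  raise RedirectUriError, "APP_URL must not contain a path" unless ["", "/"].include?(uri.path)

  # Only hosts this deployment is expected to serve (one hostname per instance).
  host = uri.host.to_s.downcase
  raise RedirectUriError, "host #{host.inspect} is not allowlisted" unless allowed_hosts.include?(host)

  origin = "https://#{host}"
  origin += ":#{uri.port}" unless uri.port == 443
  origin + callback_path
end

# Constructed sample values; an initializer would pass ENV["APP_URL"] instead.
if __FILE__ == $PROGRAM_NAME
  puts build_redirect_uri("https://app.example.test/", allowed_hosts: ["app.example.test"])
end
```

The resulting URL still has to appear in the Keycloak client's list of valid redirect URIs, which is the check that produced the 400 described above.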