From bc3a1f128bd3c3472c296d5e484d0506acbb21c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Skalick=C3=BD?= <skalicky@vitskal.cz>
Date: Thu, 22 Jan 2026 18:44:22 +0100
Subject: [PATCH] providers/proxy: Fix incorrect comparison of redirect URL and
 CookieDomain (#15686)

* Fix incorect comparison of redirect URL and CookieDomain. Fixes #15685

According to docs, URL.Host contains the host and port, while Hostname
returns only the host without the port. CookieDomain obviously does not
contain the port. string.HasSuffix function is used, so if a port is set
in the redirect URL, this check always fails.

* Fixed missing parentheses

---------

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 internal/outpost/proxyv2/application/oauth_state.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/outpost/proxyv2/application/oauth_state.go b/internal/outpost/proxyv2/application/oauth_state.go
index a851e7e4d4..b5c40d071e 100644
--- a/internal/outpost/proxyv2/application/oauth_state.go
+++ b/internal/outpost/proxyv2/application/oauth_state.go
@@ -60,8 +60,8 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
 			return "", false
 		}
 	} else {
-		if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
-			a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
+		if !strings.HasSuffix(u.Hostname(), *a.proxyConfig.CookieDomain) {
+			a.log.WithField("host", u.Hostname()).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Hostname was not included in cookie domain")
 			return "", false
 		}
 	}