From adfb81c6edaac398939f9f2ee07fe3c22c11e6e2 Mon Sep 17 00:00:00 2001
From: ZhFahim <50145591+ZhFahim@users.noreply.github.com>
Date: Sat, 11 Apr 2026 15:14:07 +0600
Subject: [PATCH] fix(auth): display the OIDC callback URL from oidcSettings instead of window location
---
 server/src/auth/oidc/oidc-client.service.ts | 2 +-
 server/src/auth/oidc/oidc-config.service.ts | 10 ++++++++++
 web/app/(app)/admin/page.tsx | 7 +++----
 web/features/admin/types.ts | 1 +
 4 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/server/src/auth/oidc/oidc-client.service.ts b/server/src/auth/oidc/oidc-client.service.ts
index 363e6b2..d3df4f7 100644
--- a/server/src/auth/oidc/oidc-client.service.ts
+++ b/server/src/auth/oidc/oidc-client.service.ts
@@ -164,6 +164,6 @@ export class OidcClientService {
 * Get callback URL
 */
 private getCallbackUrl(): string {
- return `${this.oidcConfigService.getAppUrl()}/api/auth/oidc/callback`;
+ return this.oidcConfigService.getOidcCallbackUrl();
 }
 }
diff --git a/server/src/auth/oidc/oidc-config.service.ts b/server/src/auth/oidc/oidc-config.service.ts
index eae1b9f..73dc440 100644
--- a/server/src/auth/oidc/oidc-config.service.ts
+++ b/server/src/auth/oidc/oidc-config.service.ts
@@ -116,6 +116,14 @@ export class OidcConfigService {
 return this.configService.get('APP_URL') || 'http://localhost:3000';
 }

+ /**
+ * OIDC redirect URI
+ */
+ getOidcCallbackUrl(): string {
+ const base = this.getAppUrl().replace(/\/+$/, '');
+ return `${base}/api/auth/oidc/callback`;
+ }
+
 /**
 * Check if OIDC is enabled
 */
@@ -153,6 +161,7 @@ export class OidcConfigService {
 issuerUrl?: string;
 clientId?: string;
 hasClientSecret: boolean;
+ callbackUrl: string;
 disableInternalAuth: boolean;
 isLocked: boolean;
 source: 'env' | 'database' | 'default';
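Review bot: getOidcCallbackUrl() in oidc-config.service.ts builds the redirect URI from whatever getAppUrl() returns, and the context line above it shows a fallback to `http://localhost:3000` when APP_URL is unset, so a missing or mistyped APP_URL silently yields a loopback or plain-http redirect URI that is now also shown to the admin. Providers compare the redirect URI exactly, so I would parse the value once, drop any query or fragment, and reject a non-https scheme on a non-loopback host. Whether to throw or only log is a call for the maintainers, because getOidcSettings() calls this method as well. The doc comment could also state that this single value is what OidcClientService.getCallbackUrl() returns and what the admin page displays, and that it must match the provider registration exactly.

```typescript
getOidcCallbackUrl(): string {
  // Parse once so a malformed APP_URL fails here, not as a redirect_uri mismatch at the provider.
  const appUrl = new URL(this.getAppUrl());
  const isLoopback = ['localhost', '127.0.0.1', '[::1]'].includes(appUrl.hostname);
  if (appUrl.protocol !== 'https:' && !isLoopback) {
    throw new Error('APP_URL must be an https URL to be used as the OIDC redirect URI');
  }
  // origin + pathname drops any query string or fragment from APP_URL.
  const base = `${appUrl.origin}${appUrl.pathname}`.replace(/\/+$/, '');
  return `${base}/api/auth/oidc/callback`;
}
```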
@@ -166,6 +175,7 @@ export class OidcConfigService {
 issuerUrl: config.issuerUrl,
 clientId: config.clientId,
 hasClientSecret: !!config.clientSecret,
+ callbackUrl: this.getOidcCallbackUrl(),
 disableInternalAuth: config.disableInternalAuth,
 isLocked: locked,
 source: locked ? 'env' : 'database',
diff --git a/web/app/(app)/admin/page.tsx b/web/app/(app)/admin/page.tsx
index 499fd97..e30d479 100644
--- a/web/app/(app)/admin/page.tsx
+++ b/web/app/(app)/admin/page.tsx
@@ -633,12 +633,11 @@ export default function AdminPage() {

Callback URL

- {typeof window !== "undefined"
- ? `${window.location.origin}/api/auth/oidc/callback`
- : "/api/auth/oidc/callback"}
+ {oidcSettings.callbackUrl}

- Add this URL in your OIDC provider as the redirect/callback URL.
+ Add this URL in your OIDC provider as the redirect/callback URL. It comes from the {" "}
+ APP_URL env variable.
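Review bot: The help text now says the URL comes from APP_URL, but the server falls back to a localhost default when that variable is unset, and the page gives no signal when the displayed value differs from the origin the admin is actually using. A mismatch there typically surfaces as a redirect_uri error at the provider after setup, so I would render a short warning when the two differ, guarded the way the removed lines were: `typeof window !== "undefined" && new URL(oidcSettings.callbackUrl).origin !== window.location.origin`. The field is also read without a fallback, so a response from a server that predates this change would presumably render an empty box; checking `oidcSettings.callbackUrl` before display and showing a hint would make that visible. The JSX around these lines is not fully visible on this page, and AdminPage starts and ends outside the hunk.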

diff --git a/web/features/admin/types.ts b/web/features/admin/types.ts
index 9dbf193..b3773fa 100644
--- a/web/features/admin/types.ts
+++ b/web/features/admin/types.ts
@@ -61,6 +61,7 @@ export interface OidcSettings {
 issuerUrl?: string;
 clientId?: string;
 hasClientSecret: boolean;
+ callbackUrl: string;
 disableInternalAuth: boolean;
 isLocked: boolean;
 source: "env" | "database" | "default";