From f70be86ddcc2a2a64670586e62ae65938f8d1e94 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens@goauthentik.io>
Date: Mon, 20 Feb 2023 21:22:18 +0100
Subject: [PATCH] providers/proxy: strip scheme when comparing redirect URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 internal/outpost/proxyv2/application/oauth.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index 41f3f311b..9f9c18d8f 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -30,8 +30,13 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
 	}
 	// Check to make sure we only redirect to allowed places
 	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
-		if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) {
-			a.log.WithField("url", u.String()).WithField("ext", a.proxyConfig.ExternalHost).Warning("redirect URI did not contain external host")
+		ext, err := url.Parse(a.proxyConfig.ExternalHost)
+		if err != nil {
+			return "", false
+		}
+		ext.Scheme = ""
+		if !strings.Contains(u.String(), ext.String()) {
+			a.log.WithField("url", u.String()).WithField("ext", ext.String()).Warning("redirect URI did not contain external host")
 			return "", false
 		}
 	} else {