[BUG] Multi-server tinyauth redirect error

[eliasbenb]

Describe the bug

When using tinyauth on a second level subdomain and signing in, the page doesn't redirect correctly. Instead, it takes you to the main tinyauth landing page.

Despite that, authentication still works as expected with cookies being set correctly.

To Reproduce
Steps to reproduce the behavior:

1. Have tinyauth running on a 1st level subdomain (e.g. tinyauth.example.com)
2. Setup a secondary app on a 2nd level subdomain behind tinyauth (e.g. some.app.example.com)
3. Go to the secondary app's URL
4. Get redirected to the tinyauth log in page
5. After a successful log in, notice that you are not redirected to the secondary app

Expected behavior

After a login, the user should be redirected to the URL they were first trying to reach.

Logs
Please include the Tinyauth logs below, make sure to not include sensitive info.

2025-05-03T00:07:08Z INF Starting tinyauth version=v3.3.0
2025-05-03T00:07:08Z INF Parsing users
2025-05-03T00:07:08Z DBG Using users from file
2025-05-03T00:07:08Z DBG Parsing users
2025-05-03T00:07:08Z DBG Parsed users
2025-05-03T00:07:08Z DBG Getting domain
2025-05-03T00:07:08Z INF Using domain for cookie store domain=example.com
2025-05-03T00:07:08Z DBG Setting up router
2025-05-03T00:07:08Z DBG Setting up assets
2025-05-03T00:07:08Z DBG Setting up file server
2025-05-03T00:07:08Z INF Starting server address=0.0.0.0 port=3000
2025-05-03T00:07:18Z INF Request address=[::1]:60992 latency="25.7µs" method=GET path=/api/healthcheck status=200
2025-05-03T00:07:28Z INF Request address=[::1]:50816 latency="33.629µs" method=GET path=/api/healthcheck status=200
2025-05-03T00:07:38Z INF Request address=[::1]:39058 latency="25.704µs" method=GET path=/api/healthcheck status=200
2025-05-03T00:07:38Z DBG Getting app context
2025-05-03T00:07:38Z INF Request address=172.22.0.10:48484 latency="402.644µs" method=GET path=/api/app status=200
2025-05-03T00:07:38Z DBG Getting user context
2025-05-03T00:07:38Z DBG Getting session cookie
2025-05-03T00:07:38Z DBG Got session
2025-05-03T00:07:38Z WRN Session cookie is invalid
2025-05-03T00:07:38Z DBG Deleting session cookie
2025-05-03T00:07:38Z DBG Provider is not username
2025-05-03T00:07:38Z DBG Unauthorized
2025-05-03T00:07:38Z INF Request address=172.22.0.10:48500 latency="989.932µs" method=GET path=/api/user status=200
2025-05-03T00:07:43Z DBG Request is most likely coming from a browser
2025-05-03T00:07:43Z DBG Got proxy proxy=traefik
2025-05-03T00:07:43Z DBG Docker not connected, returning empty labels
2025-05-03T00:07:43Z DBG Got labels labels={"Allowed":"","Headers":null,"OAuthGroups":"","OAuthWhitelist":"","Users":""}

Device (please complete the following information):

• OS: Windows 11
• Browser FireFox
• Tinyauth v3.3.0
• Docker 28.1.1

Additional context

The cause of the problem seems to be in the redirect_uri. After being redirected to the tinyauth login page, the redirect URI is filled correctly with https://some.app.example.com but then another redirect occurs, which almost instantly overwrites the redirect_uri to tinyauth.example.com.

[steveiliop56]

Hello!

When does the redirect URI change? Do you login with OAuth and then you get incorrectly redirected? Does your account have TOTP and the redirect URI gets messed up in the TOTP page or is the continue page?

[eliasbenb]

When does the redirect URI change?

I went to check on this and realized I was mistaken; the redirect uri is never set correctly, it's always https://tinyauth.example.com.

Do you login with OAuth and then you get incorrectly redirected?

No OAuth

Does your account have TOTP and the redirect URI gets messed up in the TOTP page or is the continue page?

No TOTP

[steveiliop56]

Alright, what proxy do you use?

[eliasbenb]

Alright, what proxy do you use?

Traefik

[scottmckendry]

Also running into this issue since upgrading to v3.3.1. Was working on v3.2.1. Sign-in is successful but the redirect doesn't work.

I'm also running Traefik. Kubernetes v1.32.3.

[steveiliop56]

Will debug this when I get back home (probably on Monday).

[steveiliop56]

I cannot reproduce unfortunately. What browser are you using? Can you try running:

curl -H 'Accept: text/html' http://app.sub.example.com

You should get something like:

<a href="http://tinyauth.example.com/?redirect_uri=http%3A%2F%2Fapp.sub.example.com%2F">Temporary Redirect</a>.

[eliasbenb]

Sure:

curl -H 'Accept: text/html' https://app.sub.example.com
<a href="https://tinyauth.libplex.eu.org/?redirect_uri=https%3A%2F%2Ftinyauth.example.com">Temporary Redirect</a>.

[steveiliop56]

What's your app URL?

[eliasbenb]

What's your app URL?

If you mean the APP_URL environment variable, it's: https://tinyauth.mydomain.eu.org

If you mean the app I'm trying to get redirected to, it's https://app.o.mydomain.eu.org

[steveiliop56]

And are you using the "default" traefik setup? What's the output if you try to curl your app?

[eliasbenb]

And are you using the "default" traefik setup?

Not sure what you mean by default, but this is my compose.yaml for tinyauth:

  tinyauth-1:
    image: ghcr.io/steveiliop56/tinyauth:latest
    environment:
      TZ: ${TZ}
      SECRET: ${TINYAUTH_SECRET}
      APP_URL: https://tinyauth.${DOMAIN_1}
      USERS_FILE: /etc/htpasswd
      DISABLE_CONTINUE: true
      SESSION_EXPIRY: 2624016
      LOG_LEVEL: 0
    volumes:
      - ./config/htpasswd:/etc/htpasswd:ro
    labels:
      traefik.enable: true
      traefik.http.routers.tinyauth-1.rule: Host(`tinyauth.${DOMAIN_1}`)
      traefik.http.middlewares.tinyauth-1.forwardauth.address: http://tinyauth-1:3000/api/auth/traefik
    restart: unless-stopped

What's the output if you try to curl your app?

curl https://app.sub.example.com
{"message":"Unauthorized","status":401}

[steveiliop56]

Alright your traefik setup is good. Please include the -H "Accept: text/html" in the curl command.