From 0476d5745128c03f79b2b3d7b6a264bb3ab5ba83 Mon Sep 17 00:00:00 2001
From: Tim O'Farrell
Date: Thu, 26 Feb 2026 10:23:40 +0000
Subject: [PATCH] fix: properly extract redirect URL from OAuth state in keycloak_offline_callback (#13063)

Co-authored-by: openhands
---
 enterprise/server/routes/auth.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/enterprise/server/routes/auth.py b/enterprise/server/routes/auth.py
index 75eb8b440f..a4dc968ebe 100644
--- a/enterprise/server/routes/auth.py
+++ b/enterprise/server/routes/auth.py
@@ -549,7 +549,10 @@ async def keycloak_offline_callback(code: str, state: str, request: Request):
 user_id=user_info['sub'], offline_token=keycloak_refresh_token
 )
 
- return RedirectResponse(state if state else request.base_url, status_code=302)
+ redirect_url, _, _ = _extract_oauth_state(state)
+ return RedirectResponse(
+ redirect_url if redirect_url else request.base_url, status_code=302
+ )
 
 
 @oauth_router.get('/github/callback')
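Review bot: The redirect target in the new `return RedirectResponse(...)` still comes from the client-supplied `state` query parameter, and nothing visible in this hunk checks that `redirect_url` points back at this deployment. Unless `_extract_oauth_state` (defined outside the hunk) already validates or verifies the state, this remains an open redirect on the post-login path. I would constrain the target before redirecting, for example `if redirect_url and urlparse(redirect_url).netloc not in ('', request.base_url.netloc): redirect_url = None`, assuming `urlparse` is or can be imported in this file, so that anything off-origin falls back to `request.base_url`. It is also worth confirming that a malformed `state` makes `_extract_oauth_state` return an empty URL rather than raise, since the offline token has already been stored by the time this line runs. The body of `keycloak_offline_callback` starts above the hunk, so earlier validation may exist that I cannot see.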