From 7dede37fd80f7aaa2f1f6b77383c284611bbccff Mon Sep 17 00:00:00 2001
From: chuckbutkus
Date: Wed, 11 Jun 2025 14:19:15 -0400
Subject: [PATCH] Make sure redirect URI is HTTPS unless it is for localhost (#9076)
---
 frontend/src/utils/generate-auth-url.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/frontend/src/utils/generate-auth-url.ts b/frontend/src/utils/generate-auth-url.ts
index 8201d0b3f7..9e8d9a267b 100644
--- a/frontend/src/utils/generate-auth-url.ts
+++ b/frontend/src/utils/generate-auth-url.ts
@@ -5,7 +5,10 @@
 * @returns The URL to redirect to for OAuth
 */
 export const generateAuthUrl = (identityProvider: string, requestUrl: URL) => {
- const redirectUri = `${requestUrl.origin}/oauth/keycloak/callback`;
+ // Use HTTPS protocol unless the host is localhost
+ const protocol =
+ requestUrl.hostname === "localhost" ? requestUrl.protocol : "https:";
+ const redirectUri = `${protocol}//${requestUrl.host}/oauth/keycloak/callback`;
 let authUrl = requestUrl.hostname
 .replace(/(^|\.)staging\.all-hands\.dev$/, "$1auth.staging.all-hands.dev")
 .replace(/(^|\.)app\.all-hands\.dev$/, "auth.app.all-hands.dev")
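Review bot: The loopback exemption in the `protocol` ternary matches only the literal hostname `localhost`, so an instance served on `127.0.0.1` or `[::1]` gets an `https:` redirect URI that a plain-HTTP local server presumably cannot answer; consider `const isLoopback = ["localhost", "127.0.0.1", "[::1]"].includes(requestUrl.hostname);` and branching on that. The host part of `redirectUri` is still taken directly from `requestUrl.host`, so this change only keeps the OAuth callback off cleartext HTTP. Which hosts may receive the callback has to be enforced by an exact-match redirect-URI list on the Keycloak client, and the comment could record both points, e.g. `// Force https so the OAuth callback never travels in cleartext; the host is checked by the IdP's redirect-URI allowlist`. The body of `generateAuthUrl` continues past the end of this hunk, so where `requestUrl` comes from is not visible here.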