From 1362cc0dac37aac7f9d4e85348aca9cabd0ffceb Mon Sep 17 00:00:00 2001
From: Serhii Vasyliev
Date: Mon, 23 Feb 2026 11:36:37 +0100
Subject: [PATCH] Improve debug logging around callback URL matching (#126)
* Add debug logging around callback URL matching in ServeHTTP The callback URL comparison at the core of OIDC flow had zero logging, making it extremely difficult to diagnose redirect loop issues caused by misconfigured callbackURL (e.g., full URL vs path-only). Every other path comparison in ServeHTTP already logs debug info (logout, backchannel, frontchannel, excluded URLs), but the callback URL check was completely silent. Added debug logs that show: - The values being compared (request path vs configured callback) - Whether the match succeeded or failed - Configured redirURLPath during initialization This would have immediately revealed the root cause of issue #1 where callbackURL was set as a full URL but compared against req.URL.Path which only contains the path component. Closes #3
* improve-callback-url-logging: Add init-time logging for callbackURL config
---
 main.go | 6 ++++++
 middleware.go | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/main.go b/main.go
index de39983..f8a2963 100644
--- a/main.go
+++ b/main.go
@@ -303,6 +303,12 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 logger.Debugf("TraefikOidc.New: Final t.scopes initialized to: %v", t.scopes)
+ // Log callback URL configuration to help diagnose redirect loop issues.
+ // If callbackURL is a full URL instead of a path, the callback matching
+ // in ServeHTTP will silently fail because req.URL.Path is compared directly.
+ logger.Debugf("TraefikOidc.New: callbackURL (redirURLPath) configured as: %q", t.redirURLPath)
+ logger.Debugf("TraefikOidc.New: logoutURLPath configured as: %q", t.logoutURLPath)
+
 t.providerURL = config.ProviderURL
 // Use singleton resource manager for metadata initialization
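Review bot: The added `Debugf` calls in NewWithContext report `t.redirURLPath` but nothing validates it, so the misconfiguration the new comment describes (a full URL where a path is expected) still fails silently unless debug logging is enabled. Consider checking the value here, for example `if !strings.HasPrefix(t.redirURLPath, "/") { ... }`, and either rejecting the config or reporting it at a level operators see by default. A callback path that can never equal `req.URL.Path` means the authorization response never reaches handleCallback, which is better caught once at startup than inferred from per-request logs. NewWithContext starts and ends outside the hunk, so an existing check elsewhere in it cannot be ruled out.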
diff --git a/middleware.go b/middleware.go
index 5b7f742..4bbf4af 100644
--- a/middleware.go
+++ b/middleware.go
@@ -173,10 +173,14 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 host := utils.DetermineHost(req)
 redirectURL := buildFullURL(scheme, host, t.redirURLPath)
+ // Check if the current request is the OIDC callback
+ t.logger.Debugf("Checking callback URL match: request_path=%q, configured_callback=%q", req.URL.Path, t.redirURLPath)
 if req.URL.Path == t.redirURLPath {
+ t.logger.Debugf("Callback URL matched, processing OIDC callback (redirect_url=%s)", redirectURL)
 t.handleCallback(rw, req, redirectURL)
 return
 }
+ t.logger.Debugf("Callback URL did not match (request_path=%q != configured=%q), continuing auth flow", req.URL.Path, t.redirURLPath)
 authenticated, needsRefresh, expired := t.isUserAuthenticated(session)
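Review bot: The matched-callback log formats `redirectURL` with `%s`, while the two neighbouring calls quote their values with `%q`. `redirectURL` is built from `utils.DetermineHost(req)`, so it presumably carries request-supplied host data into the log unescaped. Use `t.logger.Debugf("Callback URL matched, processing OIDC callback (redirect_url=%q)", redirectURL)` so unusual characters in that value cannot split or imitate log entries. The "Checking" and "did not match" calls run on every request that is not the callback, so it is worth a short comment stating that only `req.URL.Path` is logged here and never the query string, which on the callback holds the authorization `code` and `state`. ServeHTTP's body starts before and continues past the hunk.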