[Bug]: HERMES_DASHBOARD_PUBLIC_URL not respected for self-hosted OIDC callback in Docker / reverse proxy setup

[valentinpx]

Bug Description

HERMES_DASHBOARD_PUBLIC_URL does not appear to be respected by the dashboard self-hosted OIDC login flow in Docker on Hermes 0.16.0. The documentation says this variable should override dashboard.public_url for OAuth callback construction behind reverse proxies, but Hermes still generated an http:// callback URL until I set dashboard.public_url directly in config.yaml.

Steps to Reproduce

1. Run Hermes Agent 0.16.0 in Docker Compose with the dashboard enabled and self-hosted OIDC configured behind a reverse proxy.
2. Set HERMES_DASHBOARD_PUBLIC_URL=https://hermes.domain.com in the container environment, and configure the OIDC provider callback URL as https://hermes.domain.com/auth/callback.
3. Open the dashboard and click Sign in with Self-Hosted OIDC.
4. Observe that the request fails before reaching the provider login page, and Hermes reports a generated callback URL of http://hermes.domain.com/auth/callback.
5. Edit /opt/data/config.yaml and set dashboard.public_url: 'https://hermes.domain.com', restart Hermes, and retry login.
6. Observe that login works after setting the value in config.yaml.

I first suspected a reverse proxy header issue, but directly calling Hermes with Host: hermes.domain.com and X-Forwarded-Proto: https still produced the same http://hermes.domain.com/auth/callback redirect URI. That suggests the issue is inside Hermes’ callback URL generation rather than in the proxy layer.
As a workaround, setting dashboard.public_url: 'https://hermes.domain.com' directly in /opt/data/config.yaml fixed the OIDC login flow immediately. Based on the docs, this workaround should not be necessary when HERMES_DASHBOARD_PUBLIC_URL is already set.

Expected Behavior

Hermes should honor HERMES_DASHBOARD_PUBLIC_URL=https://hermes.domain.com and generate the OIDC callback as https://hermes.domain.com/auth/callback, because the docs state that this environment variable overrides dashboard.public_url for OAuth callback construction behind reverse proxies.

Actual Behavior

Hermes generated http://hermes.domain.com/auth/callback during /auth/login?provider=self-hosted, which caused the OIDC provider to reject the redirect URI before showing the login page. The issue disappeared only after manually setting dashboard.public_url in /opt/data/config.yaml.

Affected Component

Other

Messaging Platform (if gateway-related)

No response

Debug Report

Hermes `/api/status` showed that auth was enabled and the self-hosted provider was loaded.


HTTP/1.1 503 Service Unavailable
{"detail":"Provider unreachable: redirect_uri may only use http:// for localhost/127.0.0.1, got 'http://hermes.domain.com/auth/callback'"}

{"ts":"2026-06-09T09:42:25.469868+00:00","event":"login_failure","provider":"self-hosted","reason":"provider_unreachable","ip":"192.168.XXX.XXX"}

Operating System

Docker v5.1.4 on Ubuntu 24.04

Python Version

3.13.5

Hermes Version

v0.16.0 (2026.6.5)

Additional Logs / Traceback (optional)

Root Cause Analysis (optional)

No response

Proposed Fix (optional)

No response

Are you willing to submit a PR for this?

• I'd like to fix this myself and submit a PR

[harjothkhara]

I tried to reproduce this against current main and couldn't — the OIDC callback path does honor HERMES_DASHBOARD_PUBLIC_URL, so I think the root cause is environmental rather than in Hermes' URL generation. Walking through it:

• /auth/login builds the redirect_uri via _redirect_uri(request) → resolve_public_url() (hermes_cli/dashboard_auth/prefix.py), whose precedence is env var first, then dashboard.public_url, then request reconstruction.
• The self-hosted provider uses that redirect_uri verbatim (it doesn't rebuild it).
• Empirically, with HERMES_DASHBOARD_PUBLIC_URL=https://hermes.domain.com set, resolve_public_url() returns https://hermes.domain.com and the redirect_uri becomes https://hermes.domain.com/auth/callback. There's also already a regression test asserting the env var wins over config.

The override landed in a890389b6, which is included in your v0.16.0, so you did have it. The telling detail is that setting dashboard.public_url in config.yaml fixed it — that goes through the same normaliser as the env var, so if config worked, the env value must have been seen as empty/invalid at runtime. Two common causes:

1. The variable didn't actually reach the Hermes process (e.g. set in an env_file the container didn't load, or in a different service in the compose file).
2. The value contained a character the normaliser deliberately rejects — it hard-rejects values containing quotes/whitespace/newlines rather than sanitising them. A value like "https://hermes.domain.com" (literal quotes) or a trailing newline from a mounted secret would be treated as unset and fall through to config.

Could you run printenv HERMES_DASHBOARD_PUBLIC_URL inside the running container and paste the exact output (including any surrounding quotes)? That'll tell us which of the two it is. Happy to dig further once we see it.

[benbarclay]

Thanks for the detailed report — the note that hitting Hermes directly with Host: + X-Forwarded-Proto: https still produced http:// was the key clue, because it rules out the proxy and points inside Hermes.

On current main (and the latest release), HERMES_DASHBOARD_PUBLIC_URL is honored by the OAuth callback construction (resolve_public_url() → tier-1 override), and I verified the Docker image passes the env var through to the dashboard process correctly (s6-overlay imports the full container environment; both the dashboard and gateway run scripts use with-contenv + s6-setuidgid, which preserve it). So this isn't an image/env-passthrough bug.

The most likely cause: the value is being silently rejected for not having a scheme. resolve_public_url() runs the value through a validator that requires a full http(s)://host and returns empty for anything else — and empty is treated as "unset", so Hermes falls back to reconstructing the callback URL from request headers (which behind your proxy yields http://). A value like HERMES_DASHBOARD_PUBLIC_URL=hermes.domain.com (no https://) would reproduce your symptom exactly, and would also explain why setting dashboard.public_url in config.yaml fixed it — presumably you wrote it there with the scheme.

Could you confirm the exact value you set?

docker compose config | grep -i public_url      # what compose resolves
docker compose exec <service> printenv HERMES_DASHBOARD_PUBLIC_URL

If it's missing the https:// prefix, that's the bug.

Either way, the silent-discard behaviour is a footgun, so I've opened #43214 to emit a clear WARNING whenever a non-empty HERMES_DASHBOARD_PUBLIC_URL / dashboard.public_url is rejected as malformed — so this diagnoses itself next time instead of failing quietly. Leaving this issue open until we confirm the value on your side.