Redirect fails if non-default port is configured

[vitSkalicky]

Describe the bug
When using the Proxy provider in forward-auth mode for an application that is hosted on a non-default port (for example https://app1.example.com:8443), the user is not redirected to the application after successful login, but gets redirected to the "My applications page".

To Reproduce

1. Configure Authentik Proxy provider and Nginx in forward-auth mode according to docs for an application on non-defualt port.
2. Visit the application while not logged in: go to https://app1.example.com:8443
3. You will be redirected to Authentik login page
4. Log in
5. You get redirected to https://auth.exmaple.com/if/user/#/library instead of https://app1.example.com:8443

Expected behavior
After login, the user is redirected to the URL they were originally trying to visit

Version and Deployment (please complete the following information):

• authentik version: 2025.6.3
• Deployment: docker-compose

Additional context
I've been digging in the code and found the source of the bug:

authentik/internal/outpost/proxyv2/application/oauth_state.go

Line 63 in 21a73fe

if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {

The code is comparing URL.Host with a.proxyConfig.CookieDomain, which is wrong. URL.Hostname should be used instead.

According to docs, URL.Host contains the host and port, while Hostname returns only the host without the port. CookieDomain obviously does not contain the port. string.HasSuffix function is used, so this bug only appears when a non-default port is used in the redirected URL.

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.