Proxy Outpost Restart causes broken redirect, 400 status code, Envoy

[christensenjairus]

Describe the bug

The proxy outposts store sessions in memory. When restarted, the session data is lost, and it causes a redirect to https://<forward_auth_protected_domain>/outpost.goauthentik.io/callback, which returns a 400 error because the session isn't present after the restart. If I simply visit the main url of my forward auth app, it will log in again, as expected.

Basically, if the outpost could redirect to the main url of the application and send a 302 instead of a 400 or something like that, I believe it would work.

With the Istio/Envoy way of setting up forward auth, AFAIK there is not requirement to have a /outpost.goauthentik.io* path redirect to the outpost, though I believe that's how it's done for other ways of setting up forward auth, so I can see how this slipped through.

This issue exists with the latest version (2025.12.1 at the time of writing) proxy outpost, but does not exist in 2025.8.4, which is what I'm using until this is fixed.

How to reproduce

1. Set up istio w/ envoy like it says in the docs
2. Set up a forward auth provider
3. Log in to the forward authed application
4. Restart the outpost
5. Refresh the page

Expected behavior

Refreshing the page after an outpost restart should transparently get you a new session

Screenshots

No response

Additional context

No response

Deployment Method

Kubernetes

Version

2025.12.1

Relevant log output

[christensenjairus]

This seems to be fixed on my end w/ 2025.12.4 (#18063)

[christensenjairus]

This seems to be fixed on my end w/ 2025.12.4 (#18063)

I take this back, it's still happening to me on 2025.12.4.

[mathieuruellanmyscript]

Still happening on 2026.2.0