providers/proxy: preserve URL-encoded path characters in redirect #20476

Merged
BeryJu merged 1 commit into goauthentik:main from Brolywood:feature/preserve-encoded-slashes-in-proxy-redirect
Feb 23, 2026
@Brolywood
Contributor

Summary

  • Use r.URL.EscapedPath() instead of r.URL.Path in redirectToStart() to preserve URL-encoded characters like %2F
  • r.URL.Path returns the decoded path, converting %2F to /, which url.JoinPath then collapses via path.Clean, stripping encoded slashes from the redirect URL
  • EscapedPath() preserves the original encoding while remaining backward compatible for paths without encoded characters

Fixes #12602

Test plan

  • Added TestRedirectToStart_Proxy_EncodedSlash test case verifying %2F is preserved in both the redirect URL and session redirect value
  • All existing TestRedirectToStart_* tests continue to pass
  • All existing TestProxy_Redirect* tests continue to pass
  • All existing TestCheckRedirectParam_* tests continue to pass
  • Full Go test suite passes (excluding pre-existing PostgreSQL-dependent tests that require a database)

Use r.URL.EscapedPath() instead of r.URL.Path when building the
redirect URL in redirectToStart(). The decoded Path field converts
%2F to /, which url.JoinPath then collapses via path.Clean, stripping
encoded slashes from the URL. EscapedPath() preserves the original
encoding, fixing 301 redirects that break apps like RabbitMQ which
use %2F in their API paths.
@Brolywood Brolywood requested a review from a team as a code owner February 23, 2026 14:48
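
The behaviour the description above relies on, as an added Go example that is not code from this pull request or from authentik: `externalHost`, the helper `redirectTargets` and the request paths are constructed for illustration, and calling `url.JoinPath` directly on the request path is assumed from the description. It goes one case beyond the page by also showing a double-encoded slash (`%252F`), which loses one level of encoding when the decoded `Path` is joined.

```go
package main

import (
	"fmt"
	"net/http/httptest"
	"net/url"
)

// externalHost is a constructed placeholder for the provider's external URL.
const externalHost = "https://app.example/"

// redirectTargets (hypothetical helper) joins the incoming request path onto
// externalHost twice: once from the decoded r.URL.Path, once from
// r.URL.EscapedPath(), and returns both resulting redirect URLs.
func redirectTargets(requestURI string) (fromPath, fromEscaped string, err error) {
	r := httptest.NewRequest("GET", requestURI, nil)
	// Decoded form: %2F is already "/", so path.Clean inside JoinPath
	// collapses the resulting "///" to a single slash.
	if fromPath, err = url.JoinPath(externalHost, r.URL.Path); err != nil {
		return "", "", err
	}
	// Escaped form: %2F stays one opaque segment and survives the join.
	fromEscaped, err = url.JoinPath(externalHost, r.URL.EscapedPath())
	return fromPath, fromEscaped, err
}

func main() {
	// Constructed request paths: RabbitMQ-style default vhost, a
	// double-encoded slash, and a path with nothing encoded.
	for _, uri := range []string{
		"/api/queues/%2F/myqueue",
		"/api/queues/%252F/myqueue",
		"/api/overview",
	} {
		p, e, err := redirectTargets(uri)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s\n  Path        -> %s\n  EscapedPath -> %s\n", uri, p, e)
	}
}
```

A regression test for a redirect handler can assert on the `Location` header in the same way, with one encoded and one unencoded path.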
@netlify
netlify bot commented Feb 23, 2026

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit e5a0961
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/699c68c2f8b04f00087d0a23
😎 Deploy Preview https://deploy-preview-20476--authentik-docs.netlify.app
@BeryJu BeryJu added area:backend backport/version-2026.2 Add this label to PRs to backport changes to version-2026.2 labels Feb 23, 2026
@BeryJu BeryJu merged commit 17ab3a4 into goauthentik:main Feb 23, 2026
101 checks passed
@authentik-automation
Contributor

🍒 Cherry-pick to version-2026.2 created: #20482

@codecov

codecov bot commented Feb 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.25%. Comparing base (6e04a42) to head (e5a0961).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #20476      +/-   ##
==========================================
- Coverage   93.28%   93.25%   -0.03%     
==========================================
  Files         981      981              
  Lines       55186    55276      +90     
==========================================
+ Hits        51479    51549      +70     
- Misses       3707     3727      +20     
Flag Coverage Δ
conformance 37.38% <ø> (-0.06%) ⬇️
e2e 43.19% <ø> (-0.07%) ⬇️
integration 22.35% <ø> (-0.08%) ⬇️
unit 91.50% <ø> (+0.01%) ⬆️
unit-migrate 91.52% <ø> (+0.01%) ⬆️

kensternberg-authentik added a commit that referenced this pull request Feb 23, 2026
* main:
  web: bump ajv from 6.12.6 to 6.14.0 in /web (#20479)
  providers/proxy: preserve URL-encoded path characters in redirect (#20476)
  policies: measure policy process from manager (#20477)
BeryJu pushed a commit that referenced this pull request Feb 23, 2026
…erry-pick #20476 to version-2026.2) (#20482)

providers/proxy: preserve URL-encoded path characters in redirect (#20476)

Use r.URL.EscapedPath() instead of r.URL.Path when building the
redirect URL in redirectToStart(). The decoded Path field converts
%2F to /, which url.JoinPath then collapses via path.Clean, stripping
encoded slashes from the URL. EscapedPath() preserves the original
encoding, fixing 301 redirects that break apps like RabbitMQ which
use %2F in their API paths.

Co-authored-by: Brolywood <44068132+Brolywood@users.noreply.github.com>
kensternberg-authentik added a commit that referenced this pull request Feb 24, 2026
* main: (104 commits)
  sources/saml: improve exception handling for saml response parsing (#20125)
  web/flow: separate flow inspector lifecycle from flow executor lifecycle (#20063)
  web/maintenance: no unknown attributes part 2 (#19014)
  website/docs: add info about make install and recovery key (#20447)
  web: bump ajv from 6.12.6 to 6.14.0 in /web (#20479)
  providers/proxy: preserve URL-encoded path characters in redirect (#20476)
  policies: measure policy process from manager (#20477)
  enterprise: monkey patch pyjwt to accept mismatching key (#20402)
  enterprise/lifecycle: use datetime instead of date to track review cycles (#20283)
  root: run `npm i` with `npm@11.10.1` in all subdirectories (#20471)
  providers/oauth2: device code flow client id via auth header (#20457)
  core: bump goauthentik/fips-debian from `4419749` to `d6def0a` in /lifecycle/container (#20467)
  core: bump goauthentik/fips-python from `d973c46` to `bccefee` in /lifecycle/container (#20466)
  core, web: bump ajv from 6.12.6 to 6.14.0 in /packages/prettier-config (#20462)
  ci: bump and fix daily (#20461)
  website/integrations: fix Vaultwarden SSO_SCOPES syntax (#20459)
  stages/user_login: log correct user when session binding is broken (#20094)
  web/flow: generate a single API object for network transactions and use it for the lifetime of the FlowExecutor (#20030)
  web/flow: refactor flow executor so component selection is in an easy-to-maintain table (#19999)
  website/integrations: gatus: fix config block  (#20446)
  ...
kensternberg-authentik added a commit that referenced this pull request Feb 25, 2026
…/soc-captchas-and-webauthn

* web/flow/20261-tidy-identification-stage: (107 commits)
  Added some visibility keys, as per @GirlBossRush
  sources/saml: improve exception handling for saml response parsing (#20125)
  web/flow: separate flow inspector lifecycle from flow executor lifecycle (#20063)
  web/maintenance: no unknown attributes part 2 (#19014)
  website/docs: add info about make install and recovery key (#20447)
  web: bump ajv from 6.12.6 to 6.14.0 in /web (#20479)
  providers/proxy: preserve URL-encoded path characters in redirect (#20476)
  Weird merge bug: same function appeared twice.
  policies: measure policy process from manager (#20477)
  enterprise: monkey patch pyjwt to accept mismatching key (#20402)
  enterprise/lifecycle: use datetime instead of date to track review cycles (#20283)
  root: run `npm i` with `npm@11.10.1` in all subdirectories (#20471)
  providers/oauth2: device code flow client id via auth header (#20457)
  core: bump goauthentik/fips-debian from `4419749` to `d6def0a` in /lifecycle/container (#20467)
  core: bump goauthentik/fips-python from `d973c46` to `bccefee` in /lifecycle/container (#20466)
  core, web: bump ajv from 6.12.6 to 6.14.0 in /packages/prettier-config (#20462)
  ci: bump and fix daily (#20461)
  website/integrations: fix Vaultwarden SSO_SCOPES syntax (#20459)
  stages/user_login: log correct user when session binding is broken (#20094)
  web/flow: generate a single API object for network transactions and use it for the lifetime of the FlowExecutor (#20030)
  ...
Development

Successfully merging this pull request may close these issues.

Incorrect URL Handling: /%2F/ Becomes / Causing 404 Errors with RabbitMQ
