zalando · czhou-brex · Sep 3, 2024 · Sep 3, 2024 · Sep 3, 2024 · Sep 4, 2024
diff --git a/docs/reference/filters.md b/docs/reference/filters.md
@@ -1687,6 +1687,10 @@ to untrusted downstream services.
 The filter will inject the OAuth2 bearer token into the request headers if the flag
 `oauth2-access-token-header-name` is set.
 
+The filter will substitute the base URL of redirect_uri, if "X-Skipper-Redirect-Base-Uri" header is passed in the request.
+The value will be in the form of "http://host.tld" or "https://host.tld".
+Otherwise, the "Host" of the request is used as the base URL of the redirect_uri.
+
 The filter must be used in conjunction with the [grantCallback](#grantcallback) filter
 where the OAuth2 provider can redirect authenticated users with an authorization code.
 Skipper will make sure to add the `grantCallback` filter for you to your routes when

diff --git a/filters/auth/grantconfig.go b/filters/auth/grantconfig.go
@@ -358,6 +358,7 @@ func (c *OAuthConfig) GetAuthURLParameters(redirectURI string) []oauth2.AuthCode
 
 // RedirectURLs constructs the redirect URI based on the request and the
 // configured CallbackPath.
+// X-Skipper-Redirect-Host header overrides the host generated in the redirect URL
 func (c *OAuthConfig) RedirectURLs(req *http.Request) (redirect, original string) {
 	u := *req.URL
 
@@ -367,10 +368,22 @@ func (c *OAuthConfig) RedirectURLs(req *http.Request) (redirect, original string
 		u.Scheme = "https"
 	}
 
-	u.Host = req.Host
-
 	original = u.String()
 
+	redirectBaseOverride := req.Header.Get("X-Skipper-Redirect-Base-Uri")
+	if redirectBaseOverride != "" {
+		u, err := url.Parse(redirectBaseOverride)
+		if err == nil {
+			redirect = (&url.URL{
+				Scheme: u.Scheme,
+				Host:   u.Host,
+				Path:   c.CallbackPath,
+			}).String()
+			return
+		}
+	}
+
+	u.Host = req.Host
 	redirect = (&url.URL{
 		Scheme: u.Scheme,
 		Host:   u.Host,