Description
What happened?
Description
When using an external Identity Provider (e.g. Google), the redirect_uri generated by FusionAuth corrupts the port number when the original request is served over HTTP on the default port 80 or over HTTPS on the default port 443.
The corrupted redirect_uri includes FusionAuth's docker container internal port 9011 (instead of omitting the port entirely).
These ports are the defaults for their respective protocols: HTTP commonly uses port 80 and HTTPS uses port 443, and in such cases the port is usually not written explicitly in the URL. For example, http://localhost implicitly means http://localhost:80 (and the two are equivalent), and https://localhost implicitly means https://localhost:443 (likewise equivalent).
FusionAuth, however, replaces these default ports with the docker container's internal port (9011) when constructing the redirect URI, leading to invalid redirects during the Identity Provider login flow.
Affects versions
Tested with 1.46, 1.57, 1.58, 1.59, 1.60
Steps to reproduce
1. Start the docker image with port mapping 80:9011:
--- docker-compose.yml ---
services:
  fusionauth:
    image: fusionauth/fusionauth-app:1.60.2
    ports:
      - 80:9011
--- docker-compose.yml ---
2. Configure "Google Identity Provider" (possibly any other provider).
3. Go to URL http://localhost/admin
4. Click on the "Google Identity Provider" button to log in.
5. Login fails because of the wrong redirect_uri: redirect_uri=http://localhost:9011/oauth2/callback
Expected redirect_uri: redirect_uri=http://localhost/oauth2/callback
Summary
The issue occurs only when the default ports for HTTP and HTTPS are used. If a non-default port is used, the redirect_uri is generated correctly.
However, when the default HTTP port (80) or HTTPS port (443) is in use, FusionAuth replaces the expected port with the container's internal application port. Exposing internal container parameters is fundamentally wrong.
The original connection information must be preserved when constructing the redirect_uri, without altering the port.
If the original request used an implicit (default) port, the resulting redirect_uri should also keep the port implicit rather than substituting any internal or explicit port number.
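The following is an added illustration (not FusionAuth code) of the redirect_uri construction this report asks for: rebuild the origin from the Host header the browser sent, never from the listener port, and leave a default port implicit. It also goes slightly beyond the report by honouring X-Forwarded-Proto/X-Forwarded-Port when a reverse proxy sets them; `auth.example.com` and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Ports a URL leaves implicit; never spell them out in a redirect_uri.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_header(host_header):
    """Split a Host header ("localhost", "localhost:81", "[::1]:80") into
    (host, port-or-None), keeping IPv6 literals bracketed."""
    parts = urlsplit("//" + host_header)
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 address, re-add the brackets
        host = f"[{host}]"
    return host, parts.port


def build_redirect_uri(scheme, host_header, path,
                       x_forwarded_proto=None, x_forwarded_port=None):
    """Rebuild the origin the browser actually used from the request itself.

    The backend listener port (9011 in the report) is deliberately never
    consulted: it is a container-internal detail. If the effective port is
    the scheme's default, it stays implicit, exactly as the browser sent it.
    """
    effective_scheme = (x_forwarded_proto or scheme).lower()
    host, port = split_host_header(host_header)
    if x_forwarded_port:  # proxy-supplied public port wins over Host header
        port = int(x_forwarded_port)
    if port is None or port == DEFAULT_PORTS.get(effective_scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return f"{effective_scheme}://{netloc}{path}"


def origin_key(url):
    """Canonical (scheme, host, port), so http://localhost and
    http://localhost:80 compare equal while http://localhost:9011 does not."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def redirect_uri_matches_browser_origin(redirect_uri, browser_url):
    """Deployment sanity check: does the redirect_uri handed to the IdP point
    back at the origin the user's browser used?"""
    return origin_key(redirect_uri) == origin_key(browser_url)
```

Running `redirect_uri_matches_browser_origin` against the redirect_uri captured from the IdP redirect and the URL in the browser's address bar is a quick way to confirm whether a given FusionAuth deployment is affected.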
Version
What version of FusionAuth are you using?
1.36.8 (in which the redirect_uri is still generated correctly)
Affects Versions
>= 1.46.0
Alternatives / Workarounds
Workaround: use non-default ports
- Do not use port 80 for HTTP
- Do not use port 443 for HTTPS
Example
1. Start the docker image with port mapping 81:9011:
--- docker-compose.yml ---
services:
  fusionauth:
    image: fusionauth/fusionauth-app:1.60.2
    ports:
      - 81:9011
--- docker-compose.yml ---
2. Configure "Google Identity Provider" (possibly any other provider).
3. Go to URL http://localhost:81/admin
4. Click on the "Google Identity Provider" button to log in.
5. Login succeeds because of the correct redirect_uri=http://localhost:81/oauth2/callback