From 0b159bdb9c03f92ee464791005bcb7966bf4e271 Mon Sep 17 00:00:00 2001
From: Allen Porter <allen.porter@gmail.com>
Date: Sun, 14 Sep 2025 14:07:31 -0700
Subject: [PATCH] Update authorization server to prefer absolute urls (#152313)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 homeassistant/components/auth/login_flow.py | 19 +++++++--
 tests/components/auth/test_login_flow.py    | 46 ++++++++++++++++++---
 2 files changed, 56 insertions(+), 9 deletions(-)

diff --git a/homeassistant/components/auth/login_flow.py b/homeassistant/components/auth/login_flow.py
index 69ae3eb65bd..675c2d10fea 100644
--- a/homeassistant/components/auth/login_flow.py
+++ b/homeassistant/components/auth/login_flow.py
@@ -92,7 +92,11 @@ from homeassistant.components.http.ban import (
 from homeassistant.components.http.data_validator import RequestDataValidator
 from homeassistant.components.http.view import HomeAssistantView
 from homeassistant.core import HomeAssistant, callback
-from homeassistant.helpers.network import is_cloud_connection
+from homeassistant.helpers.network import (
+    NoURLAvailableError,
+    get_url,
+    is_cloud_connection,
+)
 from homeassistant.util.network import is_local
 
 from . import indieauth
@@ -125,11 +129,18 @@ class WellKnownOAuthInfoView(HomeAssistantView):
 
     async def get(self, request: web.Request) -> web.Response:
         """Return the well known OAuth2 authorization info."""
+        hass = request.app[KEY_HASS]
+        # Some applications require absolute urls, so we prefer using the
+        # current requests url if possible, with fallback to a relative url.
+        try:
+            url_prefix = get_url(hass, require_current_request=True)
+        except NoURLAvailableError:
+            url_prefix = ""
         return self.json(
             {
-                "authorization_endpoint": "/auth/authorize",
-                "token_endpoint": "/auth/token",
-                "revocation_endpoint": "/auth/revoke",
+                "authorization_endpoint": f"{url_prefix}/auth/authorize",
+                "token_endpoint": f"{url_prefix}/auth/token",
+                "revocation_endpoint": f"{url_prefix}/auth/revoke",
                 "response_types_supported": ["code"],
                 "service_documentation": (
                     "https://developers.home-assistant.io/docs/auth_api"
diff --git a/tests/components/auth/test_login_flow.py b/tests/components/auth/test_login_flow.py
index af9a2cf62f1..f7d20687c92 100644
--- a/tests/components/auth/test_login_flow.py
+++ b/tests/components/auth/test_login_flow.py
@@ -7,6 +7,7 @@ from unittest.mock import patch
 import pytest
 
 from homeassistant.core import HomeAssistant
+from homeassistant.core_config import async_process_ha_core_config
 
 from . import BASE_CONFIG, async_setup_auth
 
@@ -371,19 +372,54 @@ async def test_login_exist_user_ip_changes(
     assert response == {"message": "IP address changed"}
 
 
+@pytest.mark.usefixtures("current_request_with_host")  # Has example.com host
+@pytest.mark.parametrize(
+    ("config", "expected_url_prefix"),
+    [
+        (
+            {
+                "internal_url": "http://192.168.1.100:8123",
+                # Current request matches external url
+                "external_url": "https://example.com",
+            },
+            "https://example.com",
+        ),
+        (
+            {
+                # Current request matches internal url
+                "internal_url": "https://example.com",
+                "external_url": "https://other.com",
+            },
+            "https://example.com",
+        ),
+        (
+            {
+                # Current request does not match either url
+                "internal_url": "https://other.com",
+                "external_url": "https://again.com",
+            },
+            "",
+        ),
+    ],
+    ids=["external_url", "internal_url", "no_match"],
+)
 async def test_well_known_auth_info(
-    hass: HomeAssistant, aiohttp_client: ClientSessionGenerator
+    hass: HomeAssistant,
+    aiohttp_client: ClientSessionGenerator,
+    config: dict[str, str],
+    expected_url_prefix: str,
 ) -> None:
-    """Test logging in and the ip address changes results in an rejection."""
+    """Test the well-known OAuth authorization server endpoint with different URL configurations."""
+    await async_process_ha_core_config(hass, config)
     client = await async_setup_auth(hass, aiohttp_client, setup_api=True)
     resp = await client.get(
         "/.well-known/oauth-authorization-server",
     )
     assert resp.status == 200
     assert await resp.json() == {
-        "authorization_endpoint": "/auth/authorize",
-        "token_endpoint": "/auth/token",
-        "revocation_endpoint": "/auth/revoke",
+        "authorization_endpoint": f"{expected_url_prefix}/auth/authorize",
+        "token_endpoint": f"{expected_url_prefix}/auth/token",
+        "revocation_endpoint": f"{expected_url_prefix}/auth/revoke",
         "response_types_supported": ["code"],
         "service_documentation": "https://developers.home-assistant.io/docs/auth_api",
     }