
[Middleware OAuth2] Redirect URL constructed incorrectly when OAuth2 middleware uses ForceHTTPS=true #9239

@iavorskyi

Description

In what area(s)?

/area runtime

What version of Dapr?

1.10.x (still present in v1.16.x)

Expected Behavior

When forceHTTPS is set to "true" in the OAuth2 middleware configuration, the middleware should:

  1. Save the original request URL to the session before redirecting to the OAuth provider
  2. On callback, retrieve the redirect-url from the session
  3. Force the scheme to https
  4. Redirect the user back to the original URL

Actual Behavior

When forceHTTPS is set to "true":

  1. The OAuth flow starts correctly and redirects to the OAuth provider
  2. On callback, the middleware fails to deserialize the redirect-url from the session
  3. Error occurs: "Value saved in state key 'redirect-url' is not a *url.URL"
  4. OAuth callback returns HTTP 500 Internal Server Error
  5. The user cannot reach the protected API.

Steps to Reproduce the Problem

  1. Deploy Dapr >= 1.10.0 in a Kubernetes cluster.
  2. Configure the OAuth2 middleware component with forceHTTPS: "true":

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2
  namespace: default
spec:
  type: middleware.http.oauth2
  version: v1
  metadata:
    - name: clientId
      value: "<your-client-id>"
    - name: clientSecret
      value: "<your-client-secret>"
    - name: scopes
      value: "profile,email,openid"
    - name: authURL
      value: "<your-provider-auth-url>"
    - name: tokenURL
      value: "<your-provider-token-url>"
    - name: redirectURL
      value: "https://your-domain.com/v1.0"
    - name: authHeaderName
      value: "authorization"
    - name: forceHTTPS
      value: "true"  # <-- This causes the issue
```

  3. Configure the Dapr Configuration to use the OAuth2 middleware:

```yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: pipeline
  namespace: default
spec:
  httpPipeline:
    handlers:
      - type: middleware.http.oauth2
        name: oauth2
```

  4. Deploy an application with a Dapr sidecar using this configuration.
  5. Access a protected endpoint through the ingress (e.g., https://your-domain.com/v1.0/invoke/some-service/method/endpoint).
  6. Observe the OAuth flow; the sidecar logs:

```
level=error msg="Value saved in state key 'redirect-url' is not a *url.URL"
```

  7. Result: the OAuth flow fails with HTTP 500.

Note: Setting forceHTTPS: "false" allows the flow to complete successfully, confirming the issue is specific to forceHTTPS handling.

Root cause: Inside the OAuth2 middleware, the redirect URL is stored in the session as:

```go
session.Set(redirectPath, r.URL)
```

After returning from the auth provider with the code, forceHTTPS is applied:

```go
if forceHTTPS {
	redirectURL.Scheme = "https"
}
```

Then finally:

```go
httputils.RespondWithRedirect(w, http.StatusFound, redirectURL.String())
```

When the original URL path is relative and forceHTTPS == true, r.URL.Host is empty. This produces an invalid redirect like: https:///path/to/resource, which triggers the error.

Possible solution: Use r.Host instead of r.URL.Host, since r.Host should always be populated.
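To make the failure mode concrete, here is an added, self-contained Go example (not Dapr's middleware code) that reproduces the empty-host problem with the standard library and shows the effect of the proposed fix. The functions `buggyRedirect`, `fixedRedirect` and `isAbsoluteHTTPS`, and the sample request target and host, are constructed for this illustration; they stand in for the middleware's own logic rather than reproduce it. For a request received by a Go HTTP server, `r.URL` is parsed from the request line and normally carries only the path and query, so `r.URL.Host` is empty while `r.Host` holds the Host header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// buggyRedirect mirrors the behaviour described in the issue: it copies the
// server-side r.URL (path and query only, empty Host) and forces the scheme.
// With no host, url.URL.String() yields "https:///path...".
func buggyRedirect(r *http.Request, forceHTTPS bool) string {
	u := *r.URL // copy so the request's URL is not mutated
	if forceHTTPS {
		u.Scheme = "https"
	}
	return u.String()
}

// fixedRedirect applies the suggested fix: when the URL has no host, fill it
// from r.Host, which the server always populates from the Host header.
func fixedRedirect(r *http.Request, forceHTTPS bool) string {
	u := *r.URL
	if forceHTTPS {
		u.Scheme = "https"
		if u.Host == "" {
			u.Host = r.Host
		}
	}
	return u.String()
}

// isAbsoluteHTTPS is a guard a middleware could apply before issuing the 302:
// the target must parse, use https, and name a non-empty host. A value such as
// "https:///path" parses with an empty host and is rejected.
func isAbsoluteHTTPS(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && u.Host != ""
}

func main() {
	// Constructed request resembling the one in the reproduction steps.
	r := httptest.NewRequest(http.MethodGet, "/v1.0/invoke/some-service/method/endpoint?x=1", nil)
	r.Host = "your-domain.com"

	fmt.Println("buggy:", buggyRedirect(r, true)) // https:///v1.0/invoke/...?x=1
	fmt.Println("fixed:", fixedRedirect(r, true)) // https://your-domain.com/v1.0/invoke/...?x=1
	fmt.Println("buggy valid:", isAbsoluteHTTPS(buggyRedirect(r, true)))
	fmt.Println("fixed valid:", isAbsoluteHTTPS(fixedRedirect(r, true)))
}
```

Run with `go run .`; the first line shows the malformed `https:///...` target and the second the well-formed one. Note that `r.Host` is client-controlled: a deployment that trusts it for the redirect host should also restrict the accepted hosts (for example to the ingress hostname) so the middleware cannot be turned into an open redirect.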
