
Fix OAuth2 login redirect when using context path #1892

Open

omerlebo wants to merge 2 commits into kafbat:main from omerlebo:fix/oauth2-context-path-login-redirect

Conversation

omerlebo commented Jun 23, 2026

Closes #1893

What's changed

OAuth2 login did not set an authenticationSuccessHandler, so it fell back to Spring Security's default handler, which is not aware of the servlet context path (SERVER_SERVLET_CONTEXT_PATH / server.servlet.context-path).

When kafka-ui is hosted under a base path (e.g. /kafka), the post-login 302 redirect omits the context path. The browser is sent to a location that doesn't include /kafka, so the user is stranded after authenticating instead of being routed back into the UI. Manually navigating to /kafka after login works, confirming auth itself succeeds — only the redirect target is wrong.

The LOGIN_FORM and LDAP configs already attach emptyRedirectSuccessHandler() (which prepends the context path via EmptyRedirectStrategy):

// BasicAuthSecurityConfig / LdapSecurityConfig
.formLogin(form -> form
    .loginPage(LOGIN_URL)
    .authenticationSuccessHandler(emptyRedirectSuccessHandler()))

This PR applies the same handler to oauth2Login for parity:

.oauth2Login(oauth2 -> oauth2
    .authenticationManager(delegatingAuthManager)
    .authenticationSuccessHandler(emptyRedirectSuccessHandler()))

emptyRedirectSuccessHandler() is already defined in the shared AbstractAuthSecurityConfig base class — it simply wasn't wired into the OAuth2 flow.

Tests

Adds EmptyRedirectStrategyTest covering the context-path behavior the fix depends on (and which was previously untested):

  • prepends context path to a root (/) redirect → /kafka/
  • prepends context path to an absolute-path redirect → /kafka/ui/clusters
  • leaves the location unchanged when no context path is configured
  • does not rewrite absolute-URL redirects (e.g. external IdP URLs)

How to reproduce

  1. Configure OAuth2/OIDC auth (auth.type=OAUTH2).
  2. Set SERVER_SERVLET_CONTEXT_PATH=/kafka.
  3. Log in — the post-login 302 redirect does not point to /kafka, leaving the user on a blank/unrouted page. Manually visiting /kafka works.

Affects main and the latest release (v1.5.0).

Summary by CodeRabbit

  • Bug Fixes
    • Improved OAuth login redirect handling by ensuring successful authentication uses the configured “empty redirect” behavior, keeping redirects consistent with the app’s context path.
  • Tests
    • Added JUnit coverage for redirect rewriting behavior (root redirects, context-path-prefixed paths, unchanged locations when context path is empty, and no rewriting for absolute external URLs).
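
The context-path rewrite the description relies on, as an added illustration for this page (not the project's EmptyRedirectStrategy and not Spring Security code): a context-path-unaware success handler beside a context-path-aware one, run over the same redirect targets the PR's tests list. The context path /kafka is the constructed sample from the reproduction steps; the rules for absolute URLs, protocol-relative targets and unrooted relative targets are this example's own assumptions, and the project's handling of an absolute URL with an empty path, raised in the review below, is not modelled.

```python
from urllib.parse import urlsplit

# Constructed sample context path, matching the PR's reproduction step
# SERVER_SERVLET_CONTEXT_PATH=/kafka. This is an illustration written for
# this page, not code from kafka-ui or Spring Security.
CONTEXT_PATH = "/kafka"


def default_success_location(context_path: str, target: str) -> str:
    """Success handler that is unaware of the context path (the pre-fix
    behaviour the PR describes): the raw target becomes the Location
    header, so "/" sends the browser outside the /kafka base path."""
    return target


def context_relative_location(context_path: str, target: str) -> str:
    """Context-path-aware rewrite of a redirect target.

    Assumed rules, modelled on the four cases the PR's tests list:
      1. an absolute URL (scheme or host present), e.g. an external IdP,
         is returned unchanged;
      2. with no context path configured nothing is rewritten;
      3. a root ("/") or absolute-path target gets the context path
         prepended, so "/" becomes "/kafka/".
    A protocol-relative target ("//host/...") carries a host and is
    therefore treated like an absolute URL rather than having the
    context path prepended (assumption of this example).
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return target
    if not context_path:
        return target
    if not target.startswith("/"):
        # Assumption of this example: a relative target such as
        # "ui/clusters" would otherwise be resolved by the browser against
        # the OAuth2 callback URL, so it is rooted before prefixing.
        target = "/" + target
    return context_path.rstrip("/") + target


def post_login_response(context_path: str, target: str, fixed: bool = True) -> dict:
    """Minimal model of the 302 a success handler emits after login."""
    rewrite = context_relative_location if fixed else default_success_location
    return {"status": 302, "Location": rewrite(context_path, target)}


if __name__ == "__main__":
    # Side-by-side view of the defect and the fix for the PR's cases.
    for target in ("/", "/ui/clusters", "https://idp.example.com/login"):
        before = post_login_response(CONTEXT_PATH, target, fixed=False)["Location"]
        after = post_login_response(CONTEXT_PATH, target)["Location"]
        print(f"{target:32} default: {before:32} fixed: {after}")
```

Running the script shows the defect directly: with the default handler a root target stays "/", so the browser leaves the /kafka base path, while the aware handler emits "/kafka/" and still passes an external IdP URL through untouched.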

OAuth2 login did not set an authenticationSuccessHandler, so it fell
back to Spring Security's default handler which is not aware of the
servlet context path (SERVER_SERVLET_CONTEXT_PATH). When the app is
hosted under a base path (e.g. /kafka), the post-login 302 redirect
omitted the context path, leaving the user stranded instead of being
routed back into the UI.

The LOGIN_FORM and LDAP configs already attach emptyRedirectSuccessHandler()
(which prepends the context path via EmptyRedirectStrategy); apply the
same handler to oauth2Login for parity.

Also adds unit coverage for EmptyRedirectStrategy.
@omerlebo omerlebo requested a review from a team as a code owner June 23, 2026 13:50
@kapybro kapybro Bot added status/triage/manual Manual triage in progress and removed status/triage/manual Manual triage in progress labels Jun 23, 2026
coderabbitai Bot commented Jun 23, 2026

Walkthrough

OAuthSecurityConfig.configure(...) is updated to explicitly set authenticationSuccessHandler(emptyRedirectSuccessHandler()) on the oauth2Login DSL, in addition to the existing authenticationManager. A new JUnit 5 test class, EmptyRedirectStrategyTest, validates the EmptyRedirectStrategy redirect URI rewriting logic across four scenarios.

Changes

OAuth Empty Redirect Handler

Layer: OAuth2 login success handler wiring and redirect strategy tests
File(s): api/src/main/java/io/kafbat/ui/config/auth/OAuthSecurityConfig.java, api/src/test/java/io/kafbat/ui/util/EmptyRedirectStrategyTest.java
Summary: oauth2Login now calls authenticationSuccessHandler(emptyRedirectSuccessHandler()). Four tests assert that EmptyRedirectStrategy prepends the context path to root and path-based redirects, leaves Location unchanged for an empty context path, and does not rewrite absolute external URLs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 Hop, hop, hooray — no more wild redirect!
The context path now leads where we expect,
oauth2Login wired just so,
The empty handler guides the flow,
Four tests confirm no wrong turn's checked! ✅

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'Fix OAuth2 login redirect when using context path' directly and concisely summarizes the main change: fixing OAuth2 login redirect handling for context paths.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.


github-actions Bot left a comment

Hi omerlebo! 👋

Welcome, and thank you for opening your first PR in the repo!

Please wait for triaging by our maintainers.

Please take a look at our contributing guide.

kapybro Bot commented Jun 23, 2026

AI Summary

OAuth2 login redirects ignore the servlet context path, causing users to be redirected to a URL without the base path (e.g., /kafka) after authentication, which results in a broken navigation experience. The fix applies the existing emptyRedirectSuccessHandler() to the OAuth2 flow, ensuring the context path is properly prepended to redirect URLs, consistent with how form and LDAP logins are handled. A new test confirms the redirect strategy correctly handles context paths for various redirect scenarios.

@kapybro kapybro Bot changed the title BE: Fix OAuth2 login redirect ignoring context path Fix OAuth2 login redirect when using context path Jun 23, 2026
@kapybro kapybro Bot added area/auth App authentication related issues impact/api A PR with changes which affect API scope/backend Related to backend changes type/bug Something isn't working labels Jun 23, 2026

coderabbitai Bot left a comment

Actionable comments posted: 1


Inline comments:
In `@api/src/test/java/io/kafbat/ui/util/EmptyRedirectStrategyTest.java`:
- Around line 48-57: The test method doesNotRewriteAbsoluteUrlRedirects only
covers the case where an absolute URL has an explicit path segment (like
/login), but the EmptyRedirectStrategy.createLocation() method has a separate
code path for URLs with empty paths. Add a new test method to
EmptyRedirectStrategyTest that tests the scenario with an absolute URL that has
no path (e.g., https://auth.example.com without the /login suffix). In this new
test, create an exchange with a context path, pass an absolute URI with an empty
path to the STRATEGY.sendRedirect() method, and verify the actual behavior when
the path is empty string to ensure the implementation correctly handles this
case.
📥 Commits

Reviewing files that changed from the base of the PR and between e78f6a6 and a59c107.

📒 Files selected for processing (2)
  • api/src/main/java/io/kafbat/ui/config/auth/OAuthSecurityConfig.java
  • api/src/test/java/io/kafbat/ui/util/EmptyRedirectStrategyTest.java

Comment thread on api/src/test/java/io/kafbat/ui/util/EmptyRedirectStrategyTest.java

Addresses review feedback: add a case for an absolute URL with an empty
path, which hits the createLocation() empty-path branch and is made
context-relative. Documents/verifies actual behavior so both branches
are covered.
Development

Successfully merging this pull request may close these issues.

OAuth2 login redirect ignores servlet context path