From 4c8b180383cd38831ac55b388b6045469c8c4355 Mon Sep 17 00:00:00 2001
From: Dotty Dotter <dotty@Mac-mini-von-Dotty.local>
Date: Fri, 10 Apr 2026 21:16:15 +0200
Subject: [PATCH] =?UTF-8?q?Fix:=20Keycloak=20redirect=5Furi=20http?=
 =?UTF-8?q?=E2=86=92https=20(Traefik=20TLS-Termination)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/main.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/main.py b/app/main.py
index a7abcd9..320bf53 100644
--- a/app/main.py
+++ b/app/main.py
@@ -296,8 +296,10 @@ async def auth_login_url(request: Request, redirect: str = "/"):
     """Keycloak-Login-URL für den Browser-Redirect."""
     if not _is_auth_enabled():
         return {"enabled": False, "url": ""}
-    # Construct absolute redirect URI
-    base = str(request.base_url).rstrip("/")
+    # Construct absolute redirect URI. Traefik terminiert TLS, deshalb
+    # sieht FastAPI http:// als base_url. Erzwinge https:// damit die
+    # redirect_uri zum Keycloak-Client-Config passt.
+    base = str(request.base_url).rstrip("/").replace("http://", "https://"  )
     url = keycloak_login_url(f"{base}{redirect}")
     return {"enabled": True, "url": url}