URL fragment is lost when using username/password form #4462

@hvoort


Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

master

Storage Type

SQLite

Installation Type

Binary

Expected Behavior

When you visit a URL with a fragment and get redirected to dex to authenticate, the fragment should be part of the URL when redirected back to the original URL.

Example: A user navigates to https://example.com/#/about/me. It is redirected for authentication to dex IDP for LDAP authentication. When successfully authenticated, it will end up being redirected to https://example.com/

Actual Behavior

When you visit a URL with a fragment and get redirected to dex to authenticate, the form interaction (password.html) will remove (or not include) the fragment in the form action.

The fragment should be part of the form post so that it is present in the URL when redirected back to the original URL.

Steps To Reproduce

  1. Check out master
  2. make build
  3. Run dex: ./bin/dex serve examples/config-dev.yaml
  4. Run the example app: cd examples && go run ./example-app
  5. Go to http://127.0.0.1:5555/ and click login
  6. Add #foobar to the URL and force refresh
  7. Click "Login with email" and observe the fragment is gone
  8. Add #foobar to the URL and force refresh
  9. Log in using static user credentials admin@example.com and password and observe the fragment is gone when redirected.

Additional Information

This issue exists because the URL fragment stays in the browser; it's a client-side part. So with the first URL request from the browser, the server can have many redirects and the fragment will stay. But when there is a form to submit something (user/pass) and the fragment is not included, it will be lost.

The redirect URL is created on the server, and it is expected that this does not include the URL fragment.

oauth2-proxy has a similar fix for this problem: https://github.com/oauth2-proxy/oauth2-proxy/blob/0100ca9403399716586f56a08c784fc690c6fc79/pkg/app/pagewriter/sign_in.html#L113

--

I'm using dex + LDAP as IDP with oauth2-proxy to protect an upstream webserver. I only have one connector and the auth selection page is skipped.

Configuration

examples/config-dev.yaml

Logs
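
The behaviour requested above, as an added example that is not part of the original issue and is not code from dex or oauth2-proxy: a client-side script that copies the browser-only fragment into the login form's action before the POST, so the browser carries it through the redirects that follow. The helper names `withFragment` and `preserveFragment`, and the `form[method="post"]` selector, are assumptions about the login template.

```javascript
// Added example: keep the browser-only URL fragment across a login form POST.
// withFragment() and preserveFragment() are hypothetical helper names.

// Return the form action with `hash` as its only fragment.
// `hash` is expected in the shape of window.location.hash ("" or "#...").
function withFragment(action, hash) {
  if (typeof hash !== 'string' || hash.length < 2 || hash[0] !== '#') {
    return action; // nothing to carry over, or not a fragment at all
  }
  // Drop any fragment already on the action so repeated calls do not stack.
  const cut = action.indexOf('#');
  const base = cut >= 0 ? action.slice(0, cut) : action;
  // Only the part after '#' changes; the path and query of the POST target
  // stay exactly as the server rendered them.
  return base + hash;
}

// Rewrite the action of every POST form in `doc` using `loc.hash`.
// Returns the number of forms touched.
function preserveFragment(doc, loc) {
  const forms = doc.querySelectorAll('form[method="post"]'); // assumed selector
  for (const form of forms) {
    const action = form.getAttribute('action') || '';
    form.setAttribute('action', withFragment(action, loc.hash));
  }
  return forms.length;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const run = () => preserveFragment(document, window.location);
  document.addEventListener('DOMContentLoaded', run);
  // The user may edit the fragment while the login form is displayed.
  window.addEventListener('hashchange', run);
}
```

The fragment is link-controlled input, so the application that finally receives it should treat it as untrusted, the same as any other part of the URL.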
