From 7b01c9007f4695a86b26348aac10c9bcea9afcb1 Mon Sep 17 00:00:00 2001
From: waterponey <prosper.burq@gmail.com>
Date: Sat, 21 Mar 2026 12:03:34 +0100
Subject: [PATCH 1/2] fix(frontend): include basePath in AUTH_OIDC_BASE_URL

When global.basePath.enabled is true, AUTH_OIDC_BASE_URL now appends the
frontend base path to the ingress host. This fixes OIDC authentication
failures where the redirect_uri sent to the identity provider was missing
the base path (e.g. /datahub), causing an "Invalid parameter: redirect_uri"
error.

Also adds an oidcBaseUrl override in the oidcAuthentication values block
for cases where the automatically constructed URL is not suitable.

Closes #680
---
 .../subcharts/datahub-frontend/templates/deployment.yaml    | 6 ++++++
 charts/datahub/subcharts/datahub-frontend/values.yaml       | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/charts/datahub/subcharts/datahub-frontend/templates/deployment.yaml b/charts/datahub/subcharts/datahub-frontend/templates/deployment.yaml
index e253d7ba2..7e0c1188c 100644
--- a/charts/datahub/subcharts/datahub-frontend/templates/deployment.yaml
+++ b/charts/datahub/subcharts/datahub-frontend/templates/deployment.yaml
@@ -244,7 +244,13 @@ spec:
               value: {{ .clientSecret }}
             {{- end }}
             - name: AUTH_OIDC_BASE_URL
+            {{- if .oidcBaseUrl }}
+              value: {{ .oidcBaseUrl }}
+            {{- else if $.Values.global.basePath.enabled }}
+              value: https://{{ (first $.Values.ingress.hosts).host }}{{ $.Values.global.basePath.frontend }}
+            {{- else }}
               value: https://{{ (first $.Values.ingress.hosts).host }}
+            {{- end }}
             - name: AUTH_OIDC_USER_NAME_CLAIM
               value: {{ .user_name_claim | default "email" }}
             - name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
diff --git a/charts/datahub/subcharts/datahub-frontend/values.yaml b/charts/datahub/subcharts/datahub-frontend/values.yaml
index c90428165..913846d96 100644
--- a/charts/datahub/subcharts/datahub-frontend/values.yaml
+++ b/charts/datahub/subcharts/datahub-frontend/values.yaml
@@ -126,6 +126,10 @@ oidcAuthentication:
   # if needed, it should set meaningful defaults from provider
   # scope: "openid profile email"
 
+  # Override the base URL used for OIDC redirect URIs.
+  # When not set, the chart builds it from the first ingress host (and basePath if enabled).
+  # oidcBaseUrl: https://example.com/datahub
+
   # The attribute that will contain the username used on the DataHub platform.
   # user_name_claim: "email"
   # A regex string used for extracting the username from the userNameClaim attribute.

From 94734fb1009c37f8ab31714279837a91964e3b47 Mon Sep 17 00:00:00 2001
From: Prosper Burq <prosper.burq@gmail.com>
Date: Mon, 23 Mar 2026 18:39:54 +0100
Subject: [PATCH 2/2] fix(frontend): chart version to 0.8.23

bump chart version
---
 charts/datahub/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/datahub/Chart.yaml b/charts/datahub/Chart.yaml
index 624a091a1..befcc5880 100644
--- a/charts/datahub/Chart.yaml
+++ b/charts/datahub/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for DataHub
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.8.22
+version: 0.8.23
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.