From dcbb7bbe58b73b1ab15bf2407376073515d76f68 Mon Sep 17 00:00:00 2001
From: Doug Goldstein <cardoe@cardoe.com>
Date: Tue, 13 Jan 2026 01:39:41 -0600
Subject: [PATCH] fix: device callback URL needs to handle a / (#4448)

If the issuer path ends with a / the URL will be built wrong so we
should instead use the helper function to ensure the path is built
correctly. fixes #4242.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
 server/oauth2.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/oauth2.go b/server/oauth2.go
index 18cc3dd4..bd0b0530 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -491,7 +491,7 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques
 		return nil, newDisplayedErr(http.StatusBadRequest, "Unregistered redirect_uri (%q).", redirectURI)
 	}
 	if redirectURI == deviceCallbackURI && client.Public {
-		redirectURI = s.issuerURL.Path + deviceCallbackURI
+		redirectURI = s.absPath(deviceCallbackURI)
 	}
 
 	// From here on out, we want to redirect back to the client with an error.