Backwards compatibility AdminURL not working #3920

Open
3 of 5 tasks
Falco20019 opened this issue Jan 10, 2025 · 1 comment
Labels
bug Something is not working.


Falco20019 commented Jan 10, 2025

Preflight checklist

Ory Network Project

No response

Describe the bug

If SERVE_ADMIN_HOST is configured, it's not used for backwards compatibility correctly. If it's not set at all, localhost:4445 will be used instead, which is not working for a provider in docker as localhost would refer to the container itself. This was already mentioned in #3335 but never followed up on.

Reproducing the bug

  1. Start hydra (i.e. in docker)
  2. Access /oauth2/auth/requests/login (or any other Admin endpoint)
  3. Get forwarded to http:///admin/oauth2/auth/requests/login

Relevant log output

Without SERVE_ADMIN_HOST: hydra:

2025-01-10 11:05:38 time=2025-01-10T10:05:38Z level=info msg=completed handling request http_request=map[headers:map[accept-encoding:gzip user-agent:Go-http-client/1.1] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.18.0.4:58494 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:http://localhost:4445/admin/oauth2/auth/requests/login?login_challenge=...] size:1551 status:307 text_status:Temporary Redirect took:346.221µs]

With SERVE_ADMIN_HOST: hydra:

2025-01-10 11:06:40 time=2025-01-10T10:06:40Z level=info msg=completed handling request http_request=map[headers:map[accept-encoding:gzip user-agent:Go-http-client/1.1] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.18.0.4:32962 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:http:///admin/oauth2/auth/requests/login?login_challenge=...] size:1537 status:307 text_status:Temporary Redirect took:395.047µs]

Relevant configuration

SERVE_ADMIN_HOST: hydra

Version

2.2.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

I tried to use icoreru/werther:v1.2.1 with oryd/hydra:v2.2.0. Since it's still using the old API, it uses the endpoints without /admin. This should work using the backwards compatibility forward, but it's failing due to the aforementioned bug.


Falco20019 commented Jan 10, 2025

I assume the issue is happening here:

```go
func (p *DefaultProvider) fallbackURL(ctx context.Context, path string, host string, port int) *url.URL {
	var u url.URL
	u.Scheme = "http"
	if tls := p.TLS(ctx, PublicInterface); tls.Enabled() || !p.IsDevelopmentMode(ctx) {
		u.Scheme = "https"
	}
	if host == "" {
		u.Host = fmt.Sprintf("%s:%d", "localhost", port)
	}
	u.Path = path
	return &u
}
```

I would assume the u.Host needs to be set also if host is not empty as I don't see any other location where it would be set (not sure if RequestURIF would do it as I'm not too deep into GoLang). Or it would have been assumed to create a relative link, but due to the scheme always being set, it's ending up with an incomplete URL.
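
The redirect values seen in the logs can be reproduced with the Go standard library alone. The following is an added example, not code from Hydra or from the issue author: buildAsReported mirrors the host handling of the quoted snippet, while buildWithHost and redirectUsable are hypothetical helpers, and the scheme is passed in directly instead of being derived from the TLS configuration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// buildAsReported mirrors the quoted snippet: Host is only set when host is empty.
func buildAsReported(scheme, path, host string, port int) *url.URL {
	u := url.URL{Scheme: scheme}
	if host == "" {
		u.Host = fmt.Sprintf("%s:%d", "localhost", port)
	}
	u.Path = path
	return &u
}

// buildWithHost is a hypothetical variant (not the project's fix) that always
// assigns Host, falling back to localhost only when none is configured.
func buildWithHost(scheme, path, host string, port int) *url.URL {
	if host == "" {
		host = "localhost"
	}
	return &url.URL{
		Scheme: scheme,
		Host:   net.JoinHostPort(host, strconv.Itoa(port)),
		Path:   path,
	}
}

// redirectUsable checks that a Location value is an absolute http(s) URL with a host.
func redirectUsable(location string) bool {
	u, err := url.Parse(location)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Hostname() != ""
}

func main() {
	const path = "/admin/oauth2/auth/requests/login"
	for _, host := range []string{"", "hydra"} { // constructed sample inputs
		bad := buildAsReported("http", path, host, 4445).String()
		good := buildWithHost("http", path, host, 4445).String()
		fmt.Printf("host=%q reported=%s usable=%t | variant=%s usable=%t\n", host, bad, redirectUsable(bad), good, redirectUsable(good))
	}
}
```

A check like redirectUsable fits a regression test on the compatibility redirect, so a Location header without a host is caught before a client receives it.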
