Support SCRIPT_NAME (subdirectory or proxied environment)

.rubocop_gradual.lock

@@ -5,10 +5,10 @@
     [114, 30, 3, "Style/AndOr: Use `&&` instead of `and`.", 193409806],
     [114, 37, 1, "Lint/AssignmentInCondition: Wrap assignment in parentheses if intentional", 177560]
   ],
-  "spec/integration/middleware_spec.rb:4062046892": [
+  "spec/integration/middleware_spec.rb:4142891586": [
     [3, 16, 39, "RSpec/DescribeClass: The first argument to describe should be the class or module being tested.", 638096201],
     [30, 14, 10, "RSpec/ExpectActual: Provide the actual value you are testing to `expect(...)`.", 837117997],
-    [65, 5, 317, "RSpec/LeakyConstantDeclaration: Stub class constant instead of declaring explicitly.", 424933157]
+    [81, 5, 317, "RSpec/LeakyConstantDeclaration: Stub class constant instead of declaring explicitly.", 424933157]
   ],
   "spec/integration/roda_integration_spec.rb:1921252381": [
     [3, 16, 50, "RSpec/DescribeClass: The first argument to describe should be the class or module being tested.", 3681952328],
@@ -30,14 +30,14 @@
     [47, 7, 38, "RSpec/AnyInstance: Avoid stubbing using `allow_any_instance_of`.", 3627954156],
     [84, 7, 48, "RSpec/AnyInstance: Avoid stubbing using `allow_any_instance_of`.", 2759780562]
   ],
-  "spec/omniauth/strategies/ldap_spec.rb:783052937": [
-    [93, 13, 9, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 1130140517],
-    [148, 17, 28, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 3444838747],
-    [157, 17, 23, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 1584148894],
-    [168, 17, 32, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 1515076977],
-    [177, 19, 19, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 2526348694],
-    [203, 17, 56, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 2413495789],
-    [218, 13, 9, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 3182939526],
-    [251, 15, 19, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 2526348694]
+  "spec/omniauth/strategies/ldap_spec.rb:2044523926": [
+    [120, 13, 9, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 1130140517],
+    [175, 17, 28, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 3444838747],
+    [184, 17, 23, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 1584148894],
+    [195, 17, 32, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 1515076977],
+    [204, 19, 19, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 2526348694],
+    [230, 17, 56, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 2413495789],
+    [245, 13, 9, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 3182939526],
+    [278, 15, 19, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 2526348694]
   ]
 }

CHANGELOG.md

@@ -22,6 +22,10 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Added
 
+- Support for SCRIPT_NAME for proper URL generation
+  - behind certain proxies/load balancers, or
+  - under a subdirectory
+
 ### Changed
 
 ### Deprecated

README.md

@@ -401,6 +401,81 @@ provider :ldap,
 
 This trims `[email protected]` to `alice` before searching.
 
+### Mounted under a subdirectory (SCRIPT_NAME)
+
+If your app is served from a path prefix (for example, behind a reverse proxy at `/myapp`, or mounted via Rack::URLMap, or Rails `relative_url_root`), the OmniAuth callback must include that subdirectory. This strategy uses `callback_url` for the form action and redirects, so it automatically includes any `SCRIPT_NAME` set by Rack/Rails. In other words, you typically do not need any special configuration beyond ensuring `SCRIPT_NAME` is correct in the request environment.
+
+- Works out-of-the-box when:
+  - You mount the app at a path using Rack’s `map`/`URLMap`.
+  - You set Rails’ `config.relative_url_root` (or `RAILS_RELATIVE_URL_ROOT`) or deploy under a prefix with a reverse proxy that sets `SCRIPT_NAME`.
+
+Rack example (mounted at /myapp):
+
+```ruby
+# config.ru
+require "rack"
+require "omniauth-ldap"
+
+app = Rack::Builder.new do
+  use(Rack::Session::Cookie, secret: "change_me")
+  use(OmniAuth::Builder) do
+    provider(
+      :ldap,
+      host: "ldap.example.com",
+      base: "dc=example,dc=com",
+      uid: "uid",
+      title: "Example LDAP",
+    )
+  end
+
+  run(->(env) { [404, {"Content-Type" => "text/plain"}, [env.key?("omniauth.auth").to_s]] })
+end
+
+run Rack::URLMap.new(
+  "/myapp" => app,
+)
+```
+
+- Visiting `POST /myapp/auth/ldap` renders the login form with `action='http://host/myapp/auth/ldap/callback'`.
+- Any redirects (including header-based SSO fast path) will also point to `http://host/myapp/auth/ldap/callback`.
+
+Rails example (relative_url_root):
+
+```ruby
+# config/environments/production.rb (or an initializer)
+Rails.application.configure do
+  config.relative_url_root = "/myapp"  # or set ENV["RAILS_RELATIVE_URL_ROOT"]
+end
+
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use(OmniAuth::Builder) do
+  provider :ldap,
+    title: "Acme LDAP",
+    host: "ldap.acme.internal",
+    base: "dc=acme,dc=corp",
+    uid: "uid"
+end
+```
+
+- With `relative_url_root` set, Rails/Rack provide `SCRIPT_NAME=/myapp`, and this strategy will issue a form with `action='.../myapp/auth/ldap/callback'` and redirect accordingly.
+
+Behind proxies with unusual host/proto handling (optional):
+
+OmniAuth usually derives the correct scheme/host/prefix from Rack (and standard `X-Forwarded-*` headers). If your environment produces incorrect absolute URLs, you can override the computed host and prefix by setting `OmniAuth.config.full_host`:
+
+```ruby
+OmniAuth.config.full_host = lambda do |env|
+  scheme = (env["HTTP_X_FORWARDED_PROTO"] || env["rack.url_scheme"]).to_s.split(",").first
+  host = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"] || [env["SERVER_NAME"], env["SERVER_PORT"]].compact.join(":")
+  script = env["SCRIPT_NAME"].to_s
+  "#{scheme}://#{host}#{script}"
+end
+```
+
+Note: You generally do not need this override. Prefer configuring your proxy to pass standard `X-Forwarded-Proto` and `X-Forwarded-Host` headers and let Rack/OmniAuth compute the full URL.
+
+- Header-based SSO (`header_auth: true`) also respects `SCRIPT_NAME`; when a trusted header is present on `POST /myapp/auth/ldap`, the strategy redirects to `http://host/myapp/auth/ldap/callback`.
+
 ### Trusted header SSO (REMOTE_USER and friends)
 
 Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via an HTTP header such as `REMOTE_USER`.

docs/OmniAuth.html

@@ -107,7 +107,7 @@ <h2>Defined Under Namespace</h2>
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP.html

@@ -135,7 +135,7 @@ <h2>
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor.html

@@ -1036,7 +1036,7 @@ <h3 class="signature first" id="bind_as-instance_method">
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/AuthenticationError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/ConfigurationError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/ConnectionError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/LdapError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Version.html

@@ -111,7 +111,7 @@ <h2>
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/Strategies.html

@@ -105,7 +105,7 @@ <h2>Defined Under Namespace</h2>
 </div>
 
       <div id="footer">
-  Generated on Wed Nov  5 04:53:08 2025 by
+  Generated on Wed Nov  5 20:02:30 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>