Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

After updating the helm chart from 8.2.0 to 8.3.1 (appversion 3.0.11 -> 3.1.1), the OIDC configured with keycloak returns an error page and no longer logs in.

The error is

Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided

I also test the helm chart 8.2.7, which works fine. 8.3.0 also does not work.

I have set the logging to JSON and debug but I do not really see anything useful when looking at the server pods logs.

To Reproduce

Install using the helmfile 8.3.0 or 8.3.1 (non HA version) and setup a keycloak OIDC configuration

configs:
  cm:
    oidc.config: |
      name: Keycloak
      issuer: ISSUER
      clientID: argo-cd
      enablePKCEAuthentication: true
      requestedScopes: ["openid", "profile", "email", "groups"]

Expected behavior

Redirect to the Keycloak login page

Screenshots

Version

Helmfile 8.3.1 Application 3.1.1

argocd: v3.1.1+fa342d1
BuildDate: 2025-08-25T15:32:14Z
GitCommit: fa342d1
GitTreeState: clean
GoVersion: go1.24.6
Compiler: gc
Platform: linux/amd64

Logs

│ {"level":"info","msg":"Initializing OIDC provider (issuer: ISSUER)","time":"2025-08-28T06:53:30Z"}                           
│ {"level":"info","msg":"OIDC supported scopes: [openid roles service_account email basic microprofile-jwt profile web-origins organization address phone offline_access acr groups]","time"