DefGuard · wojcik91 · Feb 25, 2026 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/flake.lock b/flake.lock
diff --git a/proto b/proto
diff --git a/src/config.rs b/src/config.rs
@@ -26,9 +26,19 @@ pub struct EnvConfig {
     pub grpc_port: u16,
 
     #[arg(long, env = "DEFGUARD_PROXY_GRPC_CERT")]
+    #[serde(skip_serializing)]
+    #[deprecated(
+        since = "2.0.0",
+        note = "Certificates are automatically generated by Core CA"
+    )]
     pub grpc_cert: Option<String>,
 
     #[arg(long, env = "DEFGUARD_PROXY_GRPC_KEY")]
+    #[serde(skip_serializing)]
+    #[deprecated(
+        since = "2.0.0",
+        note = "Certificates are automatically generated by Core CA"
+    )]
     pub grpc_key: Option<String>,
 
     #[arg(long, env = "DEFGUARD_PROXY_LOG_LEVEL", default_value_t = LevelFilter::Info)]
@@ -47,6 +57,8 @@ pub struct EnvConfig {
         default_value = "http://localhost:8080"
     )]
     #[serde(default = "default_url")]
+    #[serde(skip_serializing)]
+    #[deprecated(since = "2.0.0", note = "Public URL is generated by Core instead")]
     pub url: Url,
 
     /// Configuration file path

diff --git a/src/enterprise/handlers/desktop_client_mfa.rs b/src/enterprise/handlers/desktop_client_mfa.rs
@@ -79,8 +79,9 @@ pub(super) async fn mfa_auth_callback(
     let request = ClientMfaOidcAuthenticateRequest {
         code: payload.code,
         nonce,
-        callback_url: state.callback_url(&payload.flow_type).to_string(),
         state: payload.state,
+        #[allow(deprecated)]
+        callback_url: String::new(),
     };
 
     debug!("Sending MFA OIDC authenticate request to core service");

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
@@ -12,8 +12,8 @@ use crate::{
     handlers::get_core_response,
     http::AppState,
     proto::{
-        core_request, core_response, AuthCallbackRequest, AuthCallbackResponse, AuthInfoRequest,
-        DeviceInfo,
+        core_request, core_response, AuthCallbackRequest, AuthCallbackResponse, AuthFlowType,
+        AuthInfoRequest, DeviceInfo,
     },
 };
 
@@ -68,9 +68,15 @@ async fn auth_info(
 ) -> Result<(PrivateCookieJar, Json<AuthInfo>), ApiError> {
     debug!("Getting auth info for OAuth2/OpenID login");
 
+    let auth_flow_type = match request_data.flow_type {
+        FlowType::Enrollment => AuthFlowType::Enrollment as i32,
+        FlowType::Mfa => AuthFlowType::Mfa as i32,
+    };
     let request = AuthInfoRequest {
-        redirect_url: state.callback_url(&request_data.flow_type).to_string(),
+        #[allow(deprecated)]
+        redirect_url: String::new(),
         state: request_data.state,
+        auth_flow_type,
     };
 
     let rx = state
@@ -158,7 +164,8 @@ async fn auth_callback(
     let request = AuthCallbackRequest {
         code: payload.code,
         nonce,
-        callback_url: state.callback_url(&payload.flow_type).to_string(),
+        #[allow(deprecated)]
+        callback_url: String::new(),
     };
 
     let rx = state

diff --git a/src/http.rs b/src/http.rs
@@ -26,12 +26,11 @@ use tower_governor::{
 };
 use tower_http::trace::{self, TraceLayer};
 use tracing::{info_span, Level};
-use url::Url;
 
 use crate::{
     assets::{index, web_asset},
     config::EnvConfig,
-    enterprise::handlers::openid_login::{self, FlowType},
+    enterprise::handlers::openid_login,
     error::ApiError,
     grpc::{Configuration, ProxyServer},
     handlers::{desktop_client_mfa, enrollment, password_reset, polling},
@@ -53,23 +52,6 @@ pub const GRPC_KEY_NAME: &str = "proxy_grpc_key.pem";
 pub(crate) struct AppState {
     pub(crate) grpc_server: ProxyServer,
     cookie_key: Arc<RwLock<Option<Key>>>,
-    url: Url,
-}
-
-impl AppState {
-    /// Returns configured URL with "auth/callback" appended to the path.
-    #[must_use]
-    pub(crate) fn callback_url(&self, flow_type: &FlowType) -> Url {
-        let mut url = self.url.clone();
-        // Append "/openid/callback" to the URL.
-        if let Ok(mut path_segments) = url.path_segments_mut() {
-            match flow_type {
-                FlowType::Enrollment => path_segments.extend(&["openid", "callback"]),
-                FlowType::Mfa => path_segments.extend(&["openid", "mfa", "callback"]),
-            };
-        }
-        url
-    }
 }
 
 impl FromRef<AppState> for Key {
@@ -354,7 +336,6 @@ pub async fn run_server(
     let shared_state = AppState {
         cookie_key,
         grpc_server,
-        url: env_config.url.clone(),
     };
 
     // Setup tower_governor rate-limiter

diff --git a/web/package.json b/web/package.json
@@ -20,8 +20,8 @@
     "@tanstack/react-form": "^1.28.3",
     "@tanstack/react-query": "^5.90.21",
     "@tanstack/react-query-devtools": "^5.91.3",
-    "@tanstack/react-router": "^1.162.8",
-    "@tanstack/react-router-devtools": "^1.162.8",
+    "@tanstack/react-router": "^1.163.2",
+    "@tanstack/react-router-devtools": "^1.163.2",
     "@uidotdev/usehooks": "^2.4.1",
     "axios": "^1.13.5",
     "change-case": "^5.4.4",
@@ -42,7 +42,7 @@
     "@biomejs/biome": "2.3.14",
     "@inlang/paraglide-js": "2.10.0",
     "@tanstack/devtools-vite": "^0.5.1",
-    "@tanstack/router-plugin": "^1.162.8",
+    "@tanstack/router-plugin": "^1.163.2",
     "@types/lodash-es": "^4.17.12",
     "@types/node": "^25.3.0",
     "@types/qs": "^6.14.0",