Fix OAuth infinite redirect loop

- Ensure redirect_uri matches exactly between authorization and token exchange
- Use SPACE_HOST consistently in both requests on HF Spaces
- Fixes 400 Bad Request error during OAuth token exchange

CHANGELOG.md

@@ -50,6 +50,11 @@
   - Added token aggregation from all sub-agents
 
 ### Fixed
+- **OAuth Redirect URI Mismatch**
+  - Fixed 400 Bad Request error during OAuth token exchange
+  - Ensured redirect_uri matches exactly between authorization and token exchange requests
+  - Both now use SPACE_HOST environment variable on HF Spaces
+
 - **Supabase Client Debug Logging**
   - Added debug output to show SUPABASE_URL and SUPABASE_KEY values during initialization
   - Added environment variable diagnostic logging in server.R to check HF Spaces secrets

server.R

@@ -248,11 +248,17 @@ if 'agents.manager_agent' in sys.modules:
     }
 
     tryCatch({
-      # Get redirect URI (use current host)
-      redirect_uri <- paste0(session$clientData$url_protocol, "//",
-                            session$clientData$url_hostname,
-                            if (session$clientData$url_port != "") paste0(":", session$clientData$url_port) else "",
-                            session$clientData$url_pathname)
+      # Get redirect URI - must match exactly what was used in authorization request
+      space_host <- Sys.getenv("SPACE_HOST", "")
+      if (space_host != "") {
+        redirect_uri <- paste0("https://", space_host)
+      } else {
+        redirect_uri <- paste0(session$clientData$url_protocol, "//",
+                              session$clientData$url_hostname,
+                              if (session$clientData$url_port != "") paste0(":", session$clientData$url_port) else "")
+      }
+
+      print(paste("OAuth: Token exchange using redirect_uri:", redirect_uri))
 
       # Exchange code for token
       token_result <- exchange_code_for_token(oauth_config, input$oauth_code, redirect_uri)