diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index 14fb813b2..f699370eb 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -17,7 +17,7 @@ const (
 )
 
 func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
-	rd := r.Header.Get(redirectParam)
+	rd := r.URL.Query().Get(redirectParam)
 	if rd == "" {
 		return "", false
 	}
@@ -28,16 +28,16 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
 	}
 	// Check to make sure we only redirect to allowed places
 	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
-		if !strings.Contains(u.String(), a.ProxyConfig().ExternalHost) {
+		if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) {
 			a.log.Warning("redirect URI did not contain external host")
 			return "", false
 		}
 	} else {
-		if !strings.HasSuffix(rd, *a.ProxyConfig().CookieDomain) {
+		if !strings.HasSuffix(rd, *a.proxyConfig.CookieDomain) {
 			return "", false
 		}
 	}
-	return u.String(), false
+	return u.String(), true
 }
 
 func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
diff --git a/internal/outpost/proxyv2/application/oauth_test.go b/internal/outpost/proxyv2/application/oauth_test.go
new file mode 100644
index 000000000..ced8f2fdb
--- /dev/null
+++ b/internal/outpost/proxyv2/application/oauth_test.go
@@ -0,0 +1,32 @@
+package application
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCheckRedirectParam(t *testing.T) {
+	a := newTestApplication()
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start", nil)
+
+	rd, ok := a.checkRedirectParam(req)
+
+	assert.Equal(t, false, ok)
+	assert.Equal(t, "", rd)
+
+	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil)
+
+	rd, ok = a.checkRedirectParam(req)
+
+	assert.Equal(t, false, ok)
+	assert.Equal(t, "", rd)
+
+	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test", nil)
+
+	rd, ok = a.checkRedirectParam(req)
+
+	assert.Equal(t, true, ok)
+	assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
+}
diff --git a/internal/outpost/proxyv2/application/test.go b/internal/outpost/proxyv2/application/test.go
index 8e1fbc340..c87e7cbfc 100644
--- a/internal/outpost/proxyv2/application/test.go
+++ b/internal/outpost/proxyv2/application/test.go
@@ -15,6 +15,7 @@ func newTestApplication() *Application {
 			ClientId:                   api.PtrString(ak.TestSecret()),
 			ClientSecret:               api.PtrString(ak.TestSecret()),
 			CookieSecret:               api.PtrString(ak.TestSecret()),
+			ExternalHost:               "https://ext.t.goauthentik.io",
 			CookieDomain:               api.PtrString(""),
 			Mode:                       api.PROXYMODE_FORWARD_SINGLE.Ptr(),
 			SkipPathRegex:              api.PtrString("/skip.*"),