Update Geo OAuth redirect URI to use external primary URL

Because the internal URL is something internal to the Geo sites,
and the external URL is what users would access in the first place,
this updates the secondary login OAuth flow to always redirect users
to the external URL even if an internal URL is set for the primary.

ee/changelogs/unreleased/cat-geo-oauth-redirect-internal-url.yml

+---
+title: Update Geo OAuth redirect URI to use the external primary URL even when an
+  internal URL exists
+merge_request: 58966
+author:
+type: fixed

ee/lib/gitlab/geo/oauth/session.rb

@@ -57,7 +57,7 @@ module Gitlab
         end
 
         def oauth_authorization_url
-          Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, AUTHORIZATION_PATH)
+          Gitlab::Utils.append_path(Gitlab::Geo.primary_node.url, AUTHORIZATION_PATH)
         end
       end
     end

ee/spec/lib/gitlab/geo/oauth/session_spec.rb

@@ -17,7 +17,7 @@ RSpec.describe Gitlab::Geo::Oauth::Session, :geo do
 
   describe '#authorized_url' do
     it 'returns a valid url to the primary node' do
-      expect(subject.authorize_url).to start_with(primary_node.internal_url)
+      expect(subject.authorize_url).to start_with(primary_node.url)
     end
 
     context 'secondary is configured with relative URL' do
@@ -36,6 +36,15 @@ RSpec.describe Gitlab::Geo::Oauth::Session, :geo do
         expect(subject.authorize_url).not_to include('relative-path')
       end
     end
+
+    context 'primary is configured with a different internal URL' do
+      it 'uses the external URL for the authorize redirect' do
+        primary_node.update!(internal_url: 'http://internal-primary')
+
+        expect(subject.authorize_url).not_to include('internal-primary')
+        expect(subject.authorize_url).to start_with(primary_node.url)
+      end
+    end
   end
 
   describe '#authenticate' do