Geo secondary auth redirects to the internal URL of the primary site
Summary
If a different internal_url is configured for the Primary Geo site, during authentication on the Geo secondary, the user will get redirected to this internal URL instead. This breaks the authentication flow if the internal URL is "actually" internal, i.e. only reachable from the secondary Geo site.
Steps to reproduce
- On a Geo setup, set a different internal_url for the primary
- Attempt authentication on the Geo secondary site, and notice the redirects:
$ curl -c c.jar -b c.jar -L -v -x '' https://gitlab-external.secondary/ 2>&1 | grep Location
< Location: https://gitlab-external.secondary/users/sign_in
< Location: https://gitlab-external.secondary/oauth/geo/auth?state=[FILTERED]
< Location: https://gitlab-internal.primary/oauth/authorize?client_id=[FILTERED]&redirect_uri=https%3A%2F%2Fgitlab-external.secondary%2Foauth%2Fgeo%2Fcallback&response_type=code&state=[FILTERED]
What is the current bug behavior?
Auth on the secondary redirects to the internal URL of the primary.
What is the expected correct behavior?
Users should be redirected to the external URL of the primary, considering that's what they access in the browser.
Possible fixes
Update how oauth_authorization_url gets built to not use the internal URL.
Marking as severity2 initially (might be severity3 due to low occurrence), since the only "workaround" is to not use an internal URL (which may incur network transfer fees, etc., in some specific cases, or be slower overall due to the need to go through a load balancer or similar), or for every user to manually replace the internal URL with the external URL in their browser when getting redirected.
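A regression check for the redirect chain shown in the steps to reproduce, as an added example (not GitLab code): it reads `curl -v` output and reports every hop whose `Location` host is not in a list of hosts a browser can reach. The function names are hypothetical, the sample chain is constructed from the `Location` lines in this report, and the list of allowed hosts is whatever the operator passes in.

```shell
#!/usr/bin/env bash
# Added example: flag sign-in redirects that leave the externally reachable hosts.

# Constructed sample: the Location lines from the report.
sample_chain() {
cat <<'EOF'
< Location: https://gitlab-external.secondary/users/sign_in
< Location: https://gitlab-external.secondary/oauth/geo/auth?state=[FILTERED]
< Location: https://gitlab-internal.primary/oauth/authorize?client_id=[FILTERED]&redirect_uri=https%3A%2F%2Fgitlab-external.secondary%2Foauth%2Fgeo%2Fcallback&response_type=code&state=[FILTERED]
EOF
}

# Print the host part of an absolute URL (drops scheme, userinfo, port, path).
url_host() {
  local rest="${1#*://}"
  rest="${rest%%[/?#]*}"
  rest="${rest##*@}"
  printf '%s\n' "${rest%%:*}"
}

# stdin: `curl -v` output; args: hosts a browser can reach.
# Prints "hop<TAB>host" per offending redirect; returns 1 if any was found.
check_redirect_hosts() {
  local line url host allowed ok hop=0 bad=0 cr
  cr=$(printf '\r')
  while IFS= read -r line; do
    line="${line%"$cr"}"                    # header lines may end in CR
    case $line in
      '< Location: '*|'< location: '*) ;;   # HTTP/2 prints lowercase names
      *) continue ;;
    esac
    hop=$((hop + 1))
    url="${line#*: }"
    case $url in
      http://*|https://*) ;;
      *) continue ;;                        # relative redirect: same host
    esac
    host=$(url_host "$url")
    ok=0
    for allowed in "$@"; do
      if [ "$host" = "$allowed" ]; then ok=1; fi
    done
    if [ "$ok" -eq 0 ]; then
      printf '%s\t%s\n' "$hop" "$host"
      bad=1
    fi
  done
  return "$bad"
}
```

Pipe the output of the `curl ... -L -v` command from the steps above (without the `grep`) into `check_redirect_hosts`, passing the external hostnames of both Geo sites as arguments. On the sample chain, the third hop is reported because `gitlab-internal.primary` is not an external host.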