diff --git a/ee/changelogs/unreleased/oauth-geo-fix.yml b/ee/changelogs/unreleased/oauth-geo-fix.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1f8bf7bb1dd187053dfddc5806bb17b254aa780c
--- /dev/null
+++ b/ee/changelogs/unreleased/oauth-geo-fix.yml
@@ -0,0 +1,5 @@
+---
+title: 'Geo: Fix OAuth authentication with relative URL used on secondary'
+merge_request: 37083
+author:
+type: fixed
diff --git a/ee/lib/gitlab/geo/oauth/session.rb b/ee/lib/gitlab/geo/oauth/session.rb
index f0941a8aa2d5851f7a12012b2da4b0c85e8eacf9..507131fdce2de2897f6fecc17766d335dd1834c0 100644
--- a/ee/lib/gitlab/geo/oauth/session.rb
+++ b/ee/lib/gitlab/geo/oauth/session.rb
@@ -8,11 +8,12 @@ module Gitlab
         include Gitlab::Utils::StrongMemoize
         include GrapePathHelpers::NamedRouteMatcher
 
-        # We don't use oauth_token_path helper because its output depends
+        # We don't use oauth_*_path helpers because their outputs depends
         # on secondary configuration (ex., relative URL) while we really need
         # it for a primary. This is why we're building it ourselves using
-        # primary node configuration and this static URL
+        # primary node configuration and these static URLs
         TOKEN_PATH = '/oauth/token'
+        AUTHORIZATION_PATH = '/oauth/authorize'
 
         def authorize_url(params = {})
           oauth_client.auth_code.authorize_url(params)
@@ -41,7 +42,7 @@ module Gitlab
               oauth_application&.uid,
               oauth_application&.secret,
               site: Gitlab::Geo.primary_node.url,
-              authorize_url: oauth_authorization_path,
+              authorize_url: oauth_authorization_url,
               token_url: token_url
             )
           end
@@ -54,6 +55,10 @@ module Gitlab
         def token_url
           Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, TOKEN_PATH)
         end
+
+        def oauth_authorization_url
+          Gitlab::Utils.append_path(Gitlab::Geo.primary_node.internal_url, AUTHORIZATION_PATH)
+        end
       end
     end
   end
diff --git a/ee/spec/lib/gitlab/geo/oauth/session_spec.rb b/ee/spec/lib/gitlab/geo/oauth/session_spec.rb
index 258729346ca6151d70e8c221451ec9a79ccb8754..b49f179b7a165cc13f95189651c84f9fad456a9f 100644
--- a/ee/spec/lib/gitlab/geo/oauth/session_spec.rb
+++ b/ee/spec/lib/gitlab/geo/oauth/session_spec.rb
@@ -19,6 +19,23 @@ RSpec.describe Gitlab::Geo::Oauth::Session, :geo do
     it 'returns a valid url to the primary node' do
       expect(subject.authorize_url).to start_with(primary_node.internal_url)
     end
+
+    context 'secondary is configured with relative URL' do
+      def stub_relative_url(host, script_name)
+        url_options = { host: host, protocol: "http", port: nil, script_name: script_name }
+
+        allow(Rails.application.routes).to receive(:default_url_options).and_return(url_options)
+      end
+
+      it 'does not include secondary relative URL path' do
+        secondary_url = 'http://secondary.host/relative-path/'
+
+        stub_config_setting(url: secondary_url, https: false)
+        stub_relative_url('secondary.host', '/relative-path')
+
+        expect(subject.authorize_url).not_to include('relative-path')
+      end
+    end
   end
 
   describe '#authenticate' do