Web application access with browser fails from root cluster with trusted clusters in Teleport >=16.4.0

[mcantinqc]

Expected behavior: Web application access should work seamlessly from a root cluster with trusted clusters configured.

Current behavior: When trying to access a web application hosted in a leaf Teleport cluster from a root Teleport cluster with trust enabled, the access fails with the error message: "Access denied Failed to match applications with FQDN", we are never redirected to the application url. This issue is specific to browser-based access, as accessing the application using the Teleport CLI (tsh app login A) works without any problems.

Bug details: Teleport version: 16.4.0 and 16.4.2 (tested on both versions)

Recreation steps: Set up a Teleport root cluster with trust enabled to a leaf cluster Configure a web application (A) in the leaf Teleport cluster Attempt to access the web application (A) from the root cluster using a web browser

Debug logs: The API response visible in the browser console shows the following:

{
  "fqdn": "app-a.root.example.io",
  "requiredAppFQDNs": [
    "app-a.leaf.example.io"
  ]
}

I didn't found error on cluster logs.

Additional information: Rolling back to Teleport version 16.3.0 resolved the issue, confirming that the problem is specific to versions 16.4.0 and more.