diff --git a/src/applications/auth/controller/oauthregistration/default/PhabricatorOAuthDefaultRegistrationController.php b/src/applications/auth/controller/oauthregistration/default/PhabricatorOAuthDefaultRegistrationController.php
index 29fdfca33d..f29fca7e5a 100644
--- a/src/applications/auth/controller/oauthregistration/default/PhabricatorOAuthDefaultRegistrationController.php
+++ b/src/applications/auth/controller/oauthregistration/default/PhabricatorOAuthDefaultRegistrationController.php
@@ -121,13 +121,19 @@ class PhabricatorOAuthDefaultRegistrationController
       $error_view->setErrors($errors);
     }
 
+    // Strip the URI down to the path, because otherwise we'll trigger
+    // external CSRF protection (by having a protocol in the form "action")
+    // and generate a form with no CSRF token.
+    $action_uri = new PhutilURI($provider->getRedirectURI());
+    $action_path = $action_uri->getPath();
+
     $form = new AphrontFormView();
     $form
       ->addHiddenInput('token', $provider->getAccessToken())
       ->addHiddenInput('expires', $oauth_info->getTokenExpires())
       ->addHiddenInput('state', $this->getOAuthState())
       ->setUser($request->getUser())
-      ->setAction($provider->getRedirectURI())
+      ->setAction($action_path)
       ->appendChild(
         id(new AphrontFormTextControl())
           ->setLabel('Username')
diff --git a/src/applications/auth/controller/oauthregistration/default/__init__.php b/src/applications/auth/controller/oauthregistration/default/__init__.php
index ba332f4cf1..441cdbc3d4 100644
--- a/src/applications/auth/controller/oauthregistration/default/__init__.php
+++ b/src/applications/auth/controller/oauthregistration/default/__init__.php
@@ -16,6 +16,7 @@ phutil_require_module('phabricator', 'view/form/control/text');
 phutil_require_module('phabricator', 'view/form/error');
 phutil_require_module('phabricator', 'view/layout/panel');
+phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'utils');
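Review bot: `getPath()` on the new `$action_uri` discards any query string the provider's redirect URI may carry, so if `getRedirectURI()` ever returns a URI with parameters, the registration form now posts to the bare path and the callback handler may no longer receive them. If a query can be present, carry it over alongside the path, e.g. `$action_path = $action_uri->getPath(); if ($action_uri->getQueryParams()) { $action_path .= '?'.http_build_query($action_uri->getQueryParams()); }` (adjust to whatever accessor PhutilURI actually exposes for the query). The path-only workaround also quietly assumes the configured redirect URI points at this same host, which is what makes reusing its path safe; stating that next to the existing comment would help the next reader, e.g. `// Assumes the provider's redirect URI is on this host, so only its path is reused.` The enclosing method begins before and ends after this hunk.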