Unable to do git clone/push to private repository after updating ROOT_URL

I am installing Gitea version v1.22.1 using a Helm chart, and everything works fine when exposing it with the root domain (domain.com). However, when I expose it using a subpath (domain.com/ui/gitea), I encounter issues.

Server config for reference,

[server]
DISABLE_SSH = true
DOMAIN = domain.com
HTTP_PORT = 3000
APP_DATA_PATH = /data
STATIC_URL_PREFIX = /ui/gitea
LFS_JWT_SECRET = 
ENABLE_PPROF = false
ROOT_URL = https://<domain.com>/ui/gitea
PROTOCOL = http

I have integrated Gitea with Keycloak(OAuth2 authentication), and after updating the subpath(/ui/gitea), I can successfully log in via Keycloak, create repositories, create files, and commit code through the UI.

However, when I generate PAT and try run Git commands (both clone and push) on private repository, I get unauthorised error.

Git Clone Trace:

GIT_TRACE=1 GIT_CURL_VERBOSE=1 git clone https://giteaci:<PAT>@domain/ui/gitea/giteaci/test.git 
 16:24:00.058393 http.c:664              == Info: Issue another request to this URL: 'https://giteaci:<PAT>@domain/ui/gitea/giteaci/test.git/info/refs?service=git-upload-pack'
16:24:00.058463 http.c:664              == Info: Found bundle for host domain: 0x564108721dd0 [can multiplex]
16:24:00.058504 http.c:664              == Info: Re-using existing connection! (#0) with host domain
16:24:00.058564 http.c:664              == Info: Connected to domain (x.x.x.x) port 443 (#0)
16:24:00.058612 http.c:664              == Info: Server auth using Basic with user 'giteaci'
16:24:00.058666 http.c:664              == Info: Using Stream ID: 3 (easy handle 0x56410871bd00)
16:24:00.058798 http.c:611              => Send header, 0000000337 bytes (0x00000151)
16:24:00.058823 http.c:623              => Send header: GET /ui/gitea/giteaci/test.git/info/refs?service=git-upload-pack HTTP/2
16:24:00.058849 http.c:623              => Send header: Host: domain
16:24:00.058858 http.c:623              => Send header: authorization: Basic <redacted>
16:24:00.058870 http.c:623              => Send header: user-agent: git/2.34.1
16:24:00.058877 http.c:623              => Send header: accept: */*
16:24:00.058894 http.c:623              => Send header: accept-encoding: deflate, gzip, br, zstd
16:24:00.058913 http.c:623              => Send header: pragma: no-cache
16:24:00.058920 http.c:623              => Send header: git-protocol: version=2
16:24:00.058933 http.c:623              => Send header:
16:24:00.067827 http.c:611              <= Recv header, 0000000013 bytes (0x0000000d)
16:24:00.067863 http.c:623              <= Recv header: HTTP/2 401
remote: Unauthorized
fatal: Authentication failed for 'https://domain/ui/gitea/giteaci/test.git/'

Gitea Pod Logs:

gitea 2024/07/17 14:24:00 ...eb/routing/logger.go:102:func1() [I] router: completed GET //giteaci/test.git/info/refs?service=git-upload-pack for x.x.x.x,x.x.x.x:0, 401 Unauthorized in 6.6ms @ repo/githttp.g │o:517(repo.GetInfoRefs)                                                                                                                                                                                                           
gitea 2024/07/17 14:24:00 ...eb/routing/logger.go:102:func1() [I] router: completed GET //giteaci/test.git/info/refs?service=git-upload-pack for x.x.x.x,x.x.x.x:0, 401 Unauthorized in 4.5ms @ repo/githttp.g │o:517(repo.GetInfoRefs)

Put in your config https://domain.com:3000/ with the port. It works for me without sufix url. I mean, remove the ui/gitea