Ensure OIDC endpoints use https behind reverse proxy

Set x-forwarded-proto header on requests before passing to oidc-provider so generated URLs use https:// in production.
2026-03-01 16:49:40 +00:00 · 2026-03-01 16:49:40 +00:00 · a3b4f1118c
commit a3b4f1118c
parent f43d1bf500
2 changed files with 10 additions and 0 deletions
--- a/server/routes/.well-known/openid-configuration.get.ts
+++ b/server/routes/.well-known/openid-configuration.get.ts
@ -14,6 +14,11 @@ export default defineEventHandler(async (event) => {
  // The provider expects the path relative to its root
  req.url = "/.well-known/openid-configuration";

+  // Ensure the provider sees https when behind Traefik
+  if (!req.headers["x-forwarded-proto"]) {
+    req.headers["x-forwarded-proto"] = "https";
+  }
+
  const callback = provider.callback() as Function;
  await new Promise<void>((resolve, reject) => {
    callback(req, res, (err: unknown) => {
--- a/server/routes/oidc/[...].ts
+++ b/server/routes/oidc/[...].ts
@ -17,6 +17,11 @@ export default defineEventHandler(async (event) => {
  // The provider's routes config includes the /oidc prefix,
  // so pass the full path through without stripping.

+  // Ensure the provider sees https when behind Traefik
+  if (!req.headers["x-forwarded-proto"]) {
+    req.headers["x-forwarded-proto"] = "https";
+  }
+
  // Hand off to oidc-provider's Connect-style callback
  const callback = provider.callback() as Function;
  await new Promise<void>((resolve, reject) => {