From a3b4f1118c3844eb5bc5fe6a147f6c9e66170d5d Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Sun, 1 Mar 2026 16:49:40 +0000
Subject: [PATCH] Ensure OIDC endpoints use https behind reverse proxy

Set x-forwarded-proto header on requests before passing to oidc-provider so generated URLs use https:// in production.
---
 server/routes/.well-known/openid-configuration.get.ts | 5 +++++
 server/routes/oidc/[...].ts | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/server/routes/.well-known/openid-configuration.get.ts b/server/routes/.well-known/openid-configuration.get.ts
index 4e0dc85..69ff7f5 100644
--- a/server/routes/.well-known/openid-configuration.get.ts
+++ b/server/routes/.well-known/openid-configuration.get.ts
@@ -14,6 +14,11 @@ export default defineEventHandler(async (event) => {
   // The provider expects the path relative to its root
   req.url = "/.well-known/openid-configuration";
 
+  // Ensure the provider sees https when behind Traefik
+  if (!req.headers["x-forwarded-proto"]) {
+    req.headers["x-forwarded-proto"] = "https";
+  }
+
   const callback = provider.callback() as Function;
   await new Promise((resolve, reject) => {
     callback(req, res, (err: unknown) => {
diff --git a/server/routes/oidc/[...].ts b/server/routes/oidc/[...].ts
index ec6d7be..7b0fc5a 100644
--- a/server/routes/oidc/[...].ts
+++ b/server/routes/oidc/[...].ts
@@ -17,6 +17,11 @@ export default defineEventHandler(async (event) => {
   // The provider's routes config includes the /oidc prefix,
   // so pass the full path through without stripping.
 
+  // Ensure the provider sees https when behind Traefik
+  if (!req.headers["x-forwarded-proto"]) {
+    req.headers["x-forwarded-proto"] = "https";
+  }
+
   // Hand off to oidc-provider's Connect-style callback
   const callback = provider.callback() as Function;
   await new Promise((resolve, reject) => {
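Review bot: The fallback in the added `if` block hardcodes `"https"`, so any instance reached over plain HTTP with no proxy in front (local development, a direct-to-container health check) will advertise https:// issuer and endpoint URLs in the discovery document that do not match how it was reached; the identical block appears again in the server/routes/oidc/[...].ts hunk, so a small shared helper would keep both routes in step. Deriving the fallback from the provider's configured issuer URL rather than a literal, e.g. `req.headers["x-forwarded-proto"] = ISSUER_SCHEME; /* placeholder: scheme parsed from the configured issuer */`, keeps the advertised URLs consistent with configuration instead of guessing. Because the assignment only runs when the header is absent, a scheme supplied by an upstream client is passed through untouched, which is only safe if the reverse proxy always overwrites x-forwarded-proto; the comment should state that assumption, e.g. `// Assumes the proxy overwrites x-forwarded-proto; only fill it in when missing`. oidc-provider's Koa app honours x-forwarded-* headers only when its proxy flag is enabled, and that setting is not visible in either hunk, so it is worth confirming. defineEventHandler's body starts and ends outside both hunks.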