Force x-forwarded-proto to https for OIDC endpoints

server/routes/.well-known/openid-configuration.get.ts

@@ -14,10 +14,8 @@ export default defineEventHandler(async (event) => {
   // The provider expects the path relative to its root
   req.url = "/.well-known/openid-configuration";
 
-  // Ensure the provider sees https when behind Traefik
-  if (!req.headers["x-forwarded-proto"]) {
-    req.headers["x-forwarded-proto"] = "https";
-  }
+  // Traefik terminates TLS — tell the provider we're on https
+  req.headers["x-forwarded-proto"] = "https";
 
   const callback = provider.callback() as Function;
   await new Promise<void>((resolve, reject) => {

server/routes/oidc/[...].ts

@@ -17,10 +17,8 @@ export default defineEventHandler(async (event) => {
   // The provider's routes config includes the /oidc prefix,
   // so pass the full path through without stripping.
 
-  // Ensure the provider sees https when behind Traefik
-  if (!req.headers["x-forwarded-proto"]) {
-    req.headers["x-forwarded-proto"] = "https";
-  }
+  // Traefik terminates TLS — tell the provider we're on https
+  req.headers["x-forwarded-proto"] = "https";
 
   // Hand off to oidc-provider's Connect-style callback
   const callback = provider.callback() as Function;