From e4813075b7168ac2e4aa3e696cd7fd4fc246cde4 Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Sun, 1 Mar 2026 16:53:38 +0000
Subject: [PATCH] Force x-forwarded-proto to https for OIDC endpoints

---
 server/routes/.well-known/openid-configuration.get.ts | 6 ++----
 server/routes/oidc/[...].ts                           | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/server/routes/.well-known/openid-configuration.get.ts b/server/routes/.well-known/openid-configuration.get.ts
index 69ff7f5..8afa4af 100644
--- a/server/routes/.well-known/openid-configuration.get.ts
+++ b/server/routes/.well-known/openid-configuration.get.ts
@@ -14,10 +14,8 @@ export default defineEventHandler(async (event) => {
   // The provider expects the path relative to its root
   req.url = "/.well-known/openid-configuration";
 
-  // Ensure the provider sees https when behind Traefik
-  if (!req.headers["x-forwarded-proto"]) {
-    req.headers["x-forwarded-proto"] = "https";
-  }
+  // Traefik terminates TLS — tell the provider we're on https
+  req.headers["x-forwarded-proto"] = "https";
 
   const callback = provider.callback() as Function;
   await new Promise((resolve, reject) => {
diff --git a/server/routes/oidc/[...].ts b/server/routes/oidc/[...].ts
index 7b0fc5a..39528f0 100644
--- a/server/routes/oidc/[...].ts
+++ b/server/routes/oidc/[...].ts
@@ -17,10 +17,8 @@ export default defineEventHandler(async (event) => {
   // The provider's routes config includes the /oidc prefix,
   // so pass the full path through without stripping.
 
-  // Ensure the provider sees https when behind Traefik
-  if (!req.headers["x-forwarded-proto"]) {
-    req.headers["x-forwarded-proto"] = "https";
-  }
+  // Traefik terminates TLS — tell the provider we're on https
+  req.headers["x-forwarded-proto"] = "https";
 
   // Hand off to oidc-provider's Connect-style callback
   const callback = provider.callback() as Function;
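Review bot: The unconditional `req.headers["x-forwarded-proto"] = "https";` makes the provider treat every request as TLS-terminated, including any that reach the Node listener directly over plain HTTP rather than through Traefik, so the issuer/redirect URLs it builds and any secure-cookie decisions it makes will assume https on a connection that may not be; the identical assignment appears in the `server/routes/oidc/[...].ts` hunk. Whether the listener is reachable without Traefik depends on the deployment, which is not visible here, and overwriting the header also discards whatever value the proxy actually sent, which was previously honoured when present. Consider gating the override on an explicit deployment setting, e.g. `if (process.env.<FORCE_HTTPS_SETTING> === "true") req.headers["x-forwarded-proto"] = "https";` (placeholder name), or at least stating the assumption above the line with `// Assumes this listener is reachable only through Traefik; a direct HTTP request would be reported to the provider as https.` Since both routes now carry the same logic, a shared helper would keep the two in step. The enclosing handler starts and ends outside the hunk in both files.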