We are struggling at the moment. A protected resource loaded inside iframe is blocked by mixed active content because the auth_callback URL is served over http instead of https.
Our current flow is:
Apache reverse proxy -> nodejs application with openid Keycloak
Nginx reverse proxy -> Keycloak Docker container
We do not know what part of these flows are throwing away the SSL. Can anyone please help or advise?