From 18e93f064462b42955285d2f1420416b87fa0d57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 8 Oct 2024 12:53:26 +0300
Subject: [PATCH 1/2] feat(auth): allow setting external secure
---
 pkg/authentication/authenticate.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkg/authentication/authenticate.go b/pkg/authentication/authenticate.go
index 29879c6..b792c72 100644
--- a/pkg/authentication/authenticate.go
+++ b/pkg/authentication/authenticate.go
@@ -27,6 +27,7 @@ type Authenticator[T Ctx] struct {
 sessions Sessions[T]
 encryptionKey string
 sessionCookieName string
+ externalSecure bool
 }
 // Option allows customization of the [Authenticator] such as logging and more.
@@ -55,6 +56,12 @@ func WithSessionCookieName[T Ctx](cookieName string) Option[T] {
 }
 }
+func WithExternalSecure[T Ctx](externalSecure bool) Option[T] {
+ return func(a *Authenticator[T]) {
+ a.externalSecure = externalSecure
+ }
+}
+
 func New[T Ctx](ctx context.Context, zitadel *zitadel.Zitadel, encryptionKey string, initAuthentication HandlerInitializer[T], options ...Option[T]) (*Authenticator[T], error) {
 authN, err := initAuthentication(ctx, zitadel)
 if err != nil {
@@ -143,7 +150,7 @@ func (a *Authenticator[T]) Logout(w http.ResponseWriter, req *http.Request) {
 a.deleteSessionCookie(w)
 proto := "http"
- if req.TLS != nil {
+ if req.TLS != nil || a.externalSecure {
 proto = "https"
 }
 postLogout := fmt.Sprintf("%s://%s/", proto, req.Host)
From 53cb67a29d90e31824c1a7cb52562e6a7b11e78a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 8 Oct 2024 13:05:12 +0300
Subject: [PATCH 2/2] godoc
---
 pkg/authentication/authenticate.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/authentication/authenticate.go b/pkg/authentication/authenticate.go
index b792c72..93e5edf 100644
--- a/pkg/authentication/authenticate.go
+++ b/pkg/authentication/authenticate.go
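Review bot: In the Logout hunk of PATCH 1/2 the post-logout URL is still assembled from `req.Host`, which is taken from the request, and the new `a.externalSecure` flag only settles the scheme in front of it. Behind a reverse proxy the Host value is whatever the proxy forwards, so the redirect target depends on the proxy pinning or normalising that header; presumably the identity provider's registered post-logout URIs are the only other check, which this hunk does not show. A why-comment above the condition would record that assumption, e.g. `// req.TLS is nil behind a TLS-terminating proxy; externalSecure asserts the public scheme is https, and req.Host must be set by that trusted proxy.` Logout's body starts before and continues after the hunk.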
@@ -56,6 +56,7 @@ func WithSessionCookieName[T Ctx](cookieName string) Option[T] {
 }
 }
+// WithExternalSecure allows using https redirects when the service is behind a reverse proxy.
 func WithExternalSecure[T Ctx](externalSecure bool) Option[T] {
 return func(a *Authenticator[T]) {
 a.externalSecure = externalSecure
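Review bot: The added godoc on WithExternalSecure does not say that passing `true` is unconditional: the flag is a static setting, not something detected per request. In the series as shown, its only visible use is the scheme of the post-logout redirect built in Logout. A more precise wording would be `// WithExternalSecure makes Logout build its post-logout redirect with the https scheme even when req.TLS is nil; enable it only when a TLS-terminating reverse proxy fronts every request.` The function body continues past the end of the hunk.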