diff --git a/src/webserver/oidc.rs b/src/webserver/oidc.rs
index a1bec14b..3d17bbf2 100644
--- a/src/webserver/oidc.rs
+++ b/src/webserver/oidc.rs
@@ -478,6 +478,16 @@ fn parse_logout_params(query: &str) -> anyhow::Result {
 .map(Query::into_inner)
 }
+fn get_request_scheme(request: &ServiceRequest) -> String {
+ request
+ .headers()
+ .get("x-forwarded-proto")
+ .and_then(|h| h.to_str().ok())
+ .and_then(|s| s.split(',').next())
+ .map(|s| s.trim().to_string())
+ .unwrap_or_else(|| request.connection_info().scheme().to_string())
+}
+
 async fn process_oidc_logout(
 oidc_state: &OidcState,
 request: &ServiceRequest,
@@ -494,7 +504,7 @@ async fn process_oidc_logout(
 .ok()
 .flatten();
- let scheme = request.connection_info().scheme().to_string();
+ let scheme = get_request_scheme(request);
 let mut response = if let Some(end_session_endpoint) = oidc_state.get_end_session_endpoint().await {
 let absolute_redirect_uri =
@@ -1104,6 +1114,23 @@ mod tests {
 assert_eq!(location, "/foo");
 }
+ #[test]
+ fn test_get_request_scheme() {
+ use actix_web::test::TestRequest;
+ let req = TestRequest::default().to_srv_request();
+ assert_eq!(get_request_scheme(&req), "http");
+
+ let req = TestRequest::default()
+ .insert_header(("x-forwarded-proto", "https"))
+ .to_srv_request();
+ assert_eq!(get_request_scheme(&req), "https");
+
+ let req = TestRequest::default()
+ .insert_header(("x-forwarded-proto", "https, http"))
+ .to_srv_request();
+ assert_eq!(get_request_scheme(&req), "https");
+ }
+
 #[test]
 fn parse_auth0_rfc3339_updated_at() {
 let claims_json = r#"{
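Review bot: `get_request_scheme` in the first hunk returns the first `x-forwarded-proto` value verbatim, with no check that it is `http` or `https`. The second hunk assigns that string to `scheme` just before `absolute_redirect_uri` is built, so it presumably ends up in the logout redirect URI, though the construction itself is outside the hunk. The header is client-controlled unless a trusted reverse proxy overwrites it, and an empty header currently yields `""` rather than the connection's scheme. Normalising and filtering before the fallback handles both: replace the `.map(...)` line with `.map(|s| s.trim().to_ascii_lowercase())` and follow it with `.filter(|s| s == "http" || s == "https")`. A `///` comment saying the header is only meaningful behind a proxy that sets it would help, and the test in the third hunk should also cover an empty value, an unknown scheme and mixed case.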