From b3ce0faf2617a54480e86e69d3eca3bd80c6affa Mon Sep 17 00:00:00 2001 From: Ben Harper Date: Wed, 22 Apr 2026 00:30:04 +1000 Subject: [PATCH] docs: document necessity of forwarded-allow-ips with OIDC behind reverse-proxy https in oidc-v2.md (#7424) Co-authored-by: Michael Genson <71845777+michael-genson@users.noreply.github.com> --- .../documentation/getting-started/authentication/oidc-v2.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/docs/documentation/getting-started/authentication/oidc-v2.md b/docs/docs/documentation/getting-started/authentication/oidc-v2.md index 14032dbd5..ccfef3f91 100644 --- a/docs/docs/documentation/getting-started/authentication/oidc-v2.md +++ b/docs/docs/documentation/getting-started/authentication/oidc-v2.md @@ -42,6 +42,10 @@ Before you can start using OIDC Authentication, you must first configure a new c http://localhost:9091/login https://mealie.example.com/login + If you are hosting Mealie behind a reverse proxy (nginx, Caddy, ...) to terminate TLS, make sure to start Mealie's Gunicorn server + with `--forwarded-allow-ips=`, otherwise the `X-Forwarded-*` headers will be ignored and the generated OIDC redirect + URI will use the wrong scheme (http instead of https). This will lead to authentication errors with strict OIDC providers. + 3. Configure allowed scopes The scopes required are `openid profile email`
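Review bot: In the added paragraph, `--forwarded-allow-ips=` is shown with nothing after the `=`, so a reader cannot tell what to pass. State the expected value, that is, the address of the reverse proxy that terminates TLS (or a comma-separated list of such addresses), and include one concrete example line with a placeholder address. The paragraph should also say that the value is best limited to the proxy itself rather than a wildcard, because any peer on that list can set the `X-Forwarded-*` headers and so control the scheme used in the generated OIDC redirect URI. Finally, the text does not say where a user supplies this option in a typical deployment; a short pointer to where the Gunicorn arguments are set would make the instruction actionable.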