From 83525abd8afb7d59c8e1d3bf5f5c3af7accb751a Mon Sep 17 00:00:00 2001 From: Yaroslav Semennikov <52397003+ysemennikov@users.noreply.github.com> Date: Mon, 1 Dec 2025 20:35:33 +0100 Subject: [PATCH 1/3] fix(zitadel): don't prepend https if another protocol is used --- src/runtime/server/lib/oauth/zitadel.ts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/runtime/server/lib/oauth/zitadel.ts b/src/runtime/server/lib/oauth/zitadel.ts index c2a85993..7afa0ada 100644 --- a/src/runtime/server/lib/oauth/zitadel.ts +++ b/src/runtime/server/lib/oauth/zitadel.ts @@ -1,6 +1,6 @@ import type { H3Event } from 'h3' import { eventHandler, getQuery, sendRedirect } from 'h3' -import { withQuery } from 'ufo' +import { hasProtocol, withQuery } from 'ufo' import { defu } from 'defu' import type { RequestAccessTokenOptions } from '../utils' import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken, handleState, handlePkceVerifier, handleInvalidState } from '../utils' @@ -48,6 +48,7 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O config = defu(config, useRuntimeConfig(event).oauth?.zitadel, { authorizationParams: {}, }) as OAuthZitadelConfig + const domain = hasProtocol(config.domain) ? config.domain : `https://${config.domain}` const query = getQuery<{ code?: string, state?: string, error?: string }>(event) @@ -65,8 +66,8 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O return handleMissingConfiguration(event, 'zitadel', ['clientId', 'domain'], onError) } - const authorizationURL = `https://${config.domain}/oauth/v2/authorize` - const tokenURL = `https://${config.domain}/oauth/v2/token` + const authorizationURL = `${domain}/oauth/v2/authorize` + const tokenURL = `${domain}/oauth/v2/token` const redirectURL = config.redirectURL || getOAuthRedirectURL(event) // Create pkce verifier 
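Review bot: The `hasProtocol(config.domain)` test on the added `const domain` line (hunk `@@ -48,6 +48,7`) uses ufo's default, non-strict matching, which as far as I recall treats the `//` after the colon as optional. If so, a bare `host:port` value such as `auth.example.test:8443` (constructed example) counts as already having a protocol. That value used to become `https://auth.example.test:8443/...` and would now be used as-is, producing scheme-less authorize, token and userinfo URLs. Passing the strict option keeps host:port configurations working: `hasProtocol(config.domain, { strict: true })`. The same expression is carried into PATCH 2/3 and 3/3, so the change belongs on the final form of the line; the handler body starts and ends outside this hunk.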
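Review bot: The `${domain}/oauth/v2/authorize` and `${domain}/oauth/v2/token` concatenations in hunk `@@ -65,8 +66,8` assume the value carries no trailing slash or path. That is easier to violate now that a full URL is accepted: an issuer pasted as `https://host/` yields `https://host//oauth/v2/authorize`. Normalising once where `domain` is computed avoids this, for example `withoutTrailingSlash(domain)` from ufo, and the userinfo URL in the `@@ -123,7 +124,7` hunk would pick up the same value. The enclosing function continues outside the hunk.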
@@ -123,7 +124,7 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O const accessToken = tokens.access_token // Fetch user info // eslint-disable-next-line @typescript-eslint/no-explicit-any - const user: any = await $fetch(`https://${config.domain}/oidc/v1/userinfo`, { + const user: any = await $fetch(`${domain}/oidc/v1/userinfo`, { headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json', From 825de6ad22a4bb0aae6233ac170afc739e4149a8 Mon Sep 17 00:00:00 2001 From: Yaroslav Semennikov <52397003+ysemennikov@users.noreply.github.com> Date: Tue, 2 Dec 2025 10:06:30 +0100 Subject: [PATCH 2/3] fix(zitadel): fix TS issue --- src/runtime/server/lib/oauth/zitadel.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runtime/server/lib/oauth/zitadel.ts b/src/runtime/server/lib/oauth/zitadel.ts index 7afa0ada..f9d5a588 100644 --- a/src/runtime/server/lib/oauth/zitadel.ts +++ b/src/runtime/server/lib/oauth/zitadel.ts @@ -48,7 +48,6 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O config = defu(config, useRuntimeConfig(event).oauth?.zitadel, { authorizationParams: {}, }) as OAuthZitadelConfig - const domain = hasProtocol(config.domain) ? config.domain : `https://${config.domain}` const query = getQuery<{ code?: string, state?: string, error?: string }>(event) @@ -66,6 +65,7 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O return handleMissingConfiguration(event, 'zitadel', ['clientId', 'domain'], onError) } + const domain = hasProtocol(config.domain) ? config.domain : `https://${config.domain}` const authorizationURL = `${domain}/oauth/v2/authorize` const tokenURL = `${domain}/oauth/v2/token` const redirectURL = config.redirectURL || getOAuthRedirectURL(event) From 58077552ce9fdbba14af9ae3f39c2e78b22c5533 Mon Sep 17 00:00:00 2001 
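Review bot: Any scheme that passes `hasProtocol` is now used for the userinfo call in hunk `@@ -123,7 +124,7`, so a `domain` configured with `http://` sends the `Authorization: Bearer ${accessToken}` header in cleartext. The token request built from `tokenURL` in the previous hunk is presumably exposed the same way. If plain HTTP is only meant for local development, check the scheme once after `domain` is computed, e.g. `const { protocol, hostname } = new URL(domain)`, and reject or at least warn when `protocol` is not `https:` and the host is not loopback. A short comment there naming the supported schemes would make the intent explicit; the handler body continues outside this hunk.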
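Review bot: The `const domain` line added after the configuration guard in PATCH 2/3 (hunk `@@ -65,6 +66,7`) has no comment saying that `config.domain` may now be either a bare host or a URL with its own scheme. The documentation of the `domain` option is also untouched in this series. I would add `// config.domain may be a bare host (https is assumed) or a URL that already carries its scheme` above the line and mirror that wording on the option's doc comment, which is outside the visible hunks.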
From: =?UTF-8?q?S=C3=A9bastien=20Chopin?= Date: Tue, 2 Dec 2025 10:16:01 +0100 Subject: [PATCH 3/3] Apply suggestion from @atinux --- src/runtime/server/lib/oauth/zitadel.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runtime/server/lib/oauth/zitadel.ts b/src/runtime/server/lib/oauth/zitadel.ts index f9d5a588..52610aac 100644 --- a/src/runtime/server/lib/oauth/zitadel.ts +++ b/src/runtime/server/lib/oauth/zitadel.ts @@ -65,7 +65,7 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O return handleMissingConfiguration(event, 'zitadel', ['clientId', 'domain'], onError) } - const domain = hasProtocol(config.domain) ? config.domain : `https://${config.domain}` + const domain = hasProtocol(config.domain as string) ? config.domain : `https://${config.domain}` const authorizationURL = `${domain}/oauth/v2/authorize` const tokenURL = `${domain}/oauth/v2/token` const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
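Review bot: The `config.domain as string` assertion in PATCH 3/3 covers only the `hasProtocol` argument, while the other two reads of `config.domain` on the same line stay unasserted, so the type is right only as long as the guard above stays in place. If the guard's narrowing does not reach this line (the reason is not visible here), capturing the value in a local before the guard lets the compiler narrow it without a cast. That would be `const rawDomain = config.domain`, with the guard testing `!rawDomain`, and then `hasProtocol(rawDomain) ? rawDomain : ...` with the `https://` template literal built from `rawDomain`. The guard itself sits on a context line whose surrounding function extends outside the hunk.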