Ensure redirect URI always has a scheme

oauthproxy.go

@@ -35,6 +35,7 @@ import (
 )
 
 const (
+	schemeHTTP      = "http"
 	schemeHTTPS     = "https"
 	applicationJSON = "application/json"
 )
@@ -971,6 +972,11 @@ func (p *OAuthProxy) getOAuthRedirectURI(req *http.Request) string {
 	rd.Host = requestutil.GetRequestHost(req)
 	rd.Scheme = requestutil.GetRequestProto(req)
 
+	// If there's no scheme in the request, we should still include one
+	if rd.Scheme == "" {
+		rd.Scheme = schemeHTTP
+	}
+
 	// If CookieSecure is true, return `https` no matter what
 	// Not all reverse proxies set X-Forwarded-Proto
 	if p.CookieSecure {