fix(deploy): enable uvicorn --proxy-headers so OIDC works behind reverse proxies

Without ``--proxy-headers``, uvicorn ignores the X-Forwarded-Proto
header set by an upstream reverse proxy (AWS ALB, Nginx, Cloudflare,
…) and ``request.url.scheme`` inside the container reads "http" even
when the user hit "https". Every scheme-aware code path then silently
builds wrong URLs — most visibly the OIDC redirect_uri, which fails
to match what's registered with the IdP. Entra returns AADSTS50011;
Google / Okta / Auth0 surface equivalents. Login is dead on arrival.

The fix is a one-line addition to the production CMD in Dockerfile.
``--forwarded-allow-ips=*`` is safe behind ECS+ALB (and any equivalent
shape) because the network controls ensure only the proxy can reach
:8080 and the proxy strips client-supplied X-Forwarded-* before
forwarding.

Caught while planning the UIC production rollout of PR2 (#129) before
any wrong URI ever reached Entra.

Also adds a "Behind a reverse proxy" section to the SSO how-to so
other OSS operators don't rediscover this. The fix is now baked into
the shipped Dockerfile, but operators who replace the CMD need to
keep the flag.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
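The failure mode the commit describes, and the reason ``--forwarded-allow-ips`` matters, as an added example that is not part of the commit, the project or uvicorn itself. It reimplements in a few lines the trust decision uvicorn's proxy-headers middleware makes (rewrite the scheme from X-Forwarded-Proto only when the TCP peer is an allowed proxy) and feeds the result into a toy OIDC login route that derives redirect_uri from the request scheme. The hostname app.example.com, the callback path /auth/callback, the proxy IP 10.0.0.5 and the registered redirect URI are assumptions for the demo; ``ProxyHeadersMiddleware`` here is a simplified stand-in, not uvicorn's class.

```python
"""Model of what uvicorn's --proxy-headers / --forwarded-allow-ips change.

Added example, not uvicorn's or the project's code. A minimal ASGI app builds
an OIDC redirect_uri from the scheme the server exposes; a simplified
proxy-headers middleware decides whether X-Forwarded-Proto may override it.
"""
import asyncio
from typing import Dict, Iterable, Optional

# Hypothetical values for the demo; not taken from the project.
CALLBACK_PATH = "/auth/callback"
REGISTERED_REDIRECT_URIS = {"https://app.example.com/auth/callback"}


async def oidc_login_app(scope, receive, send):
    """Minimal ASGI app: builds redirect_uri from scope['scheme'], as a
    scheme-aware login route (request.url.scheme) would."""
    headers = dict(scope["headers"])
    host = headers.get(b"host", b"").decode()
    redirect_uri = f"{scope['scheme']}://{host}{CALLBACK_PATH}"
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": redirect_uri.encode()})


class ProxyHeadersMiddleware:
    """Simplified stand-in for uvicorn's middleware (not its code).

    trusted_hosts mirrors --forwarded-allow-ips: peer IPs, or "*" for any.
    Only requests whose TCP peer is trusted get their scheme rewritten from
    X-Forwarded-Proto; a client connecting directly cannot forge it.
    """

    def __init__(self, app, trusted_hosts: Iterable[str]):
        self.app = app
        self.trusted = set(trusted_hosts)
        self.trust_all = "*" in self.trusted

    def _is_trusted(self, scope) -> bool:
        client = scope.get("client")
        return self.trust_all or (client is not None and client[0] in self.trusted)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and self._is_trusted(scope):
            proto = dict(scope["headers"]).get(b"x-forwarded-proto")
            if proto:
                # First value wins if several proxies appended to the header.
                scope = {**scope, "scheme": proto.decode().split(",")[0].strip()}
        await self.app(scope, receive, send)


async def _call(app, client_ip: str, headers: Dict[str, str]) -> str:
    """Drive an ASGI app with a constructed request; return the response body."""
    scope = {
        "type": "http", "method": "GET", "path": "/login",
        "scheme": "http",            # plain HTTP inside the container
        "client": (client_ip, 51234),
        "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()],
    }
    chunks = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.body":
            chunks.append(message.get("body", b""))

    await app(scope, receive, send)
    return b"".join(chunks).decode()


def redirect_uri_seen_by_app(client_ip: str, forwarded_proto: Optional[str],
                             allow_ips: Optional[Iterable[str]]) -> str:
    """allow_ips=None models a server started without --proxy-headers."""
    headers = {"Host": "app.example.com"}
    if forwarded_proto:
        headers["X-Forwarded-Proto"] = forwarded_proto
    app = (oidc_login_app if allow_ips is None
           else ProxyHeadersMiddleware(oidc_login_app, allow_ips))
    return asyncio.run(_call(app, client_ip, headers))


def idp_accepts(redirect_uri: str) -> bool:
    """IdPs require an exact match against the registered redirect URIs."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    cases = [
        ("no --proxy-headers, TLS terminated at the proxy", "10.0.0.5", "https", None),
        ("--proxy-headers --forwarded-allow-ips=*, via proxy", "10.0.0.5", "https", ["*"]),
        ("allow-ips=10.0.0.5, direct client forging the header", "203.0.113.9", "https", ["10.0.0.5"]),
    ]
    for label, ip, proto, allow in cases:
        uri = redirect_uri_seen_by_app(ip, proto, allow)
        print(f"{label}: {uri} -> IdP {'accepts' if idp_accepts(uri) else 'rejects'}")
```

The first case is the bug from the commit: the proxy says https, the container never learns it, and the http:// redirect_uri fails the IdP's exact-match check. The second is the fix. The third shows why ``--forwarded-allow-ips`` is the guard that makes trusting the header safe: a peer that is not on the allow list cannot upgrade its own scheme by sending X-Forwarded-Proto, which is also why ``*`` is only acceptable when the network guarantees that every peer is the proxy and the proxy strips client-supplied X-Forwarded-* headers.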