Preflight checklist
Ory Network Project
No response
Describe the bug
Hi all, when upgrading to Oathkeeper v26.2.0 from v25.4.0 I see a weird redirection behavior with session authentication. I have set up the following:
```yaml
errors:
  fallback:
    - redirect
  handlers:
    redirect:
      enabled: true
      config:
        to: https://blub.bla/login
        return_to_query_param: return_to
```
and also configured:
```yaml
serve:
  proxy:
    port: 4455
    trust_forwarded_headers: true
```
I am certain my ingress (contour) correctly sets the X-Forwarded-Proto header to https. But since the upgrade all my redirects are redirecting to http instead of https.
My suspicion is that this commit, "Only use X-Forwarded-Proto header when trusted" (e9acca1), is causing the behavior. I just can't understand why, because I have configured `trust_forwarded_headers: true`.
Thanks for checking!
Reproducing the bug
Setup Oathkeeper with below container spec:
```yaml
- name: oathkeeper
  image: ory-oathkeeper-image-placeholder
  imagePullPolicy: IfNotPresent
  args:
    - serve
    - proxy
    - --config
    - /etc/config/oathkeeper.yaml
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 200m
      memory: 128Mi
  ports:
    - containerPort: 4455
      name: proxy-port
    - containerPort: 4456
      name: api-port
  volumeMounts:
    - name: oathkeeper-rules-vol
      mountPath: /etc/rules
      readOnly: true
    - name: oathkeeper-config-vol
      mountPath: /etc/config
      readOnly: true
  livenessProbe:
    httpGet:
      path: /health/alive
      port: 4456
    initialDelaySeconds: 5
  readinessProbe:
    httpGet:
      path: /health/ready
      port: 4456
    initialDelaySeconds: 5
```
Relevant log output
Relevant configuration
```yaml
log:
  level: error
  leak_sensitive_values: false
serve:
  proxy:
    port: 4455
    trust_forwarded_headers: true
access_rules:
  repositories:
    - file:///etc/rules/access-rules.json
errors:
  fallback:
    - redirect
  handlers:
    redirect:
      enabled: true
      config:
        to: https://myloginapp.secret
        return_to_query_param: return_to
    json:
      enabled: true
      config:
        verbose: true
mutators:
  noop:
    enabled: true
  header:
    enabled: true
    config:
      headers: {}
authorizers:
  allow:
    enabled: true
  deny:
    enabled: true
authenticators:
  noop:
    enabled: true
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos-public.cluster.local:80/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://hydra-admin.svc.cluster.local:4445/admin/oauth2/introspect
      preserve_host: true
      scope_strategy: exact
      introspection_request_headers:
        "x-forwarded-proto": "https"
      required_scope:
        - "test"
      target_audience:
        - "hellohello"
      trusted_issuers:
        - "https://scammer.org/"
```
Version
v26.2.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
Kubernetes
Additional Context
No response
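An added example (not Oathkeeper's own code; the function names and the request are assumed) of the decision the linked commit describes, applied to the redirect handler's return_to: the X-Forwarded-Proto header is honoured only when the upstream proxy is declared trusted, and the output shows the scheme dropping to http when it is not, which is exactly the symptom reported above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// RequestScheme picks the scheme used to rebuild the original request URL.
// X-Forwarded-Proto is honoured only when the upstream proxy is declared
// trusted (trust_forwarded_headers); otherwise the scheme comes from the
// connection itself, which behind a TLS-terminating ingress is plain http.
func RequestScheme(r *http.Request, trustForwarded bool) string {
	if trustForwarded {
		p := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
		if p == "http" || p == "https" { // ignore values that are not a real scheme
			return p
		}
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// LoginRedirect builds the redirect target: loginURL with the original
// request URL attached under returnToParam (return_to_query_param).
func LoginRedirect(r *http.Request, trustForwarded bool, loginURL, returnToParam string) (string, error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return "", err
	}
	original := url.URL{Scheme: RequestScheme(r, trustForwarded), Host: r.Host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
	q := u.Query()
	q.Set(returnToParam, original.String())
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed request: what a TLS-terminating ingress forwards over plain HTTP.
	req, _ := http.NewRequest("GET", "http://app.example.internal/dashboard?tab=1", nil)
	req.Header.Set("X-Forwarded-Proto", "https")
	for _, trust := range []bool{true, false} {
		target, _ := LoginRedirect(req, trust, "https://blub.bla/login", "return_to")
		fmt.Printf("trust_forwarded_headers=%v -> %s\n", trust, target)
	}
}
```

When checking a deployment, compare the Location header of a real redirect against the value of X-Forwarded-Proto the ingress actually sends; if they disagree while the trust setting is on, the header is not reaching the proxy as expected.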