My keycloak runs behind a reverse proxy that does the TLS termination - and thereforce keycloak itself runs with KC_HTTP=true.

 KC_PROXY: edge
 KC_HTTP_ENABLED: "true"
 KC_HOSTNAME: "https://my-public-keycloak-url

Now I need to initiatize an auth-flow from inside an iframe.

Therefore the Auth-Flow-Cookies (e.g. AUTH_SESSION_ID) need to have "SameSite=None" and "secure".
According the code this already is intended:

But actually I get a "SameSite=Lax".
Probably because of this fallback here:

It seems that currently it is not possible to get "secure"/"SameSite=None" cookies when keyloak is running behind a reverse proxy that does the TSL termination ...?
(Which is no problem as long I don't try to login from within an iframe.)

If that's the case - I would like to propose that the following code to determine whether "secure" cookies may be used should be extended to also respect any proxy headers (X-Forwarded-Proto) that are present.

Or am I missing something and my problem lies somewhere else?