diff --git a/packages/worker/src/api/controllers/admin/auth.js b/packages/worker/src/api/controllers/admin/auth.js
index 2a641e6194..3cdfc1b774 100644
--- a/packages/worker/src/api/controllers/admin/auth.js
+++ b/packages/worker/src/api/controllers/admin/auth.js
@@ -144,7 +144,9 @@ async function oidcStrategyFactory(ctx, configId) {
 
   const chosenConfig = config.configs.filter(c => c.uuid === configId)[0]
 
-  const callbackUrl = `${ctx.protocol}://${ctx.host}/api/admin/auth/oidc/callback`
+  // require https callback in production
+  const protocol = process.env.NODE_ENV === "production" ? "https" : "http"
+  const callbackUrl = `${protocol}://${ctx.host}/api/admin/auth/oidc/callback`
 
   return oidc.strategyFactory(chosenConfig, callbackUrl)
 }