OpenID redirects are whitelisted based on the spec. Getting in the business of specifying a redirect to the authorize route and modifying it once we return is definitely something that breaks OpenID spec compliance.
Out of curiosity, is there any reason why you can’t specify the https redirect URL for the authorize route?
Are you using ASP.NET Core’s OpenID Connect package? The callback path uses the application’s base path, so you just need to set that to https, and I think you would be set.
Let me know any questions.
Thanks,
Tom