Using zammad behind nginx reverse proxy - Unable to login/sign up with Microsoft

Question

All zammad functionality is working fine except for login/signup with Microsoft

Error:

My nginx reverse proxy config is:

# Settings for a TLS enabled server.
upstream backend
{
    server 192.168.99.99:443;
}


server
{
    ssl on;
    listen 9443 ssl http2 default_server;

    ssl_certificate "/etc/pki/nginx/bundle.pem";
    ssl_certificate_key "/etc/pki/nginx/private/tpsonline.com.key";


    location /
    {
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header Host $host;
        proxy_pass https://backend;
    }

}

}

My nginx config from zammad-helm is:

server_tokens off;

upstream zammad-railsserver {
    server localhost:3000;
}

upstream zammad-websocket {
    server localhost:6042;
}

server {
    listen 8080;

    server_name _;

    root /opt/zammad/public;

    access_log /dev/stdout;
    error_log  /dev/stderr;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_pass http://zammad-railsserver;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}

What could be the reason that only functionality that's not working is sign up with microsoft?

p.s. i did follow these carefully: https://admin-docs.zammad.org/en/3.6/settings/security/third-party/microsoft.html

I did set headers as described in previous zammad issue https://github.com/zammad/zammad/issues/2758#issuecomment-536465142 but still no luck.