diff --git a/src/main/java/eu/mulk/mulkcms2/benki/login/RoleAugmentor.java b/src/main/java/eu/mulk/mulkcms2/benki/login/RoleAugmentor.java
index 3aafc0e..37d865f 100644
--- a/src/main/java/eu/mulk/mulkcms2/benki/login/RoleAugmentor.java
+++ b/src/main/java/eu/mulk/mulkcms2/benki/login/RoleAugmentor.java
@@ -30,7 +30,6 @@
     return augmentWithRoles(identity, context);
   }
 
-  @Transactional
   Uni<SecurityIdentity> augmentWithRoles(
       SecurityIdentity identity, AuthenticationRequestContext context) {
     return context.runBlocking(
@@ -41,6 +40,7 @@
   }
 
   @CacheResult(cacheName = "login-role-cache")
+  @Transactional
   Set<String> getUserLoginRoles(String userNickname) {
     var user = User.findByNicknameWithRoles(userNickname);
     return user.effectiveRoles.stream()
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 53233ba..bbffd39 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -32,6 +32,7 @@
 quarkus.http.auth.proactive = true
 
 quarkus.oidc.auth-server-url = https://login.benkard.de/auth/realms/master
+quarkus.oidc.authentication.force-redirect-https-scheme = true
 quarkus.oidc.client-id = mulkcms
 quarkus.oidc.application-type = web-app
 quarkus.oidc.token.principal-claim = preferred_username