I think we were seeing the same issue and have been able to solve it, or at least work around it.
TL;DR: Use this in your nginx config:
proxy_redirect http://$host https://$host;
We are using SAML for authentication with our SQ 8.8 instance. The issue we saw was that the POST request to the callback url (https://<sonar-url>/oauth2/callback/saml) was answered with a 302 redirect to http://<sonar-url>/<the-rest>.
So we went digging. The issue, I think, is that the construction of the redirect URL is mostly handled by Catalina, which, unlike SonarQube, does not handle the X-Forwarded-Proto header, but instead just copies the scheme from the request (see org.apache.catalina.connector.Response#toAbsolute. callchain starts at org.sonar.server.authentication.OAuth2ContextFactory.OAuthContextImpl#redirectToRequestedPage).
The solution was, as described in the TL;DR above, to rewrite all redirect locations to SQ with nginx to use https instead. See also Module ngx_http_proxy_module.
Not sure if this can be classified as a bug in SQ, or Catalina, or anywhere.