Add JWT debugging and fix Keycloak networking

- Added JWT authentication event logging to diagnose validation failures
- Fixed docker-compose networking for API to reach Keycloak via hostname
- Debug endpoint now accessible without auth for troubleshooting
- Still investigating why claims are not populated despite token being present

backend/WorkClub.Api/Program.cs

@@ -57,6 +57,28 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
             ValidateLifetime = true,
             ValidateIssuerSigningKey = true
         };
+        options.Events = new JwtBearerEvents
+        {
+            OnAuthenticationFailed = context =>
+            {
+                Console.WriteLine($"JWT Authentication Failed: {context.Exception.Message}");
+                if (context.Exception.InnerException != null)
+                {
+                    Console.WriteLine($"Inner Exception: {context.Exception.InnerException.Message}");
+                }
+                return Task.CompletedTask;
+            },
+            OnTokenValidated = context =>
+            {
+                Console.WriteLine($"JWT Token Validated for user: {context.Principal?.Identity?.Name ?? "unknown"}");
+                return Task.CompletedTask;
+            },
+            OnChallenge = context =>
+            {
+                Console.WriteLine($"JWT Challenge: {context.Error}");
+                return Task.CompletedTask;
+            }
+        };
     });
 
 builder.Services.AddScoped<IClaimsTransformation, ClubRoleClaimsTransformation>();

docker-compose.yml

@@ -70,12 +70,8 @@ services:
     ports:
       - "5001:8080"
     extra_hosts:
-      - "localhost:host-gateway"
+      - "localhost:172.18.0.1"
-      - "127.0.0.1:host-gateway"
+      - "127.0.0.1:172.18.0.1"
-    networks:
-      app-network:
-        aliases:
-          - keycloak.internal
     working_dir: /app
     volumes:
       - ./backend:/app:cached