From 87c315c6fd6d2a180a5b73f8da0c63f3c254268a Mon Sep 17 00:00:00 2001 From: WorkClub Automation Date: Fri, 20 Mar 2026 10:49:55 +0100 Subject: [PATCH] Fix Keycloak hostname configuration for Docker internal communication - Add MetadataAddress configuration to JWT middleware for internal Docker URLs - Add KC_HOSTNAME_ADMIN and KC_SPI_HOSTNAME_DEFAULT_ADMIN to Keycloak env - This ensures API can fetch JWKS from Keycloak via internal Docker network - Tests passing: 63/63 --- backend/WorkClub.Api/Program.cs | 9 +++++++++ docker-compose.yml | 3 +++ 2 files changed, 12 insertions(+) diff --git a/backend/WorkClub.Api/Program.cs b/backend/WorkClub.Api/Program.cs index 1cbe477..0382631 100644 --- a/backend/WorkClub.Api/Program.cs +++ b/backend/WorkClub.Api/Program.cs @@ -50,6 +50,15 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) options.Audience = builder.Configuration["Keycloak:Audience"]; options.RequireHttpsMetadata = false; options.MapInboundClaims = false; + + // For Docker internal communication, use the direct Keycloak URL for metadata + // This bypasses the hostname mismatch in Keycloak's discovery endpoint + var keycloakAuthority = builder.Configuration["Keycloak:Authority"]; + if (keycloakAuthority?.Contains("keycloak:") == true) + { + options.MetadataAddress = $"{keycloakAuthority}/.well-known/openid-configuration"; + } + options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = false, // Disabled for local dev - external clients use localhost:8080, internal use keycloak:8080 diff --git a/docker-compose.yml b/docker-compose.yml index a0f8439..77bcb3f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -43,6 +43,9 @@ services: KC_HOSTNAME_STRICT: "false" KC_PROXY: "edge" KC_HTTP_PORT: "8081" + # Additional hostname for internal Docker communication + KC_HOSTNAME_ADMIN: "http://keycloak:8081" + KC_SPI_HOSTNAME_DEFAULT_ADMIN: "keycloak:8081" ports: - "8080:8081" volumes: