fix(auth): add JWT audience claim and disable issuer validation

- Added Keycloak audience protocol mapper to workclub-app client - Maps 'workclub-api' to aud claim in access tokens - Disabled issuer validation in API for local dev - External clients use localhost:8080, internal use keycloak:8080 - Prevents validation mismatch in Docker network environment This resolves 401 Unauthorized errors on all authenticated endpoints. Ref: .sisyphus/evidence/final-f3-manual-qa.md lines 418-444
2026-03-05 14:12:53 +01:00
parent 8643c3dfa7
commit b813043195
2 changed files with 2 additions and 1 deletions
--- a/backend/WorkClub.Api/Program.cs
+++ b/backend/WorkClub.Api/Program.cs
@@ -47,7 +47,7 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        options.RequireHttpsMetadata = false;
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
-            ValidateIssuer = true,
+            ValidateIssuer = false,  // Disabled for local dev - external clients use localhost:8080, internal use keycloak:8080
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -63,6 +63,7 @@ services:
      ConnectionStrings__DefaultConnection: "Host=postgres;Port=5432;Database=workclub;Username=workclub;Password=dev_password_change_in_production"
      Keycloak__Authority: "http://keycloak:8080/realms/workclub"
      Keycloak__Audience: "workclub-api"
      Keycloak__TokenValidationParameters__ValidateIssuer: "false"
    ports:
      - "5001:8080"
    volumes: