From d295c9123e7049b0fe2edc52737ee97293864c6a Mon Sep 17 00:00:00 2001
From: WorkClub Automation
Date: Wed, 18 Mar 2026 14:47:57 +0100
Subject: [PATCH] feat: Configure Keycloak to use internal port 8081, explicitly define OIDC endpoints in NextAuth, and update API service Keycloak authority.

---
 docker-compose.yml | 10 ++++++----
 frontend/src/auth/auth.ts | 10 +++++++++-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 480ec44..fdcee81 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,8 +42,9 @@ services:
 KC_HOSTNAME: "http://localhost:8080"
 KC_HOSTNAME_STRICT: "false"
 KC_PROXY: "edge"
+ KC_HTTP_PORT: "8081"
 ports:
- - "8080:8080"
+ - "8080:8081"
 volumes:
 - ./infra/keycloak:/opt/keycloak/data/import
 depends_on:
@@ -62,20 +63,21 @@ services:
 container_name: workclub_api
 environment:
 ASPNETCORE_ENVIRONMENT: Development
- ASPNETCORE_URLS: "http://+:8080"
 ConnectionStrings__DefaultConnection: "Host=postgres;Port=5432;Database=workclub;Username=workclub;Password=dev_password_change_in_production"
- Keycloak__Authority: "http://keycloak:8080/realms/workclub"
+ Keycloak__Authority: "http://192.168.65.254:8080/realms/workclub"
 Keycloak__Audience: "workclub-api"
 Keycloak__TokenValidationParameters__ValidateIssuer: "false"
 ports:
 - "5001:8080"
 extra_hosts:
 - "localhost:host-gateway"
+ working_dir: /app
 volumes:
 - ./backend:/app:cached
 depends_on:
 postgres:
 condition: service_healthy
+ command: watch run WorkClub.Api/WorkClub.Api.csproj
 networks:
 - app-network
 
@@ -95,7 +97,7 @@ services:
 KEYCLOAK_CLIENT_ID: "workclub-app"
 KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
 KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
- KEYCLOAK_ISSUER_INTERNAL: "http://keycloak:8080/realms/workclub"
+ KEYCLOAK_ISSUER_INTERNAL: "http://keycloak:8081/realms/workclub"
 NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
 ports:
 - "3000:3000"
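Review bot: `Keycloak__Authority` in the workclub_api environment is now a hard-coded gateway address (`192.168.65.254`) that only resolves on one particular Docker Desktop setup and bypasses the compose network the other services use for discovery. The service already maps `localhost` to `host-gateway` under `extra_hosts`, so `Keycloak__Authority: "http://localhost:8080/realms/workclub"` reaches the published Keycloak port and matches the `KC_HOSTNAME`/`KEYCLOAK_ISSUER` value tokens carry as `iss`; alternatively `Keycloak__Authority: "http://keycloak:8081/realms/workclub"`, the same internal address the frontend's `KEYCLOAK_ISSUER_INTERNAL` now uses, which the existing `ValidateIssuer: "false"` already tolerates. Removing `ASPNETCORE_URLS` while adding `command: watch run WorkClub.Api/WorkClub.Api.csproj` appears to leave the in-container listen port to the image defaults or the project's launch profile; the `5001:8080` mapping still assumes 8080, so confirm the app binds there or keep `ASPNETCORE_URLS: "http://+:8080"`. If a healthcheck or `depends_on` condition elsewhere in the file probes Keycloak on 8080, it needs the same 8081 update as the first hunk's port mapping.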
diff --git a/frontend/src/auth/auth.ts b/frontend/src/auth/auth.ts
index 53aac4b..8f2460c 100644
--- a/frontend/src/auth/auth.ts
+++ b/frontend/src/auth/auth.ts
@@ -27,15 +27,23 @@ declare module "next-auth" {
 const issuerPublic = process.env.KEYCLOAK_ISSUER!
 const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
 const oidcPublic = `${issuerPublic}/protocol/openid-connect`
-const oidcInternal = `${issuerInternal}/protocol/openid-connect`
+const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
 
 export const { handlers, signIn, signOut, auth } = NextAuth({
 providers: [
 KeycloakProvider({
 clientId: process.env.KEYCLOAK_CLIENT_ID!,
 issuer: issuerPublic,
+ authorization: {
+ url: `${oidcPublic}/auth`,
+ params: { scope: "openid email profile" },
+ },
+ token: `${oidcInternal}/token`,
+ userinfo: `${oidcInternal}/userinfo`,
+ jwks_endpoint: `${oidcInternal}/certs`,
 })
 ],
+ trustHost: true,
 cookies: {
 pkceCodeVerifier: {
 name: "authjs.pkce.code_verifier",
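Review bot: `issuerInternal.replace(':8080', ':8081')` on the new `oidcInternal` line is redundant when `KEYCLOAK_ISSUER_INTERNAL` is set (the compose change already gives it port 8081) and wrong in the fallback case, where `issuerInternal` is `issuerPublic` (`http://localhost:8080/...`) and the rewrite points the token, userinfo and jwks calls at `localhost:8081`, a port nothing publishes on the host. Keep the port in the environment and drop the rewrite: `` const oidcInternal = `${issuerInternal}/protocol/openid-connect` ``. `trustHost: true` makes Auth.js build callback and redirect URLs from the incoming Host header, which is fine for this local compose setup but should not be unconditional in code; prefer removing the option and setting `AUTH_TRUST_HOST=true` in the compose environment (Auth.js reads it when `trustHost` is unset), or at least add `// trustHost: required for the local compose setup; in production only enable behind a proxy that sets Host`. The `NextAuth({...})` call continues outside the hunk.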