- Bypass NextAuth OIDC discovery with explicit token/userinfo endpoints using internal Docker DNS, avoiding 'issuer string did not match' errors.
- Fix next.config.ts API route interception that incorrectly forwarded NextAuth routes to backend by using 'fallback' rewrites.
- Add 'Use different credentials' button to login page and AuthGuard for clearing stale sessions.
- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app)
- Resolves frontend chicken-and-egg problem for club discovery
Verified:
- /api/clubs/me returns 200 OK without X-Tenant-Id header
- /api/tasks still requires X-Tenant-Id (400 Bad Request)
- Other endpoints unaffected
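The path exemption and the two verified outcomes above (200 for /api/clubs/me without a tenant header, 400 for /api/tasks) can be pinned down in a small middleware check. This is an added illustration, not the project's TenantValidationMiddleware; the request shape (`url`, lower-cased `headers` as Node's HTTP parser produces them), the UUID format for tenant ids, and the helper names are assumptions for the demonstration. The exemption is an exact path match rather than a prefix match, so that tenant-scoped sibling routes under /api/clubs/ are not exempted by accident.

```javascript
// Added example (not the project's code): tenant-header validation with an
// explicit, exact-match path exemption for the club-discovery endpoint.

// Paths that may legitimately be called before a tenant is known.
// Exact match only: startsWith("/api/clubs") would also exempt routes such as
// /api/clubs/<id>/members, which must stay tenant-scoped.
const TENANT_EXEMPT_PATHS = new Set(["/api/clubs/me"]);

// Assumption for this example: tenant ids are UUIDs. Rejecting anything else
// keeps arbitrary header strings out of downstream tenant lookups.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// req: { url: string, headers: { [lowercaseName: string]: string } }
// Returns the status the middleware would short-circuit with, or 200 plus the
// normalised tenant id to attach to the request context.
function tenantValidation(req) {
  // Parse so that query strings and dot segments cannot disguise the path.
  const path = new URL(req.url, "http://localhost").pathname;
  if (TENANT_EXEMPT_PATHS.has(path)) {
    return { status: 200, tenantId: null };
  }
  const tenantId = req.headers["x-tenant-id"];
  if (!tenantId) {
    return { status: 400, error: "Missing X-Tenant-Id header" };
  }
  if (!UUID_RE.test(tenantId)) {
    return { status: 400, error: "Malformed X-Tenant-Id header" };
  }
  return { status: 200, tenantId: tenantId.toLowerCase() };
}

module.exports = { tenantValidation, TENANT_EXEMPT_PATHS };
```

A handler framework would call `tenantValidation` before routing and write the returned status when it is not 200; the constructed requests in the test below reproduce the two verified cases from the commit.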
- Added Keycloak audience protocol mapper to workclub-app client
- Maps 'workclub-api' to aud claim in access tokens
- Disabled issuer validation in API for local dev
- External clients use localhost:8080, internal use keycloak:8080
- Prevents validation mismatch in Docker network environment
This resolves 401 Unauthorized errors on all authenticated endpoints.
Ref: .sisyphus/evidence/final-f3-manual-qa.md lines 418-444
- Changed KEYCLOAK_ID → KEYCLOAK_CLIENT_ID
- Changed KEYCLOAK_SECRET → KEYCLOAK_CLIENT_SECRET
- Fixes 'ClientFetchError: The string did not match the expected pattern'
- Frontend now loads successfully at http://localhost:3000
- Updated project summary to document fix (Blocker #5 resolved)
Implements Task 22: Docker Compose Full Stack with Hot Reload
Services added:
- dotnet-api: Builds from backend/Dockerfile.dev
  - Port 5000→8080, volume mount for hot reload
  - Development environment with database + Keycloak config
  - Depends on: postgres (healthy), keycloak (healthy)
- nextjs: Builds from frontend/Dockerfile.dev
  - Port 3000, volume mount with node_modules exclusion
  - API URLs, NextAuth, Keycloak config
  - Depends on: dotnet-api
Dependency chain: postgres → keycloak → dotnet-api → nextjs
Features:
- Hot reload enabled via volume mounts with :cached flag (macOS)
- Backend runs migrations + seed on startup (Development mode)
- dotnet watch monitors backend changes
- bun run dev monitors frontend changes
- All services on app-network bridge
Environment variables configured for local development.
Note: Docker build/runtime verification skipped (Docker daemon unavailable).
- Add docker-compose.yml (v3.9) with postgres:16-alpine and keycloak:26.1 services
- Configure PostgreSQL with separate workclub and keycloak databases
- Set up Keycloak with database backend, admin user, and realm import capability
- Create PostgreSQL init script to provision development databases and users
- Add placeholder realm-export.json for Keycloak realm configuration
- Configure healthchecks and app-network bridge for service discovery
- Document configuration and patterns in learnings.md