2026-03-20 11:55:38 +01:00
1 changed files with 41 additions and 9 deletions
@@ -51,21 +51,53 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        options.RequireHttpsMetadata = false;
        options.MapInboundClaims = false;
        
-        // For Docker internal communication, use the direct Keycloak URL for metadata
-        // This bypasses the hostname mismatch in Keycloak's discovery endpoint
+        // For Docker internal communication, configure metadata and signing key resolution
+        // to bypass the hostname mismatch in Keycloak's discovery endpoint
        var keycloakAuthority = builder.Configuration["Keycloak:Authority"];
+        var keycloakInternalUrl = "http://keycloak:8081";
+        
        if (keycloakAuthority?.Contains("keycloak:") == true)
        {
+            // Set metadata address to internal Keycloak URL
            options.MetadataAddress = $"{keycloakAuthority}/.well-known/openid-configuration";
+            
+            // Configure custom signing key resolver to fetch from internal Keycloak URL
+            // This overrides the URLs returned in the discovery document
+            var httpClient = new HttpClient();
+            options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+            {
+                ValidateIssuer = false,
+                ValidateAudience = true,
+                ValidateLifetime = true,
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKeyResolver = (token, securityToken, kid, validationParameters) =>
+                {
+                    // Fetch JWKS from internal Keycloak URL
+                    var jwksUrl = $"{keycloakInternalUrl}/realms/workclub/protocol/openid-connect/certs";
+                    try
+                    {
+                        var response = httpClient.GetStringAsync(jwksUrl).GetAwaiter().GetResult();
+                        var jwks = new Microsoft.IdentityModel.Tokens.JsonWebKeySet(response);
+                        return jwks.Keys;
+                    }
+                    catch (Exception ex)
+                    {
+                        Console.WriteLine($"Failed to fetch JWKS from {jwksUrl}: {ex.Message}");
+                        return Array.Empty<Microsoft.IdentityModel.Tokens.SecurityKey>();
+                    }
+                }
+            };
        }
-        
-        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+        else
        {
-            ValidateIssuer = false, // Disabled for local dev - external clients use localhost:8080, internal use keycloak:8080
-            ValidateAudience = true,
-            ValidateLifetime = true,
-            ValidateIssuerSigningKey = true
-        };
+            options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+            {
+                ValidateIssuer = false,
+                ValidateAudience = true,
+                ValidateLifetime = true,
+                ValidateIssuerSigningKey = true
+            };
+        }
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>