backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs

@@ -22,10 +22,11 @@ public class TenantValidationMiddleware
             return;
         }
 
-    // Exempt bootstrap, admin, and debug endpoints from tenant validation
+    // Exempt bootstrap, admin, debug, and Keycloak OIDC endpoints from tenant validation
     if (context.Request.Path.StartsWithSegments("/api/clubs/me") ||
         context.Request.Path.StartsWithSegments("/api/admin") ||
-        context.Request.Path.StartsWithSegments("/api/debug"))
+        context.Request.Path.StartsWithSegments("/api/debug") ||
+        context.Request.Path.StartsWithSegments("/realms"))
     {
       _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
       await _next(context);

backend/WorkClub.Api/Program.cs

@@ -147,9 +147,12 @@ app.UseHttpsRedirection();
 
 app.UseCors("AllowFrontend");
 
+// IMPORTANT: Order matters! 
+// 1. Authentication must come before tenant validation so JWT middleware can fetch JWKS
+// 2. Tenant validation should come after auth but before endpoints
 app.UseAuthentication();
-app.UseAuthorization();
 app.UseMiddleware<TenantValidationMiddleware>();
+app.UseAuthorization();
 app.UseMiddleware<MemberSyncMiddleware>();
 
 app.MapHealthChecks("/health/live", new Microsoft.AspNetCore.Diagnostics.HealthChecks.HealthCheckOptions