Move OIDC config to appsettings.json and add MetadataAddress

Authority, Audience, and MetadataAddress are not secrets so they belong
in committed config rather than runtime env vars. MetadataAddress points
to the internal Docker URL for JWKS fetch, avoiding nginx hairpinning;
it is blanked in Development so the JWT middleware falls back to
Authority-based discovery. RequireHttpsMetadata is disabled only when
MetadataAddress is set (internal http URL).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Spencer Twaddle
2026-05-02 15:54:39 -05:00
parent 71bd88ace9
commit 489f376253
4 changed files with 17 additions and 6 deletions
-4
@@ -5,10 +5,6 @@ POSTGRES_DB=budget
POSTGRES_USER=budget
POSTGRES_PASSWORD=changeme
# Auth
AUTH__AUTHORITY=https://auth.stwaddle.com
AUTH__AUDIENCE=budget_api
# Client (baked into Vite build)
VITE_AUTH_AUTHORITY=https://auth.stwaddle.com
VITE_AUTH_CLIENT_ID=budget-client
+9 -2
@@ -17,12 +17,19 @@ var connStr = builder.Configuration.GetConnectionString("DefaultConnection")
builder.Services.AddDbContext<AppDbContext>(opt => opt.UseNpgsql(connStr));
var oidc = builder.Configuration.GetSection("Oidc");
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = builder.Configuration["AUTH__AUTHORITY"];
options.Audience = builder.Configuration["AUTH__AUDIENCE"];
options.Authority = oidc["Authority"];
options.Audience = oidc["Audience"];
options.MapInboundClaims = false;
var metadataAddress = oidc["MetadataAddress"];
if (!string.IsNullOrEmpty(metadataAddress))
{
options.MetadataAddress = metadataAddress;
options.RequireHttpsMetadata = false;
}
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
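Review bot: `options.RequireHttpsMetadata = false;` inside the `if (!string.IsNullOrEmpty(metadataAddress))` branch is keyed on MetadataAddress being present rather than on its scheme, so a future https MetadataAddress would still run with the HTTPS requirement switched off. Tie the relaxation to the scheme instead: `options.RequireHttpsMetadata = !metadataAddress.StartsWith("http://", StringComparison.OrdinalIgnoreCase);`, which keeps the default for any https value. Because `ValidateIssuer = true` is set, the discovery document served at the internal address presumably has to report the public Authority as its issuer (or a ValidIssuer has to be given in the parameters below), which deserves a comment next to the assignment, e.g. `// Internal discovery URL; the issuer it reports must equal Authority`. The AddJwtBearer lambda and the TokenValidationParameters initializer continue past the hunk.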
@@ -4,5 +4,8 @@
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"Oidc": {
"MetadataAddress": ""
}
}
+5
@@ -8,5 +8,10 @@
"AllowedHosts": "*",
"ConnectionStrings": {
"DefaultConnection": ""
},
"Oidc": {
"Authority": "https://auth.stwaddle.com",
"MetadataAddress": "http://auth:8080/.well-known/openid-configuration",
"Audience": "budget_api"
}
}
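Review bot: The `MetadataAddress` value fetches the OIDC discovery document and the signing keys over plain http, so the keys every bearer token is validated against are only as trustworthy as name resolution and traffic for the `auth` host on the internal network. That trust assumption is not recorded anywhere in the commit, and since Program.cs sets `ValidateIssuer = true`, the issuer reported by this internal endpoint also has to match the public `Authority` value; both points are worth a `//` comment on the `Oidc` section (the ASP.NET JSON configuration provider skips comments) or a line in the README. If the internal hop is later terminated with TLS, the `RequireHttpsMetadata` relaxation in Program.cs can be dropped along with it.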