From 489f376253f29804548cef3e5ff43159a3e2c29c Mon Sep 17 00:00:00 2001
From: Spencer Twaddle <7374698+stwaddle@users.noreply.github.com>
Date: Sat, 2 May 2026 15:54:39 -0500
Subject: [PATCH] Move OIDC config to appsettings.json and add MetadataAddress

Authority, Audience, and MetadataAddress are not secrets so they belong in committed config rather than runtime env vars. MetadataAddress points to the internal Docker URL for JWKS fetch, avoiding nginx hairpinning; it is blanked in Development so the JWT middleware falls back to Authority-based discovery. RequireHttpsMetadata is disabled only when MetadataAddress is set (internal http URL).

Co-Authored-By: Claude Sonnet 4.6
---
 .env.example | 4 ----
 src/Budget.Api/Program.cs | 11 +++++++++--
 src/Budget.Api/appsettings.Development.json | 3 +++
 src/Budget.Api/appsettings.json | 5 +++++
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/.env.example b/.env.example
index 9a91fed..1fdbfb0 100644
--- a/.env.example
+++ b/.env.example
@@ -5,10 +5,6 @@ POSTGRES_DB=budget
 POSTGRES_USER=budget
 POSTGRES_PASSWORD=changeme
 
-# Auth
-AUTH__AUTHORITY=https://auth.stwaddle.com
-AUTH__AUDIENCE=budget_api
-
 # Client (baked into Vite build)
 VITE_AUTH_AUTHORITY=https://auth.stwaddle.com
 VITE_AUTH_CLIENT_ID=budget-client
diff --git a/src/Budget.Api/Program.cs b/src/Budget.Api/Program.cs
index 7dd64be..61327de 100644
--- a/src/Budget.Api/Program.cs
+++ b/src/Budget.Api/Program.cs
@@ -17,12 +17,19 @@ var connStr = builder.Configuration.GetConnectionString("DefaultConnection")
 builder.Services.AddDbContext(opt => opt.UseNpgsql(connStr));
+var oidc = builder.Configuration.GetSection("Oidc");
 builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 .AddJwtBearer(options =>
 {
-options.Authority = builder.Configuration["AUTH__AUTHORITY"];
-options.Audience = builder.Configuration["AUTH__AUDIENCE"];
+options.Authority = oidc["Authority"];
+options.Audience = oidc["Audience"];
 options.MapInboundClaims = false;
+var metadataAddress = oidc["MetadataAddress"];
+if (!string.IsNullOrEmpty(metadataAddress))
+{
+options.MetadataAddress = metadataAddress;
+options.RequireHttpsMetadata = false;
+}
 options.TokenValidationParameters = new TokenValidationParameters
 {
 ValidateIssuer = true,
diff --git a/src/Budget.Api/appsettings.Development.json b/src/Budget.Api/appsettings.Development.json
index 0c208ae..4524d6f 100644
--- a/src/Budget.Api/appsettings.Development.json
+++ b/src/Budget.Api/appsettings.Development.json
@@ -4,5 +4,8 @@
 "Default": "Information",
 "Microsoft.AspNetCore": "Warning"
 }
+},
+"Oidc": {
+"MetadataAddress": ""
 }
 }
diff --git a/src/Budget.Api/appsettings.json b/src/Budget.Api/appsettings.json
index 64f2d8a..2932264 100644
--- a/src/Budget.Api/appsettings.json
+++ b/src/Budget.Api/appsettings.json
@@ -8,5 +8,10 @@
 "AllowedHosts": "*",
 "ConnectionStrings": {
 "DefaultConnection": ""
+},
+"Oidc": {
+"Authority": "https://auth.stwaddle.com",
+"MetadataAddress": "http://auth:8080/.well-known/openid-configuration",
+"Audience": "budget_api"
 }
 }
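Review bot: `options.RequireHttpsMetadata = false;` is gated on MetadataAddress being non-empty rather than on its scheme, so any future value for that key — including an https one — silently drops the https requirement for discovery and JWKS fetch; key it on the URL instead, e.g. `options.RequireHttpsMetadata = metadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase);`. That keeps the internal http address this commit targets working while an https address retains the default protection, and a malformed value fails at startup instead of being fetched in the clear. A short comment above the `if`, `// MetadataAddress is the internal compose-network discovery URL; Authority stays the public issuer the tokens are validated against`, would record why the requirement is relaxed — I am inferring from `ValidateIssuer = true` that issuer validation relies on the discovery document's issuer matching Authority, which depends on the auth server's configuration and is not shown here. The AddJwtBearer lambda and its TokenValidationParameters initializer continue past the end of the hunk.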
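Review bot: The plaintext `http://auth:8080/.well-known/openid-configuration` address in the base appsettings.json becomes the default for every environment except Development, not just the compose deployment it was written for — an instance started under Staging or Production outside that network would fetch its signing keys over http from whatever `auth` resolves to there. It is safer to keep `"MetadataAddress": ""` in this file and supply the internal URL only where it applies, for example as `Oidc__MetadataAddress` in the compose service environment, which the default configuration providers map onto the same `Oidc:MetadataAddress` key. Because key discovery over http is only as trustworthy as the network it crosses, the constraint that this URL must be reachable solely from inside the compose network deserves a line in the README or the compose file; nothing in this hunk records it.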