Move OIDC config to appsettings.json and add MetadataAddress

Authority, Audience, and MetadataAddress are not secrets so they belong
in committed config rather than runtime env vars. MetadataAddress points
to the internal Docker URL for JWKS fetch, avoiding nginx hairpinning;
it is blanked in Development so the JWT middleware falls back to
Authority-based discovery. RequireHttpsMetadata is disabled only when
MetadataAddress is set (internal http URL).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Spencer Twaddle
2026-05-02 15:54:39 -05:00
parent 71bd88ace9
commit 489f376253
4 changed files with 17 additions and 6 deletions
@@ -8,5 +8,10 @@
"AllowedHosts": "*",
"ConnectionStrings": {
"DefaultConnection": ""
},
"Oidc": {
"Authority": "https://auth.stwaddle.com",
"MetadataAddress": "http://auth:8080/.well-known/openid-configuration",
"Audience": "budget_api"
}
}
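Review bot: The `"MetadataAddress": "http://auth:8080/.well-known/openid-configuration"` line sits in the base appsettings.json, so plaintext discovery becomes the default for every environment that does not explicitly blank it, and per the commit message that also turns RequireHttpsMetadata off, meaning the keys used to validate tokens are fetched over an unauthenticated channel. Consider leaving MetadataAddress empty in this file and setting the internal URL only in the production-specific configuration, so a missed override falls back to HTTPS discovery through Authority instead of to http. It is also worth confirming that the document served at the internal URL reports its issuer as `https://auth.stwaddle.com` and a `jwks_uri` that resolves inside the Docker network; otherwise issuer validation can fail, or the key fetch still goes out through nginx.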