Skip to content

Commit 74f42be

Browse files
committed
fix e2e test issues
1 parent 402a2a2 commit 74f42be

7 files changed

Lines changed: 30 additions & 7 deletions

File tree

docker-compose.yml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -463,6 +463,13 @@ services:
463463

464464
# External service configuration
465465
CATALOGUE_BASE_URL: http://sticker-catalogue:8080
466+
467+
# OAuth/JWT configuration
468+
# OAUTH_ISSUER: The issuer claim expected in JWT tokens (matches what user-management sets)
469+
# Note: OpenIddict adds trailing slash to issuer, so we must include it here
470+
# OAUTH_JWKS_URL: Internal Docker network URL to fetch JWKS for token validation
471+
OAUTH_ISSUER: ${DEPLOYMENT_HOST_URL}/
472+
OAUTH_JWKS_URL: http://user-management:8080/.well-known/jwks
466473
healthcheck:
467474
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/health"]
468475
interval: 1s

sticker-award/infra/aws/lib/api.ts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -86,6 +86,7 @@ export class Api extends Construct {
8686
MESSAGING_PROVIDER: "aws",
8787
CATALOGUE_BASE_URL: `https://${props.serviceProps.cloudfrontDistribution.distributionDomainName}`,
8888
USER_REGISTERED_QUEUE_URL: userRegisteredQueue.queueUrl,
89+
OAUTH_ISSUER: `https://${props.serviceProps.cloudfrontDistribution.distributionDomainName}`,
8990
...props.serviceProps.messagingConfiguration.asEnvironmentVariables(),
9091
},
9192
secrets: secrets,

sticker-award/internal/api/middleware/jwt.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ func NewJWTValidator(cfg *config.AuthConfig) (*JWTValidator, error) {
4040
ctx, cancel := context.WithCancel(context.Background())
4141

4242
// Create JWKS keyfunc with background refresh
43-
jwks, err := keyfunc.NewDefaultCtx(ctx, []string{cfg.JWKSUrl})
43+
jwks, err := keyfunc.NewDefaultCtx(ctx, []string{cfg.JWKSUrl()})
4444
if err != nil {
4545
cancel()
4646
return nil, err

sticker-award/internal/config/config.go

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -37,11 +37,19 @@ type Config struct {
3737

3838
// AuthConfig holds JWT authentication configuration
3939
type AuthConfig struct {
40-
JWKSUrl string `mapstructure:"jwks_url"`
4140
Issuer string `mapstructure:"issuer"`
41+
JwksUrl string `mapstructure:"jwks_url"`
4242
ClockSkew int `mapstructure:"clock_skew"`
4343
}
4444

45+
// JWKSUrl returns the JWKS URL - uses explicit jwks_url if set, otherwise derives from issuer
46+
func (a *AuthConfig) JWKSUrl() string {
47+
if a.JwksUrl != "" {
48+
return a.JwksUrl
49+
}
50+
return a.Issuer + "/.well-known/jwks"
51+
}
52+
4553
// ServerConfig holds HTTP server configuration
4654
type ServerConfig struct {
4755
Port string `mapstructure:"port"`
@@ -229,14 +237,14 @@ func setDefaults() {
229237
viper.SetDefault("logging.level", "info")
230238
viper.SetDefault("logging.format", "json")
231239

232-
// Auth defaults
233-
viper.SetDefault("auth.jwks_url", "http://user-management:8080/.well-known/jwks")
240+
// Auth defaults - JWKS URL can be set separately from issuer for Docker networking
234241
viper.SetDefault("auth.issuer", "http://user-management:8080")
242+
viper.SetDefault("auth.jwks_url", "") // Empty means derive from issuer
235243
viper.SetDefault("auth.clock_skew", 30)
236244

237245
// Explicit env var bindings for auth config
238-
_ = viper.BindEnv("auth.jwks_url", "JWKS_URI")
239246
_ = viper.BindEnv("auth.issuer", "OAUTH_ISSUER")
247+
_ = viper.BindEnv("auth.jwks_url", "OAUTH_JWKS_URL")
240248
}
241249

242250
// ConnectionString returns the database connection string

sticker-catalogue/infra/aws/lib/api.ts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -77,6 +77,7 @@ export class Api extends Construct {
7777
QUARKUS_DATASOURCE_JDBC_ACQUISITION_TIMEOUT: "30S",
7878
QUARKUS_S3_PATH_STYLE_ACCESS: "true",
7979
STICKER_IMAGES_BUCKET: props.stickerImagesBucket.bucketName,
80+
OAUTH_ISSUER: `https://${props.serviceProps.cloudfrontDistribution.distributionDomainName}`,
8081
...props.serviceProps.messagingProps.asEnvironmentVariables(),
8182
},
8283
secrets: secrets,

sticker-catalogue/src/main/resources/application.properties

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,9 +32,9 @@ MESSAGING_PROVIDER=kafka
3232
quarkus.eventbridge.aws.region=${AWS_REGION:us-east-1}
3333
quarkus.eventbridge.aws.credentials.type=default
3434

35-
# JWT Configuration
35+
# JWT Configuration - JWKS URL derived from issuer
3636
mp.jwt.verify.issuer=${OAUTH_ISSUER:http://user-management:8080}
37-
mp.jwt.verify.publickey.location=${JWKS_URI:http://user-management:8080/.well-known/jwks}
37+
mp.jwt.verify.publickey.location=${OAUTH_ISSUER:http://user-management:8080}/.well-known/jwks
3838
smallrye.jwt.clock.skew=30
3939

4040
# Dev profile JWT overrides

user-management/src/Stickerlandia.UserManagement.Auth/AuthServiceExtensions.cs

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,12 @@ public static IServiceCollection AddCoreAuthentication(this IServiceCollection s
5151
options.AddDevelopmentEncryptionCertificate()
5252
.AddDevelopmentSigningCertificate();
5353

54+
// Disable access token encryption to allow external services to validate tokens.
55+
// This makes tokens transparent (signed JWTs) instead of encrypted JWEs.
56+
// Required for services like sticker-award and sticker-catalogue that validate
57+
// tokens using the JWKS endpoint.
58+
options.DisableAccessTokenEncryption();
59+
5460
// Register the ASP.NET Core host and configure the ASP.NET Core options.
5561
if (disableSsl)
5662
options.UseAspNetCore()

0 commit comments

Comments
 (0)