From b2a5bde40a1c9f65fb01de9c09d70abbc86e898f Mon Sep 17 00:00:00 2001
From: Ho Ngoc Hai
Date: Sun, 12 Apr 2026 00:24:48 +0700
Subject: [PATCH] fix(auth): allow HTTP OIDC discovery for K8s internal authority

Services in K8s use `Jwt__Authority=http://iam-service:8080` (internal) but RequireHttpsMetadata was hardcoded to `!IsDevelopment()` which crashes in Staging with "The MetadataAddress or Authority must use HTTPS". Fix: Read RequireHttpsMetadata from config + auto-detect HTTP authority. Affected: merchant-service, ads-billing, ads-serving, ads-tracking.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../src/AdsBillingService.API/Program.cs | 7 ++++---
 .../src/AdsServingService.API/Program.cs | 7 ++++---
 .../src/AdsTrackingService.API/Program.cs | 7 ++++---
 .../src/MerchantService.API/Program.cs | 7 ++++---
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/services/ads-billing-service-net/src/AdsBillingService.API/Program.cs b/services/ads-billing-service-net/src/AdsBillingService.API/Program.cs
index 091e6aed..255b84f5 100644
--- a/services/ads-billing-service-net/src/AdsBillingService.API/Program.cs
+++ b/services/ads-billing-service-net/src/AdsBillingService.API/Program.cs
@@ -93,9 +93,10 @@ try
 .AddJwtBearer(options =>
 {
 options.Authority = jwtAuthority;
- // EN: Only allow HTTP metadata in local development (IAM runs on http://localhost)
- // VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost)
- options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
+ // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
+ // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
+ var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
+ options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
 {
 ValidateIssuer = false,
diff --git a/services/ads-serving-service-net/src/AdsServingService.API/Program.cs b/services/ads-serving-service-net/src/AdsServingService.API/Program.cs
index 9d2a5a6f..67b16939 100644
--- a/services/ads-serving-service-net/src/AdsServingService.API/Program.cs
+++ b/services/ads-serving-service-net/src/AdsServingService.API/Program.cs
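Review bot: The `&&` on the new `options.RequireHttpsMetadata` line makes the setting a no-op: whenever the authority is `http://` the flag is forced to false regardless of `Jwt:RequireHttpsMetadata` or the environment, and whenever it is `https://` the flag changes nothing, so a Staging or Production pod whose `Jwt__Authority` is mistakenly a plaintext URL now fetches the OIDC discovery document and signing keys over HTTP instead of failing at startup as the original check intended. Keep the relaxation explicit and per-environment: `options.RequireHttpsMetadata = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());` and set `Jwt__RequireHttpsMetadata=false` only on the deployments that are meant to talk to the in-cluster `http://iam-service:8080` address, so the opt-out is visible in the manifest rather than implied by the URL scheme. If auto-detection is still wanted, gate it on a recognisably in-cluster host rather than on any `http://` prefix. The EN/VI comments should then describe what the code actually does, e.g. `// EN: RequireHttpsMetadata comes from Jwt:RequireHttpsMetadata (default: relaxed only in Development); set it to false explicitly for the in-cluster http:// IAM address`. The same lines appear in the ads-serving, ads-tracking and merchant-service hunks; the enclosing `try` and the AddJwtBearer lambda continue outside the hunk, and `jwtAuthority` is assigned there, so whether it can be null before `StartsWith` is not visible here.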
@@ -98,9 +98,10 @@ try
 .AddJwtBearer(options =>
 {
 options.Authority = jwtAuthority;
- // EN: Only allow HTTP metadata in local development (IAM runs on http://localhost)
- // VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost)
- options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
+ // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
+ // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
+ var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
+ options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
 {
 ValidateIssuer = false,
diff --git a/services/ads-tracking-service-net/src/AdsTrackingService.API/Program.cs b/services/ads-tracking-service-net/src/AdsTrackingService.API/Program.cs
index 9fa6245c..e0139ff5 100644
--- a/services/ads-tracking-service-net/src/AdsTrackingService.API/Program.cs
+++ b/services/ads-tracking-service-net/src/AdsTrackingService.API/Program.cs
@@ -93,9 +93,10 @@ try
 .AddJwtBearer(options =>
 {
 options.Authority = jwtAuthority;
- // EN: Only allow HTTP metadata in local development (IAM runs on http://localhost)
- // VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost)
- options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
+ // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
+ // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
+ var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
+ options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
 {
 ValidateIssuer = false,
diff --git a/services/merchant-service-net/src/MerchantService.API/Program.cs b/services/merchant-service-net/src/MerchantService.API/Program.cs
index 0bcd0b59..57f1feac 100644
--- a/services/merchant-service-net/src/MerchantService.API/Program.cs
+++ b/services/merchant-service-net/src/MerchantService.API/Program.cs
@@ -81,9 +81,10 @@ try
 .AddJwtBearer(options =>
 {
 options.Authority = jwtAuthority;
- // EN: Only allow HTTP metadata in local development (IAM runs on http://localhost)
- // VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost)
- options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
+ // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
+ // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
+ var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
+ options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
 {
 ValidateIssuer = false,