fix(auth): allow HTTP OIDC discovery for K8s internal authority

Services in K8s use `Jwt__Authority=http://iam-service:8080` (internal)
but RequireHttpsMetadata was hardcoded to `!IsDevelopment()` which
crashes in Staging with "The MetadataAddress or Authority must use HTTPS".

Fix: Read RequireHttpsMetadata from config + auto-detect HTTP authority.
Affected: merchant-service, ads-billing, ads-serving, ads-tracking.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Ho Ngoc Hai
2026-04-12 00:24:48 +07:00
parent 8a5b25936d
commit b2a5bde40a
4 changed files with 16 additions and 12 deletions


@@ -93,9 +93,10 @@ try
.AddJwtBearer(options => .AddJwtBearer(options =>
{ {
options.Authority = jwtAuthority; options.Authority = jwtAuthority;
// EN: Only allow HTTP metadata in local development (IAM runs on http://localhost) // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
// VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost) // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
options.RequireHttpsMetadata = !builder.Environment.IsDevelopment(); var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{ {
ValidateIssuer = false, ValidateIssuer = false,
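Review bot: The `&& jwtAuthority.StartsWith("https://", ...)` clause on the new `options.RequireHttpsMetadata` line makes `Jwt:RequireHttpsMetadata` a no-op whenever the authority is `http://`, so a misconfigured `Jwt__Authority` in Staging or Production now silently disables the HTTPS-metadata check instead of failing at startup as it does today; with `ValidateIssuer = false` two lines below, whatever discovery document is reachable at that URL then decides which signing keys are trusted. Keep the setting purely config-driven, `options.RequireHttpsMetadata = requireHttps;`, and have the K8s manifests for the four services set `Jwt__RequireHttpsMetadata=false` explicitly, so the downgrade is a visible deployment decision and the in-cluster `http://iam-service:8080` path is protected by NetworkPolicy or mesh mTLS rather than by a scheme check. If the auto-detect is kept, say so in the comment, e.g. `// NOTE: an http:// Authority disables the HTTPS-metadata requirement regardless of Jwt:RequireHttpsMetadata`, and guard `jwtAuthority` against null before calling `StartsWith` (its assignment is outside the hunk). The same change appears in the other three file sections (lines 36–46, 50–60 and 64–74) and this note applies to them as well.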


@@ -98,9 +98,10 @@ try
.AddJwtBearer(options => .AddJwtBearer(options =>
{ {
options.Authority = jwtAuthority; options.Authority = jwtAuthority;
// EN: Only allow HTTP metadata in local development (IAM runs on http://localhost) // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
// VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost) // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
options.RequireHttpsMetadata = !builder.Environment.IsDevelopment(); var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{ {
ValidateIssuer = false, ValidateIssuer = false,


@@ -93,9 +93,10 @@ try
.AddJwtBearer(options => .AddJwtBearer(options =>
{ {
options.Authority = jwtAuthority; options.Authority = jwtAuthority;
// EN: Only allow HTTP metadata in local development (IAM runs on http://localhost) // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
// VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost) // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
options.RequireHttpsMetadata = !builder.Environment.IsDevelopment(); var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{ {
ValidateIssuer = false, ValidateIssuer = false,


@@ -81,9 +81,10 @@ try
.AddJwtBearer(options => .AddJwtBearer(options =>
{ {
options.Authority = jwtAuthority; options.Authority = jwtAuthority;
// EN: Only allow HTTP metadata in local development (IAM runs on http://localhost) // EN: Allow HTTP metadata when Authority is http:// (K8s internal) or in Development
// VI: Chỉ cho phép HTTP metadata trong local development (IAM chạy trên http://localhost) // VI: Cho phép HTTP metadata khi Authority là http:// (K8s internal) hoặc Development
options.RequireHttpsMetadata = !builder.Environment.IsDevelopment(); var requireHttps = builder.Configuration.GetValue("Jwt:RequireHttpsMetadata", !builder.Environment.IsDevelopment());
options.RequireHttpsMetadata = requireHttps && jwtAuthority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{ {
ValidateIssuer = false, ValidateIssuer = false,