fix(auth): separate pkce and headless trusted rp config

2026-03-31 10:44:04 +09:00
parent 4b34ab8161
commit 33afe1eddf
8 changed files with 274 additions and 62 deletions
--- a/backend/internal/domain/hydra_models_test.go
+++ b/backend/internal/domain/hydra_models_test.go
@@ -3,6 +3,28 @@ package domain
 import "testing"

 func TestHydraClient_TrustedRPFlags(t *testing.T) {
+	t.Run("metadata-backed headless trusted rp is supported", func(t *testing.T) {
+		client := HydraClient{
+			TokenEndpointAuthMethod: "none",
+			Metadata: map[string]any{
+				"headless_login_enabled":              true,
+				"headless_token_endpoint_auth_method": "private_key_jwt",
+				"headless_jwks": map[string]any{
+					"keys": []map[string]any{{
+						"kty": "RSA",
+					}},
+				},
+			},
+		}
+
+		if !client.IsTrustedRP() {
+			t.Fatalf("expected metadata-backed trusted rp")
+		}
+		if !client.IsHeadlessLoginEnabled() {
+			t.Fatalf("expected metadata-backed headless login enabled")
+		}
+	})
+
 	t.Run("inline jwks with private_key_jwt and headless enabled", func(t *testing.T) {
 		client := HydraClient{
 			TokenEndpointAuthMethod: "private_key_jwt",