fix(auth): separate pkce and headless trusted rp config

2026-03-31 10:44:04 +09:00
parent 4b34ab8161
commit 33afe1eddf
8 changed files with 274 additions and 62 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -1699,14 +1699,14 @@ func containsHeadlessAudience(expected []string, actual headlessAssertionAud) bo
 func (h *AuthHandler) loadHeadlessJWKS(ctx context.Context, client domain.HydraClient) (*jose.JSONWebKeySet, error) {
 	var raw []byte
 	switch {
-	case client.JWKS != nil:
-		data, err := json.Marshal(client.JWKS)
+	case client.HeadlessJWKS() != nil:
+		data, err := json.Marshal(client.HeadlessJWKS())
 		if err != nil {
 			return nil, fmt.Errorf("failed to encode jwks: %w", err)
 		}
 		raw = data
-	case strings.TrimSpace(client.JWKSUri) != "":
-		req, err := http.NewRequestWithContext(ctx, http.MethodGet, strings.TrimSpace(client.JWKSUri), nil)
+	case client.HeadlessJWKSURI() != "":
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, client.HeadlessJWKSURI(), nil)
 		if err != nil {
 			return nil, fmt.Errorf("failed to build jwks request: %w", err)
 		}