fix(auth): separate pkce and headless trusted rp config

2026-03-31 10:44:04 +09:00
parent 4b34ab8161
commit 33afe1eddf
8 changed files with 274 additions and 62 deletions
--- a/backend/internal/handler/auth_handler_login_test.go
+++ b/backend/internal/handler/auth_handler_login_test.go
@@ -306,11 +306,12 @@ func TestHeadlessPasswordLogin_TrustedClientSuccess(t *testing.T) {
 				Challenge: "challenge-123",
 				Client: domain.HydraClient{
 					ClientID:                "trusted-rp",
-					TokenEndpointAuthMethod: "private_key_jwt",
-					JWKSUri:                 jwksServer.URL + "/.well-known/jwks.json",
+					TokenEndpointAuthMethod: "none",
 					Metadata: map[string]interface{}{
-						"status":                 "active",
-						"headless_login_enabled": true,
+						"status":                              "active",
+						"headless_login_enabled":              true,
+						"headless_token_endpoint_auth_method": "private_key_jwt",
+						"headless_jwks_uri":                   jwksServer.URL + "/.well-known/jwks.json",
 					},
 				},
 			})
@@ -524,10 +525,11 @@ func TestHeadlessPasswordLogin_HeadlessDisabledRejected(t *testing.T) {
 				Challenge: "challenge-123",
 				Client: domain.HydraClient{
 					ClientID:                "trusted-rp",
-					TokenEndpointAuthMethod: "private_key_jwt",
-					JWKSUri:                 "https://rp.example.com/.well-known/jwks.json",
+					TokenEndpointAuthMethod: "none",
 					Metadata: map[string]interface{}{
-						"status": "active",
+						"status":                              "active",
+						"headless_jwks_uri":                   "https://rp.example.com/.well-known/jwks.json",
+						"headless_token_endpoint_auth_method": "private_key_jwt",
 					},
 				},
 			})
@@ -576,11 +578,12 @@ func TestHeadlessPasswordLogin_ClientIDMismatchRejected(t *testing.T) {
 				Challenge: "challenge-123",
 				Client: domain.HydraClient{
 					ClientID:                "other-rp",
-					TokenEndpointAuthMethod: "private_key_jwt",
-					JWKSUri:                 "https://rp.example.com/.well-known/jwks.json",
+					TokenEndpointAuthMethod: "none",
 					Metadata: map[string]interface{}{
-						"status":                 "active",
-						"headless_login_enabled": true,
+						"status":                              "active",
+						"headless_login_enabled":              true,
+						"headless_token_endpoint_auth_method": "private_key_jwt",
+						"headless_jwks_uri":                   "https://rp.example.com/.well-known/jwks.json",
 					},
 				},
 			})