forked from baron/baron-sso

fix(headless-login): honor public base url for audience checks

- resolve headless audience against BACKEND_PUBLIC_URL first
- keep forwarded header support for https absolute audiences
- add regression tests for https success and http mismatch rejection
- write BACKEND_PUBLIC_URL into staging workflow env generation
Lectom C Han
2026-04-01 21:05:41 +09:00
parent 3186fab596
commit 71a006cd7b
8 changed files with 372 additions and 19 deletions


@@ -61,6 +61,7 @@ ADMIN_PASSWORD=adminPasswordIsNotSimple
USERFRONT_URL=https://sso.hmac.kr
# Services proxied via Nginx
BACKEND_PUBLIC_URL=${USERFRONT_URL}
BACKEND_URL=${USERFRONT_URL}
OATHKEEPER_PUBLIC_URL=${USERFRONT_URL}
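Review bot: The new `BACKEND_PUBLIC_URL=${USERFRONT_URL}` line carries no comment explaining why it exists alongside the identical `BACKEND_URL=${USERFRONT_URL}` directly below it, and the only nearby comment (`# Services proxied via Nginx`) does not distinguish the two. Since the commit message says this value is resolved first when computing the headless-login audience and that an http/https mismatch is rejected, a one-line comment above it stating that it must be the externally reachable https origin used for audience checks would save the next operator from setting it to an internal http address. Also note that the `${USERFRONT_URL}` reference only works where the env loader performs variable interpolation; that assumption already holds for the surrounding lines, so it is consistent, but worth keeping in mind if this file is consumed by a plain dotenv parser.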