From 3a93b68ea580bc01c4289ae4b271b55cdca88362 Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Sun, 5 Apr 2026 17:16:04 +0200 Subject: [PATCH] fix: split JWK fetch (Docker-internal) from issuer validation (localhost) crypto.subtle requires a secure context, so the browser must access everything via localhost. The custom JwtDecoder already supports this split: jwk-set-uri uses Docker-internal logto:3001 for network fetch, while issuer-uri uses localhost:3001 for string-only claim validation. Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 1dce499..ac9c384 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -106,7 +106,7 @@ services:
 LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
 LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3001
 LOGTO_ISSUER_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc
- LOGTO_JWK_SET_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc/jwks
+ LOGTO_JWK_SET_URI: ${LOGTO_ENDPOINT:-http://logto:3001}/oidc/jwks
 LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
 LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
 CAMELEER3_SERVER_ENDPOINT: http://cameleer3-server:8081
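Review bot: With `LOGTO_JWK_SET_URI` now derived from `LOGTO_ENDPOINT`, the keys used to verify token signatures are fetched over plain `http://` from whatever host that variable names, and nothing on the added line documents that this endpoint, not the issuer URL, is now the trust anchor. The default `http://logto:3001` stays on the Compose network, but an override pointing outside it would pull the JWKS in cleartext, and a tampered key set would decide which tokens validate; the issuer check is, per the commit message, a string comparison and would not catch that. I would add a comment above the line, e.g. `# JWKS is the trust anchor for token verification: keep LOGTO_ENDPOINT on the internal network, or use https when it is not`. The surrounding `environment:` mapping starts and ends outside the hunk, so whether other consumers of `LOGTO_ENDPOINT` rely on the same assumption cannot be seen here.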