fix: register API resource in Logto for JWT access tokens

Logto returns opaque access tokens when no resource is specified.
Added API resource creation to bootstrap, included resource indicator
in /api/config, and SPA now passes resource parameter in auth request.
Also fixed issuer-uri to match Logto's public endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-05 01:01:32 +02:00
parent 6764f981d2
commit 84667170f1
5 changed files with 39 additions and 10 deletions


@@ -4,7 +4,7 @@ import { fetchConfig } from '../config';
import { generatePkce, storeCodeVerifier } from './pkce';
export function LoginPage() {
const [config, setConfig] = useState<{ logtoEndpoint: string; logtoClientId: string } | null>(null);
const [config, setConfig] = useState<{ logtoEndpoint: string; logtoClientId: string; logtoResource: string } | null>(null);
const [loading, setLoading] = useState(true);
useEffect(() => {
@@ -35,6 +35,9 @@ export function LoginPage() {
code_challenge: codeChallenge,
code_challenge_method: 'S256',
});
if (config.logtoResource) {
params.set('resource', config.logtoResource);
}
window.location.href = `${config.logtoEndpoint}/oidc/auth?${params}`;
};
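Review bot: The `if (config.logtoResource)` guard silently omits the `resource` parameter when the value is empty, and the commit description says Logto then issues an opaque access token, so a missing setting reproduces the original failure with no signal to the user or operator. The empty value can come from the `import.meta.env.VITE_LOGTO_RESOURCE || ''` fallback added to fetchConfig in this same commit. Consider failing visibly before the redirect is built, e.g. `if (!config.logtoResource) { console.error('logtoResource is not configured'); return; }`. The token exchange and the API's token validation are not visible here; presumably the backend checks the `aud` claim against this same resource indicator, which is worth confirming since the issuer-uri was changed alongside it. The enclosing handler starts outside the hunk.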


@@ -1,6 +1,7 @@
interface AppConfig {
logtoEndpoint: string;
logtoClientId: string;
logtoResource: string;
}
let cached: AppConfig | null = null;
@@ -22,6 +23,7 @@ export async function fetchConfig(): Promise<AppConfig> {
cached = {
logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || 'http://localhost:3001',
logtoClientId: import.meta.env.VITE_LOGTO_CLIENT_ID || '',
logtoResource: import.meta.env.VITE_LOGTO_RESOURCE || '',
};
return cached;
}
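Review bot: `logtoResource` is declared as a required `string` in AppConfig, but the fallback in fetchConfig sets it to `''` to mean "not configured", and nothing on the interface states that contract. A doc comment on the field would make it explicit: `/** API resource indicator sent as "resource" in the auth request; '' means unset, and Logto then issues opaque access tokens. */`. fetchConfig's body starts outside the hunk, so whether the /api/config response is checked for this field before being cached cannot be seen from here.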