Logto validates M2M tokens by fetching its own JWKS from the ENDPOINT URL (e.g. https://app.cameleer.io/oidc/jwks). Behind a Cloudflare tunnel, that hostname resolves to Cloudflare's IP and the container can't route back through the tunnel — the fetch times out (ETIMEDOUT), causing all Management API calls to return 500. Adding extra_hosts maps AUTH_HOST to host-gateway so the request goes to the Docker host, which has Traefik on :443, which routes back to Logto internally. This hairpin works because NODE_TLS_REJECT=0 accepts the self-signed cert. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
7.8 KiB
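The hairpin the commit describes, written out as a Docker Compose fragment. This is an added illustration, not the project's own compose file or the diff behind this commit; the service name, image, the `AUTH_HOST` variable, the CA path and the Traefik certificate filename are assumptions.

```yaml
# Added example, not the project's compose file. Assumes AUTH_HOST holds the
# public hostname Logto is published under (e.g. app.cameleer.io) and that
# Traefik terminates TLS for it on the Docker host's :443.
services:
  logto:
    image: svhd/logto            # assumed image name
    environment:
      # Logto builds its JWKS URL from ENDPOINT and fetches it from itself
      # when validating M2M tokens.
      ENDPOINT: https://${AUTH_HOST}
      # Before the fix: no extra_hosts entry, so ${AUTH_HOST} resolved to
      # Cloudflare's edge IP, the tunnel could not be traversed from inside
      # the container, the fetch hit ETIMEDOUT and Management API calls 500'd.
      #
      # The commit accepts Traefik's self-signed cert by disabling TLS
      # verification for the whole Node process:
      NODE_TLS_REJECT_UNAUTHORIZED: "0"
    extra_hosts:
      # After the fix: resolve the public hostname to the Docker host, so the
      # request leaves the container, hits Traefik on :443 and is routed back
      # into this same container.
      - "${AUTH_HOST}:host-gateway"

  # Alternative with verification left on: trust only the self-signed CA that
  # Traefik serves, instead of every cert. Path and filename are assumptions.
  logto-strict-tls:
    image: svhd/logto
    environment:
      ENDPOINT: https://${AUTH_HOST}
      NODE_EXTRA_CA_CERTS: /etc/ssl/private/traefik-ca.crt
    volumes:
      - ./traefik/traefik-ca.crt:/etc/ssl/private/traefik-ca.crt:ro
    extra_hosts:
      - "${AUTH_HOST}:host-gateway"
```

After `docker compose up -d`, `docker compose exec logto getent hosts "$AUTH_HOST"` should print the Docker host's bridge address rather than a Cloudflare IP, and `docker compose exec logto wget -qO- "https://$AUTH_HOST/oidc/jwks"` should return the key set. `NODE_TLS_REJECT_UNAUTHORIZED=0` turns off certificate verification for every outbound TLS connection the Logto process makes, not just this one; `NODE_EXTRA_CA_CERTS` pointed at the Traefik CA keeps verification on while still accepting the hairpinned connection.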