8ab82c8b37
Capture the redirect_uri gotcha from the live-stack smoke. .env.example pins AUTH_URL to acme.localhost:3000 with a long-form comment; README gets an 'AUTH_URL gotcha' callout. Refs: M5.1 follow-up
33 lines
1.5 KiB
Bash
# portal — local dev environment.

# Copy to .env.local (gitignored).

# Tenant Registry — see platform/tenant-registry. Run `make dev` there.
TENANT_REGISTRY_URL=http://localhost:8090

# Keycloak (dev stack from platform/orca-platform/dev).
KEYCLOAK_ISSUER=http://localhost:8080/realms/breakpilot-dev
KEYCLOAK_CLIENT_ID=dev-portal
# Public PKCE client — the secret is structurally required by Auth.js but unused
# at the OAuth code-exchange step. Any non-empty placeholder works in dev.
KEYCLOAK_CLIENT_SECRET=unused-public-client

# Auth.js v5 — required. Used to encrypt the session JWT and the PKCE/state
# cookies. Generate with: openssl rand -base64 32. Keep it stable across
# restarts: a new value invalidates every existing session cookie, so everyone
# has to log in again.
AUTH_SECRET=dev-secret-change-me-do-not-ship-replace-with-32-byte-random

# IMPORTANT: AUTH_URL must match the exact host (including subdomain) you use
# in the browser. When AUTH_URL is set, Auth.js v5 derives the OAuth
# redirect_uri from it and ignores the request Host header; the header is only
# consulted when AUTH_URL is unset and AUTH_TRUST_HOST=true. So if you visit
# http://acme.localhost:3000 but AUTH_URL is http://localhost:3000, the sign-in
# request sets the PKCE/state cookies on acme.localhost, Keycloak sends the
# browser back to the localhost callback where those host-only cookies are not
# sent, and the login fails. On the live-stack smoke this surfaced as Keycloak
# rejecting the token exchange with 'invalid_grant: Incorrect redirect_uri'.
#
# For a single-tenant dev flow, pin AUTH_URL to the subdomain you use:
AUTH_URL=http://acme.localhost:3000

# AUTH_TRUST_HOST is on so this still works behind orca-proxy in stage/prod,
# where the actual host is known via X-Forwarded-Host (that header only matters
# when AUTH_URL is not pinned).
AUTH_TRUST_HOST=true
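The failure mode described in the AUTH_URL comment, as an added example that is not part of the project or of Auth.js. It mirrors the base-URL precedence Auth.js v5 applies as I understand it (AUTH_URL wins; X-Forwarded-Host/Host are consulted only when AUTH_URL is unset and AUTH_TRUST_HOST=true), models the PKCE/state cookies as host-only cookies, and runs a preflight over a constructed .env text. The cookie names, the callback path `/api/auth/callback/keycloak`, the `checkAuthUrl` helper and the sample env contents are assumptions for illustration.

```javascript
// Added example: preflight for the AUTH_URL / browser-host mismatch.
// Not Auth.js code; the precedence below mirrors how Auth.js v5 resolves its
// base URL (AUTH_URL first, trusted headers only when AUTH_URL is unset).

// Constructed sample env files: the broken one and the pinned one.
const BROKEN_ENV = `
KEYCLOAK_CLIENT_ID=dev-portal
AUTH_URL=http://localhost:3000
AUTH_TRUST_HOST=true
`;

const PINNED_ENV = `
KEYCLOAK_CLIENT_ID=dev-portal
AUTH_URL=http://acme.localhost:3000
AUTH_TRUST_HOST=true
`;

// Minimal dotenv parser: KEY=VALUE lines and '#' comments, no quoting/expansion.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// Base URL for a request: AUTH_URL if set; otherwise the forwarded/host
// headers, but only when AUTH_TRUST_HOST=true; otherwise a hard error.
function resolveBaseUrl(env, headers) {
  if (env.AUTH_URL) return new URL(env.AUTH_URL).origin;
  if (env.AUTH_TRUST_HOST === "true") {
    const host = headers["x-forwarded-host"] ?? headers["host"];
    const proto = (headers["x-forwarded-proto"] ?? "http").replace(/:$/, "");
    if (!host) throw new Error("no Host header to trust");
    return `${proto}://${host}`;
  }
  throw new Error("AUTH_URL unset and AUTH_TRUST_HOST is not 'true'");
}

// redirect_uri sent to Keycloak in the authorization and token requests
// (callback path is illustrative).
function redirectUri(env, headers, provider = "keycloak") {
  return `${resolveBaseUrl(env, headers)}/api/auth/callback/${provider}`;
}

// Simulate one login: the sign-in request sets PKCE/state cookies on the host
// the browser is actually using (host-only, no Domain attribute), then Keycloak
// sends the browser to redirect_uri. The callback only sees the cookies if it
// lands on the same host that set them. Cookie names are illustrative.
function simulateLogin(env, browserHost) {
  const uri = redirectUri(env, { host: browserHost });
  const cookieJar = { [browserHost]: ["authjs.pkce.code_verifier", "authjs.state"] };
  const callbackHost = new URL(uri).host;
  const cookiesAtCallback = cookieJar[callbackHost] ?? [];
  const ok = cookiesAtCallback.includes("authjs.pkce.code_verifier");
  return {
    redirectUri: uri,
    callbackHost,
    ok,
    reason: ok
      ? "ok"
      : `PKCE cookie was set on ${browserHost} but the callback lands on ${callbackHost}`,
  };
}

// Preflight for a .env text: null when AUTH_URL matches the browser host,
// otherwise a one-line diagnosis you can print before starting the dev server.
function checkAuthUrl(envText, browserHost) {
  const r = simulateLogin(parseDotenv(envText), browserHost);
  return r.ok ? null : `AUTH_URL mismatch: ${r.reason} (redirect_uri=${r.redirectUri})`;
}

console.log(checkAuthUrl(BROKEN_ENV, "acme.localhost:3000"));
console.log(checkAuthUrl(PINNED_ENV, "acme.localhost:3000"));
```

Run it with `node` and the first line reports the mismatch while the second prints `null`. The same `redirectUri` helper also shows the stage/prod path: with no AUTH_URL and AUTH_TRUST_HOST=true the host comes from X-Forwarded-Host, and with AUTH_URL pinned that header is ignored.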