sans-self.org
this repo has no description
Fix OAuth routing: send /oauth/* to PDS, not frontend
The IngressRoute was sending all /oauth/ paths to the frontend nginx,
which only serves static SPA files. OAuth protocol endpoints (PAR,
authorize, token, consent, etc.) need to reach the PDS backend.
Only /oauth/client-metadata.json stays on the frontend for hostname
substitution via sub_filter. All other /oauth/* falls through to the
PDS catch-all route.
+11
-2
+11
-2
k8s/pds/ingress.yaml
+11
-2
k8s/pds/ingress.yaml
···
45
45
services:
46
46
- name: tranquil-pds
47
47
port: 3000
48
-
# Frontend (account verification, settings, etc)
49
-
- match: Host(`sans-self.org`) && (PathPrefix(`/app`) || PathPrefix(`/assets`) || PathPrefix(`/oauth`))
48
+
# OAuth client metadata — static file served by frontend (with hostname substitution)
49
+
- match: Host(`sans-self.org`) && Path(`/oauth/client-metadata.json`)
50
+
kind: Rule
51
+
priority: 60
52
+
middlewares:
53
+
- name: strip-server-headers
54
+
services:
55
+
- name: tranquil-frontend
56
+
port: 80
57
+
# Frontend (SPA pages only)
58
+
- match: Host(`sans-self.org`) && (PathPrefix(`/app`) || PathPrefix(`/assets`))
50
59
kind: Rule
51
60
priority: 50
52
61
middlewares: