save changes

src/Router/StellaOps.Gateway.WebService/Program.cs

@@ -124,7 +124,11 @@ builder.Services.AddSingleton<IDpopProofValidator, DpopProofValidator>();
 builder.Services.AddSingleton(new IdentityHeaderPolicyOptions
 {
     EnableLegacyHeaders = bootstrapOptions.Auth.EnableLegacyHeaders,
-    AllowScopeHeaderOverride = bootstrapOptions.Auth.AllowScopeHeader
+    AllowScopeHeaderOverride = bootstrapOptions.Auth.AllowScopeHeader,
+    JwtPassthroughPrefixes = bootstrapOptions.Routes
+        .Where(r => r.PreserveAuthHeaders)
+        .Select(r => r.Path)
+        .ToList()
 });
 
 // Route table: resolver + error routes + HTTP client for reverse proxy
@@ -222,6 +226,20 @@ static void ConfigureAuthentication(WebApplicationBuilder builder, GatewayOption
                 }
             });
 
+        // Configure the OIDC metadata HTTP client to accept self-signed certificates
+        // (Authority uses a dev cert in Docker)
+        if (!authOptions.Authority.RequireHttpsMetadata)
+        {
+            builder.Services.ConfigureHttpClientDefaults(clientBuilder =>
+            {
+                clientBuilder.ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
+                {
+                    ServerCertificateCustomValidationCallback =
+                        HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
+                });
+            });
+        }
+
         if (authOptions.Authority.RequiredScopes.Count > 0)
         {
             builder.Services.AddAuthorization(config =>