From bea066c7f8cd3e4749d64f4d2482bae195a2dccb Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Wed, 28 Jan 2026 17:13:28 +0100
Subject: [PATCH] fix(auth): correct JWKS route mapping for OIDC JWKS is at /api/auth/jwks, not /api/auth/oauth2/jwks.
Co-Authored-By: Claude Opus 4.5
---
 .../mana-core-auth/src/auth/services/better-auth.service.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/services/mana-core-auth/src/auth/services/better-auth.service.ts b/services/mana-core-auth/src/auth/services/better-auth.service.ts
index 0943ee3d3..4621974df 100644
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@@ -1201,7 +1201,7 @@ export class BetterAuthService {
 * - /api/oidc/authorize → /api/auth/oauth2/authorize
 * - /api/oidc/token → /api/auth/oauth2/token
 * - /api/oidc/userinfo → /api/auth/oauth2/userinfo
- * - /api/oidc/jwks → /api/auth/oauth2/jwks
+ * - /api/oidc/jwks → /api/auth/jwks (JWKS is at basePath, not oauth2)
 *
 * @param req - Express request
 * @returns Response data from Better Auth
@@ -1220,6 +1220,10 @@ export class BetterAuthService {
 if (mappedPath.startsWith('/.well-known/')) {
 mappedPath = `/api/auth${mappedPath}`;
 }
+ // Map /api/oidc/jwks to /api/auth/jwks (JWKS is not under oauth2)
+ else if (mappedPath.startsWith('/api/oidc/jwks')) {
+ mappedPath = mappedPath.replace('/api/oidc/jwks', '/api/auth/jwks');
+ }
 // Map /api/oidc/* to /api/auth/oauth2/*
 else if (mappedPath.startsWith('/api/oidc/')) {
 mappedPath = mappedPath.replace('/api/oidc/', '/api/auth/oauth2/');
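Review bot: The new branch in the second hunk matches by prefix, so `startsWith('/api/oidc/jwks')` also accepts any longer path that merely begins with that string and rewrites it to `/api/auth/jwks…`, outside the `/api/auth/oauth2/` prefix that every other `/api/oidc/*` request stays confined to. Only the single JWKS endpoint is meant to be reachable this way, so an exact match keeps the proxied surface as narrow as the comment describes: `else if (mappedPath === '/api/oidc/jwks' || mappedPath.startsWith('/api/oidc/jwks?')) {`. Whether `mappedPath` can carry a query string is not visible, because the enclosing method begins and ends outside this hunk; if it cannot, the `===` comparison alone is enough. A unit test asserting that a path such as `/api/oidc/jwksx` still falls through to the generic `/api/auth/oauth2/` mapping would pin the behaviour.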