Module request_base_url

Request-derived base URL for OAuth discovery responses.

RFC 9728 implementations identify themselves coherently from the host the client actually dialled. A single gateway reachable via both 127.0.0.1 and localhost must echo whichever the client used in every URL it returns (issuer, authorization_endpoint, token_endpoint, resource…), otherwise the client’s RFC 8707 resource indicator won’t round-trip against the configured api_external_url origin.

RequestBaseUrl is an axum extractor that resolves scheme://host[:port] from the incoming request, validating the host against a small allowlist seeded from api_external_url. On allowlist miss or missing/invalid header it falls back to api_external_url — the gateway never advertises a hostname an attacker fabricated via Host header injection.
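The allowlist-then-fallback resolution described above, written against the standard library only. This is an added example, not this crate's code: `resolve_base_url`, `allowlist` and `split_origin` are hypothetical names. It assumes the scheme is taken from `api_external_url` and that the allowlist holds the configured authority plus, when that authority is a loopback name, both loopback spellings on the same port.

```rust
// Added illustration, not the crate's code. Function names and the allowlist
// seeding rule (loopback aliases share the configured port) are assumptions.

/// Split "scheme://authority[/path]" into (scheme, authority).
fn split_origin(url: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    if authority.is_empty() { None } else { Some((scheme, authority)) }
}

/// Allowlist seeded from the configured authority. If that authority is a
/// loopback name, both loopback spellings are accepted on the same port.
fn allowlist(authority: &str) -> Vec<String> {
    const LOOPBACK: [&str; 2] = ["localhost", "127.0.0.1"];
    let authority = authority.to_ascii_lowercase();
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h.to_string(), format!(":{p}")),
        None => (authority.clone(), String::new()),
    };
    let mut allowed = vec![authority];
    if LOOPBACK.iter().any(|l| *l == host) {
        allowed.extend(LOOPBACK.iter().map(|l| format!("{l}{port}")));
    }
    allowed
}

/// Return the base URL to advertise: the request's Host when it is well formed
/// and allowlisted, otherwise the configured api_external_url.
fn resolve_base_url(host_header: Option<&str>, api_external_url: &str) -> String {
    let fallback = api_external_url.to_string();
    let Some((scheme, authority)) = split_origin(api_external_url) else { return fallback };
    let Some(raw) = host_header else { return fallback };
    let host = raw.trim().to_ascii_lowercase();
    // Only host[:port] characters; rejects '/', '@', inner whitespace, CR/LF.
    let well_formed = !host.is_empty()
        && host.bytes().all(|b| b.is_ascii_alphanumeric() || matches!(b, b'.' | b'-' | b':'));
    if well_formed && allowlist(authority).contains(&host) {
        format!("{scheme}://{host}")
    } else {
        fallback
    }
}

fn main() {
    let cfg = "http://127.0.0.1:8080"; // constructed sample configuration
    for h in [Some("localhost:8080"), Some("evil.example"), None] {
        println!("{:?} -> {}", h, resolve_base_url(h, cfg));
    }
}
```

Every URL in a discovery response (issuer, authorization_endpoint, token_endpoint, resource) would be built from the one returned string, so a spoofed Host can only ever yield the configured origin.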

Structs

RequestBaseUrl

Functions

resolve
Resolve a RequestBaseUrl from an optional Host header and configured api_external_url.