Update

config/traefik/dynamic/tls.yml

@@ -1,2 +1,11 @@
-# TLS-Konfiguration deaktiviert fuer Alpha/Dev (IP-basierter HTTP-Zugang).
+# TLS-Konfiguration fuer HTTPS (Self-Signed fuer Dev/Alpha)
-# Wird reaktiviert wenn DNS + HTTPS eingerichtet wird.
+# Benötigt fuer Microsoft Entra ID SSO Callback (Azure erfordert HTTPS Redirect URIs)
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /certs/server.crt
+        keyFile: /certs/server.key
+  certificates:
+    - certFile: /certs/server.crt
+      keyFile: /certs/server.key

docker-compose.yml

@@ -45,8 +45,9 @@ services:
       # API & Dashboard
       - "--api.dashboard=true"
       - "--api.insecure=true"
-      # Entrypoints (nur HTTP fuer Alpha/Dev mit IP-Zugang)
+      # Entrypoints
       - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
       # Docker Provider
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
@@ -66,6 +67,7 @@ services:
       - "--entrypoints.metrics.address=:8082"
     ports:
       - "80:80"
+      - "443:443"      # HTTPS (benötigt für SSO Callback)
       - "8080:8080"    # Dashboard (nur intern)
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -266,6 +268,12 @@ services:
       - "traefik.http.routers.core-api.rule=Host(`172.20.10.59`) && PathPrefix(`/api`)"
       - "traefik.http.routers.core-api.entrypoints=web"
       - "traefik.http.routers.core-api.service=core-api"
+      # HTTPS Router fuer SSO Callback
+      - "traefik.http.routers.core-api-secure.rule=Host(`172.20.10.59`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.core-api-secure.entrypoints=websecure"
+      - "traefik.http.routers.core-api-secure.service=core-api"
+      - "traefik.http.routers.core-api-secure.tls=true"
+      - "traefik.http.routers.core-api-secure.middlewares=api-ratelimit"
       - "traefik.http.services.core-api.loadbalancer.server.port=3000"
       # Health-Endpunkt (ohne Auth)
       - "traefik.http.routers.core-health.rule=Host(`172.20.10.59`) && Path(`/health`)"
@@ -301,6 +309,12 @@ services:
       - "traefik.http.routers.frontend.entrypoints=web"
       - "traefik.http.routers.frontend.service=frontend"
       - "traefik.http.routers.frontend.priority=1"
+      # HTTPS Frontend Router
+      - "traefik.http.routers.frontend-secure.rule=Host(`172.20.10.59`)"
+      - "traefik.http.routers.frontend-secure.entrypoints=websecure"
+      - "traefik.http.routers.frontend-secure.service=frontend"
+      - "traefik.http.routers.frontend-secure.tls=true"
+      - "traefik.http.routers.frontend-secure.priority=1"
       - "traefik.http.services.frontend.loadbalancer.server.port=8080"
     healthcheck:
       test: ["CMD-SHELL", "wget -qO- http://localhost:8080/ || exit 1"]

docs/lexware_office.md

@@ -0,0 +1 @@
+API Key: jRDQJzRkDy896VabAjpougl3evlrAtV5ZFJZeBJY.J2doohK

packages/core-service/src/core/auth/sso/entra-id.service.ts

@@ -90,7 +90,7 @@ export class EntraIdService implements OnModuleInit {
         clientSecret,
         redirectUri:
           redirectUri ||
-          'http://localhost/api/v1/auth/sso/microsoft/callback',
+          'https://localhost/api/v1/auth/sso/microsoft/callback',
       });
       this.logger.log(
         'Microsoft Entra ID SSO aus Umgebungsvariablen initialisiert',
@@ -190,7 +190,7 @@ export class EntraIdService implements OnModuleInit {
         clientId,
         redirectUri:
           redirectUri ||
-          'http://localhost/api/v1/auth/sso/microsoft/callback',
+          'https://localhost/api/v1/auth/sso/microsoft/callback',
         clientSecretMasked: this.maskSecret(clientSecret),
       };
     }