Add internal Authentik URL for server-to-server communication

This fixes ETIMEDOUT errors when exchanging OAuth tokens. The container
now uses the Docker internal service name (authentiknucleo-server-1:9000)
for server-to-server API calls while keeping the public URL for browser
redirects.

Changes:
- Add NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL env var
- Use internal URL for token exchange and userinfo endpoints
- Update docker-compose.yml and Gitea workflow
2025-10-11 18:47:41 -06:00
parent c681c8579d
commit db4a79e617
4 changed files with 9 additions and 4 deletions


@@ -37,6 +37,7 @@ jobs:
NUXT_OAUTH_AUTHENTIK_CLIENT_ID: ${{ secrets.NUXT_OAUTH_AUTHENTIK_CLIENT_ID }}
NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET: ${{ secrets.NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET }}
NUXT_OAUTH_AUTHENTIK_SERVER_URL: ${{ vars.NUXT_OAUTH_AUTHENTIK_SERVER_URL }}
NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL: ${{ vars.NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL }}
NUXT_OAUTH_AUTHENTIK_REDIRECT_URL: ${{ vars.NUXT_OAUTH_AUTHENTIK_REDIRECT_URL }}
NUXT_PUBLIC_APP_URL: ${{ vars.NUXT_PUBLIC_APP_URL }}
NUXT_SESSION_PASSWORD: ${{ secrets.NUXT_SESSION_PASSWORD }}


@@ -10,6 +10,7 @@ services:
- NUXT_OAUTH_AUTHENTIK_CLIENT_ID=${NUXT_OAUTH_AUTHENTIK_CLIENT_ID}
- NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET=${NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET}
- NUXT_OAUTH_AUTHENTIK_SERVER_URL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL}
- NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL}
- NUXT_OAUTH_AUTHENTIK_REDIRECT_URL=${NUXT_OAUTH_AUTHENTIK_REDIRECT_URL}
# Public URL
- NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL}
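Review bot: The new `NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL` entry carries no comment saying it must be a Docker-network-only address. The value named in the commit message (`authentiknucleo-server-1:9000`) uses Authentik's default plain-HTTP port, so the token exchange would presumably cross the Docker network unencrypted. I would add `# Internal URL (Docker network only, include the scheme); token exchange and userinfo go here` above the entry, matching the existing `# Public URL` comment, and keep both containers on a dedicated network that unrelated services do not join. A compose-generated container name also changes with the project name, so a service name or network alias is a steadier target. The services block starts outside the hunk.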


@@ -17,6 +17,7 @@ export default defineNuxtConfig({
clientId: process.env.NUXT_OAUTH_AUTHENTIK_CLIENT_ID || '',
clientSecret: process.env.NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET || '',
serverUrl: process.env.NUXT_OAUTH_AUTHENTIK_SERVER_URL || '',
serverUrlInternal: process.env.NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL || '',
redirectURL: process.env.NUXT_OAUTH_AUTHENTIK_REDIRECT_URL || ''
}
},


@@ -16,12 +16,14 @@ export default defineEventHandler(async (event) => {
clientId: runtimeConfig.oauth.authentik.clientId,
clientSecret: runtimeConfig.oauth.authentik.clientSecret,
serverUrl: runtimeConfig.oauth.authentik.serverUrl,
serverUrlInternal: runtimeConfig.oauth.authentik.serverUrlInternal || runtimeConfig.oauth.authentik.serverUrl,
redirectURL: runtimeConfig.oauth.authentik.redirectURL,
scope: ['openid', 'profile', 'email'],
}
console.log('OAuth Authentik - Iniciando flujo:', {
serverUrl: config.serverUrl,
serverUrlInternal: config.serverUrlInternal,
redirectURL: config.redirectURL,
hasCode: !!query.code
})
@@ -29,8 +31,8 @@ export default defineEventHandler(async (event) => {
// Handle OAuth callback
if (query.code) {
try {
// Exchange code for tokens
const tokenUrl = `${config.serverUrl}/application/o/token/`
// Exchange code for tokens (usar URL interna para comunicación servidor-a-servidor)
const tokenUrl = `${config.serverUrlInternal}/application/o/token/`
const tokenResponse = await $fetch(tokenUrl, {
method: 'POST',
headers: {
@@ -47,8 +49,8 @@ export default defineEventHandler(async (event) => {
const tokens = tokenResponse as any
// Get user info
const userInfoUrl = `${config.serverUrl}/application/o/userinfo/`
// Get user info (usar URL interna para comunicación servidor-a-servidor)
const userInfoUrl = `${config.serverUrlInternal}/application/o/userinfo/`
const user = await $fetch(userInfoUrl, {
headers: {
Authorization: `Bearer ${tokens.access_token}`,
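Review bot: Nothing validates `config.serverUrlInternal` before it is interpolated into `tokenUrl` and `userInfoUrl`. Because the Nuxt config defaults both URLs to `''`, an unset environment turns them into the relative paths `/application/o/token/` and `/application/o/userinfo/`. The POST that presumably carries the client secret and authorization code, and the later Bearer request, would then go wherever `$fetch` resolves a relative path instead of failing closed. A guard before the callback branch would cover both, for example `if (!/^https?:\/\//.test(config.serverUrlInternal)) throw createError({ statusCode: 500, statusMessage: 'OAuth server URL not configured' })`. Separately, the `console.log` in the first hunk now writes the internal hostname to the logs on every request, so I would drop it or gate it behind a development flag. The handler body starts and ends outside these hunks.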