The problem is indeed the web site calling the web API on the local intranet connection. My gateway to the Internet would be at 192.168.1.1 and my web server at 192.160.1.100 and has a second network connection at 192.168.50.100 to a second gateway at 192.168.50.1 with a Web API at 192.168.50.120 and thus I have two internal networks. The Web API has no access to the Internet and should never have direct access to the Internet.
But the Web API also needs to handle all user information while the website just sees an encrypted token. Any information the site needs about the user needs to be retrieved from the API and each access gets logged.
Which causes a bigger issue as the OpenID authentication is between user and website, but does not get passed on to the Web API. It needs a reliable link to a user in the Web API in some way. But the OpenAI authentication would not be available in the API so somehow, the website needs to link it to an API account.
But the website is not allowed to store any data outside the API.
Also, there is no .well-known url on my Web API as it’s an internal service only, running only internally on a special port without HTTPS. The whole system was internal-use-only but we want to extend functionality to the outside World, in a secure way. Which is why the website gets near the gate to the outside Internet and this one does use SSL and a .well-known folder.
So the problem is that the API knows all the security parts but has no access to the Internet. And the site has access to the Internet but can’t easily access the secure data. There’s the challenge.