fix(auth): require and seed client secrets for confidential OpenIddict clients

Diogo-Ferraz · Diogo-Ferraz · commit c8a1b6ae8e30 · 2026-03-04T15:25:28.000+01:00
diff --git a/src/TaskManagement.Auth/Features/Authorization/Services/OpenIddictClientSeeder.cs b/src/TaskManagement.Auth/Features/Authorization/Services/OpenIddictClientSeeder.cs
@@ -29,10 +29,12 @@ public async Task StartAsync(CancellationToken cancellationToken)
             foreach (var clientSettings in _clientSettings.Clients)
             {
                 var resolvedClientType = ResolveClientType(clientSettings);
+                var resolvedClientSecret = ResolveClientSecret(clientSettings, resolvedClientType);
                 var applicationDescriptor = new OpenIddictApplicationDescriptor
                 {
                     ClientId = clientSettings.ClientId,
                     ClientType = resolvedClientType,
+                    ClientSecret = resolvedClientSecret,
                     ConsentType = ConsentTypes.Explicit,
                     DisplayName = clientSettings.DisplayName,
                     Permissions =
@@ -103,5 +105,21 @@ private static string ResolveClientType(ClientSettingsOptions clientSettings)
                     $"Unsupported OpenIddict client type '{clientSettings.ClientType}' for client '{clientSettings.ClientId}'.")
             };
         }
+
+        private static string? ResolveClientSecret(ClientSettingsOptions clientSettings, string resolvedClientType)
+        {
+            if (resolvedClientType == ClientTypes.Public)
+            {
+                return null;
+            }
+
+            if (!string.IsNullOrWhiteSpace(clientSettings.ClientSecret))
+            {
+                return clientSettings.ClientSecret;
+            }
+
+            throw new InvalidOperationException(
+                $"Client '{clientSettings.ClientId}' is configured as confidential but has no client secret.");
+        }
     }
 }
diff --git a/src/TaskManagement.Auth/Infrastructure/Common/Settings/ClientSettings.cs b/src/TaskManagement.Auth/Infrastructure/Common/Settings/ClientSettings.cs
@@ -9,6 +9,7 @@ public class ClientSettingsOptions
     {
         public string ClientId { get; set; } = string.Empty;
         public string ClientType { get; set; } = string.Empty;
+        public string ClientSecret { get; set; } = string.Empty;
         public string DisplayName { get; set; } = string.Empty;
         public List<string> RedirectUris { get; set; } = [];
         public List<string> PostLogoutRedirectUris { get; set; } = [];

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ public class ClientSettingsOptions`
`9`	`9`	`{`
`10`	`10`	`public string ClientId { get; set; } = string.Empty;`
`11`	`11`	`public string ClientType { get; set; } = string.Empty;`
	`12`	`+ public string ClientSecret { get; set; } = string.Empty;`
`12`	`13`	`public string DisplayName { get; set; } = string.Empty;`
`13`	`14`	`public List<string> RedirectUris { get; set; } = [];`
`14`	`15`	`public List<string> PostLogoutRedirectUris { get; set; } = [];`