fix(auth): register and seed OpenIddict API scopes to resolve invalid_scope for angular-client

Diogo-Ferraz · Diogo-Ferraz · commit f0021f6a2b81 · 2026-02-20T11:00:23.000Z
diff --git a/src/TaskManagement.Auth/Features/Authorization/Configuration/OpenIddictConfiguration.cs b/src/TaskManagement.Auth/Features/Authorization/Configuration/OpenIddictConfiguration.cs
@@ -53,7 +53,20 @@ private static IServiceCollection AddOpenIddictServices(IServiceCollection servi
                        .SetIssuer(new Uri(openIddictSettings.Issuer))
                        .SetUserInfoEndpointUris("connect/userinfo");
 
-                    options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles);
+                    var configuredScopes = builder.Configuration
+                        .GetSection("ClientSettings:Clients")
+                        .Get<ClientSettingsOptions[]>()?
+                        .SelectMany(client => client.AllowedScopes)
+                        .Where(scope => !string.IsNullOrWhiteSpace(scope))
+                        .Distinct(StringComparer.OrdinalIgnoreCase)
+                        .ToArray() ?? [];
+
+                    var registeredScopes = new[] { Scopes.Email, Scopes.Profile, Scopes.Roles }
+                        .Concat(configuredScopes)
+                        .Distinct(StringComparer.OrdinalIgnoreCase)
+                        .ToArray();
+
+                    options.RegisterScopes(registeredScopes);
 
                     options.AllowAuthorizationCodeFlow();
 
@@ -93,6 +106,7 @@ private static IServiceCollection AddOpenIddictServices(IServiceCollection servi
 
             // Register the worker responsible for seeding the database.
             // Note: in a real world application, this step should be part of a setup script.
+            services.AddHostedService<OpenIddictScopeSeeder>();
             services.AddHostedService<OpenIddictClientSeeder>();
 
             return services;
diff --git a/src/TaskManagement.Auth/Features/Authorization/Services/OpenIddictScopeSeeder.cs b/src/TaskManagement.Auth/Features/Authorization/Services/OpenIddictScopeSeeder.cs
@@ -0,0 +1,60 @@
+﻿using Microsoft.Extensions.Options;
+using OpenIddict.Abstractions;
+using TaskManagement.Auth.Infrastructure.Common.Settings;
+
+namespace TaskManagement.Auth.Features.Authorization.Services
+{
+    public class OpenIddictScopeSeeder : IHostedService
+    {
+        private readonly IServiceProvider _serviceProvider;
+        private readonly ClientSettings _clientSettings;
+        private readonly OpenIddictSettings _openIddictSettings;
+
+        public OpenIddictScopeSeeder(
+            IServiceProvider serviceProvider,
+            IOptions<ClientSettings> clientSettings,
+            IOptions<OpenIddictSettings> openIddictSettings)
+        {
+            _serviceProvider = serviceProvider;
+            _clientSettings = clientSettings.Value;
+            _openIddictSettings = openIddictSettings.Value;
+        }
+
+        public async Task StartAsync(CancellationToken cancellationToken)
+        {
+            await using var scope = _serviceProvider.CreateAsyncScope();
+            var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictScopeManager>();
+
+            var allowedScopes = _clientSettings.Clients
+                .SelectMany(client => client.AllowedScopes)
+                .Where(scopeName => !string.IsNullOrWhiteSpace(scopeName))
+                .Distinct(StringComparer.OrdinalIgnoreCase)
+                .ToList();
+
+            foreach (var scopeName in allowedScopes)
+            {
+                var descriptor = new OpenIddictScopeDescriptor
+                {
+                    Name = scopeName,
+                    DisplayName = $"{scopeName} scope"
+                };
+
+                if (!string.IsNullOrWhiteSpace(_openIddictSettings.Audience))
+                {
+                    descriptor.Resources.Add(_openIddictSettings.Audience);
+                }
+
+                var existingScope = await manager.FindByNameAsync(scopeName, cancellationToken);
+                if (existingScope is null)
+                {
+                    await manager.CreateAsync(descriptor, cancellationToken);
+                    continue;
+                }
+
+                await manager.UpdateAsync(existingScope, descriptor, cancellationToken);
+            }
+        }
+
+        public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+    }
+}
