fix(auth): harden OpenIddict client seeding with explicit client type and self-heal for invalid existing clients

Diogo-Ferraz · Diogo-Ferraz · commit 5cc4d722ef4f · 2026-03-02T21:57:43.000+01:00
diff --git a/src/TaskManagement.Auth/Features/Authorization/Services/OpenIddictClientSeeder.cs b/src/TaskManagement.Auth/Features/Authorization/Services/OpenIddictClientSeeder.cs
@@ -28,9 +28,11 @@ public async Task StartAsync(CancellationToken cancellationToken)
 
             foreach (var clientSettings in _clientSettings.Clients)
             {
+                var resolvedClientType = ResolveClientType(clientSettings);
                 var applicationDescriptor = new OpenIddictApplicationDescriptor
                 {
                     ClientId = clientSettings.ClientId,
+                    ClientType = resolvedClientType,
                     ConsentType = ConsentTypes.Explicit,
                     DisplayName = clientSettings.DisplayName,
                     Permissions =
@@ -72,10 +74,34 @@ public async Task StartAsync(CancellationToken cancellationToken)
                     continue;
                 }
 
+                var existingClientType = await manager.GetClientTypeAsync(existingClient, cancellationToken);
+                if (string.IsNullOrWhiteSpace(existingClientType))
+                {
+                    await manager.DeleteAsync(existingClient, cancellationToken);
+                    await manager.CreateAsync(applicationDescriptor, cancellationToken);
+                    continue;
+                }
+
                 await manager.UpdateAsync(existingClient, applicationDescriptor, cancellationToken);
             }
         }
 
         public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+
+        private static string ResolveClientType(ClientSettingsOptions clientSettings)
+        {
+            if (string.IsNullOrWhiteSpace(clientSettings.ClientType))
+            {
+                return ClientTypes.Public;
+            }
+
+            return clientSettings.ClientType.Trim().ToLowerInvariant() switch
+            {
+                "public" => ClientTypes.Public,
+                "confidential" => ClientTypes.Confidential,
+                _ => throw new InvalidOperationException(
+                    $"Unsupported OpenIddict client type '{clientSettings.ClientType}' for client '{clientSettings.ClientId}'.")
+            };
+        }
     }
 }
diff --git a/src/TaskManagement.Auth/Infrastructure/Common/Settings/ClientSettings.cs b/src/TaskManagement.Auth/Infrastructure/Common/Settings/ClientSettings.cs
@@ -8,6 +8,7 @@ public class ClientSettings
     public class ClientSettingsOptions
     {
         public string ClientId { get; set; } = string.Empty;
+        public string ClientType { get; set; } = string.Empty;
         public string DisplayName { get; set; } = string.Empty;
         public List<string> RedirectUris { get; set; } = [];
         public List<string> PostLogoutRedirectUris { get; set; } = [];

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ public class ClientSettings`
`8`	`8`	`public class ClientSettingsOptions`
`9`	`9`	`{`
`10`	`10`	`public string ClientId { get; set; } = string.Empty;`
	`11`	`+ public string ClientType { get; set; } = string.Empty;`
`11`	`12`	`public string DisplayName { get; set; } = string.Empty;`
`12`	`13`	`public List<string> RedirectUris { get; set; } = [];`
`13`	`14`	`public List<string> PostLogoutRedirectUris { get; set; } = [];`