TransactionProcessing · StuartFerguson · Mar 28, 2026 · Mar 28, 2026 · Mar 28, 2026 · Mar 28, 2026
diff --git a/SecurityService.IntegrationTests/Users/Users.feature.cs b/SecurityService.IntegrationTests/Users/Users.feature.cs
diff --git a/SecurityService/Oidc/OidcEndpoints.cs b/SecurityService/Oidc/OidcEndpoints.cs
@@ -138,7 +138,7 @@ public static async Task<IResult> TokenAsync(
             {
                 return InvalidGrant("The token is no longer valid.");
             }
-
+            
             var principal = await OidcHelpers.CreatePrincipalAsync(
                 user,
                 userManager,
@@ -175,8 +175,10 @@ await scopeManager.ListResourcesAsync(ImmutableArray.CreateRange(authenticationR
                 return InvalidGrant();
             }
 
-            var resources = await scopeManager.ListResourcesAsync(ImmutableArray.CreateRange(request.GetScopes()), cancellationToken).ToListAsync(cancellationToken);
-            var principal = await OidcHelpers.CreatePrincipalAsync(user, userManager, request.GetScopes(), resources, authorizationId: null);
+            var grantedScopes = await ResolveClientCredentialsScopesAsync(request, dbContext, cancellationToken);
+
+            var resources = await scopeManager.ListResourcesAsync(ImmutableArray.CreateRange(grantedScopes), cancellationToken).ToListAsync(cancellationToken);
+            var principal = await OidcHelpers.CreatePrincipalAsync(user, userManager, grantedScopes, resources, authorizationId: null);
             return Results.SignIn(principal, authenticationScheme: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
         }
 

diff --git a/SecurityService/Oidc/OidcHelpers.cs b/SecurityService/Oidc/OidcHelpers.cs
@@ -50,7 +50,8 @@ public static async Task<ClaimsPrincipal> CreatePrincipalAsync(
         identity.SetClaim(Claims.Subject, user.Id)
                 .SetClaim(Claims.Email, user.Email)
                 .SetClaim(Claims.Name, user.UserName)
-                .SetClaim(Claims.PreferredUsername, user.UserName);
+                .SetClaim(Claims.PreferredUsername, user.UserName)
+                .SetClaim(ClaimTypes.NameIdentifier, user.Id);
 
         if (string.IsNullOrWhiteSpace(user.GivenName) == false)
         {

diff --git a/SecurityService/Services/GrantService.cs b/SecurityService/Services/GrantService.cs
@@ -3,7 +3,6 @@
 using SecurityService.Models;
 using SimpleResults;
 using System.IdentityModel.Tokens.Jwt;
-using System.Security.Claims;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
 namespace SecurityService.Services;
@@ -76,6 +75,4 @@ public async Task<Result> RevokeAsync(string userId, string authorizationId, Can
             ? Result.Success()
             : Result.Failure("The authorization could not be revoked.");
     }
-}
-
-
+}
diff --git a/SecurityService/appsettings.json b/SecurityService/appsettings.json
@@ -1,17 +1,7 @@
 {
   "ConnectionStrings": {
-    "AuthenticationDbContext": "Server=127.0.0.1;Database=NewSecurityService;user id=sa;password=sp1ttal;Encrypt=false"
+    "AuthenticationDbContext": "Server=127.0.0.1;Database=SecurityService;user id=sa;password=sp1ttal;Encrypt=false"
   },
-  //"SecurityService": {
-  //  "UseInMemoryDatabase": false,
-  //  "InMemoryDatabaseName": "NewSecurityService",
-  //  "DatabaseProvider": "SqlServer",
-  //  "IssuerUrl": "https://localhost:5001/",
-  //  "SeedDefaultScopes": true,    
-  //  "PublicOrigin": "https://localhost:5001/",
-  //  "ExternalProviders": [],
-  //  "SignInOptions"
-  //},
   "ServiceOptions": {
     "SeedDefaultScopes": false,
     "PublicOrigin": "https://127.0.0.1:50001",