DFE-Digital · gunndabad · Apr 10, 2024 · Apr 10, 2024
diff --git a/...hingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs b/...hingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs
@@ -25,6 +25,18 @@ public async Task<IActionResult> Authorize()
         var request = HttpContext.GetOpenIddictServerRequest() ??
             throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
 
+        if (!request.HasScope(CustomScopes.TeachingRecord))
+        {
+            return Forbid(
+                authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
+                properties: new AuthenticationProperties(new Dictionary<string, string?>()
+                {
+                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidRequest,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
+                        $"Requests must include the {CustomScopes.TeachingRecord} scope."
+                }));
+        }
+
         var clientId = request.ClientId!;
         var client = await dbContext.ApplicationUsers.SingleAsync(u => u.ClientId == clientId);
 

diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs
@@ -0,0 +1,6 @@
+namespace TeachingRecordSystem.AuthorizeAccess;
+
+public static class CustomScopes
+{
+    public const string TeachingRecord = "teaching_record";
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
@@ -81,8 +81,7 @@
             .SetTokenEndpointUris("oauth2/token")
             .SetUserinfoEndpointUris("oauth2/userinfo");
 
-        // TODO - add teaching record scopes
-        options.RegisterScopes(Scopes.Email, Scopes.Profile);
+        options.RegisterScopes(Scopes.Email, Scopes.Profile, CustomScopes.TeachingRecord);
 
         options.AllowAuthorizationCodeFlow();
 

diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
@@ -35,6 +35,7 @@ public static WebApplicationBuilder AddTestApp(this WebApplicationBuilder builde
                     options.Scope.Add("openid");
                     options.Scope.Add("email");
                     options.Scope.Add("profile");
+                    options.Scope.Add(CustomScopes.TeachingRecord);
                 });
         }
         else

diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
@@ -105,7 +105,8 @@ public void EnsureConfiguredForOneLogin()
                 Permissions.GrantTypes.AuthorizationCode,
                 Permissions.ResponseTypes.Code,
                 Permissions.Scopes.Email,
-                Permissions.Scopes.Profile),
+                Permissions.Scopes.Profile,
+                $"{Permissions.Prefixes.Scope}teaching_record"),
             RedirectUris = CreateJsonArray(RedirectUris!.ToArray()),
             PostLogoutRedirectUris = CreateJsonArray(PostLogoutRedirectUris!.ToArray()),
             Requirements = CreateJsonArray(Requirements.Features.ProofKeyForCodeExchange)