TransactionProcessing · StuartFerguson · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/EstateReportingAPI/Bootstrapper/MiddlewareRegistry.cs b/EstateReportingAPI/Bootstrapper/MiddlewareRegistry.cs
@@ -1,20 +1,20 @@
 using Microsoft.OpenApi;
-using OpenIddict.Client;
 using Shared.Middleware;
 
 namespace EstateReportingAPI.Bootstrapper{
-    using System.Diagnostics.CodeAnalysis;
-    using System.Net.Security;
-    using System.Reflection;
     using Common;
     using Lamar;
     using Microsoft.AspNetCore.Authentication.JwtBearer;
     using Microsoft.Extensions.Diagnostics.HealthChecks;
     using Microsoft.IdentityModel.Tokens;
     using Newtonsoft.Json;
     using Newtonsoft.Json.Serialization;
+    using OpenIddict.Validation.AspNetCore;
     using Shared.General;
     using Swashbuckle.AspNetCore.Filters;
+    using System.Diagnostics.CodeAnalysis;
+    using System.Net.Security;
+    using System.Reflection;
 
     [ExcludeFromCodeCoverage]
     public class MiddlewareRegistry : ServiceRegistry{
@@ -81,24 +81,35 @@ private void ConfigureSwagger(){
         private void ConfigureAuthentication(){
             String? inTestMode = Environment.GetEnvironmentVariable("InTestMode");
             if (String.Compare(inTestMode, Boolean.TrueString, StringComparison.InvariantCultureIgnoreCase) != 0){
+                this.AddAuthentication(options =>
+                {
+                    options.DefaultScheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
+                });
+
                 this.AddOpenIddict()
-                    // Register the OpenIddict client components.
-                    .AddClient(options => {
-                        // Allow grant_type=client_credentials to be negotiated.
-                        options.AllowClientCredentialsFlow();
-
-                        // Disable token storage, which is not necessary for non-interactive flows like
-                        // grant_type=password, grant_type=client_credentials or grant_type=refresh_token.
-                        options.DisableTokenStorage();
-
-                        // Register the System.Net.Http integration and use the identity of the current
-                        // assembly as a more specific user agent, which can be useful when dealing with
-                        // providers that use the user agent as a way to throttle requests (e.g Reddit).
-                        options.UseSystemNetHttp().SetProductInformation(typeof(Program).Assembly);
-
-                        // Add a client registration matching the client application definition in the server project.
-                        options.AddRegistration(new OpenIddictClientRegistration { Issuer = new Uri(ConfigurationReader.GetValue("SecurityConfiguration", "Authority"), UriKind.Absolute), ClientId = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName") });
+                    .AddValidation(options =>
+                    {
+                        // Same as your Authority
+                        options.SetIssuer(new Uri(ConfigurationReader.GetValue("SecurityConfiguration", "Authority")));
+
+                        // Enables discovery and HTTP backchannel support
+                        options.UseSystemNetHttp()
+                            .ConfigureHttpClientHandler(handler =>
+                            {
+                                // DEV ONLY: bypass all certificate errors
+                                handler.ServerCertificateCustomValidationCallback =
+                                    HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+                            });
+
+                        // Register the ASP.NET Core integration
+                        options.UseAspNetCore();
+
+                        // Optionally set expected audience(s):
+                        options.AddAudiences(ConfigurationReader.GetValue("SecurityConfiguration", "ApiName"));
+
                     });
+
+                this.AddAuthorization();
             }
         }
 

diff --git a/EstateReportingAPI/EstateReportingAPI.csproj b/EstateReportingAPI/EstateReportingAPI.csproj
@@ -18,7 +18,8 @@
   </ItemGroup>
 
 	<ItemGroup>
-		<PackageReference Include="OpenIddict.Client.SystemNetHttp" Version="7.4.0" />
+		<PackageReference Include="OpenIddict.Validation.AspNetCore" Version="7.4.0" />
+		<PackageReference Include="OpenIddict.Validation.SystemNetHttp" Version="7.4.0" />
 		<PackageReference Include="Lamar" Version="15.0.1" />
 		<PackageReference Include="Lamar.Microsoft.DependencyInjection" Version="15.0.1" />
 		<PackageReference Include="NLog.Extensions.Logging" Version="6.1.2" />