From f6a3aa9c46b4078500039b672ffa0680462df7dd Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 10 Aug 2025 22:12:57 +0200
Subject: [PATCH 01/43] Remove IdentityServer4 packages

---
 SS14.Auth.Shared/SS14.Auth.Shared.csproj | 1 -
 SS14.Web/SS14.Web.csproj                 | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/SS14.Auth.Shared/SS14.Auth.Shared.csproj b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
index 6acfab5..5fe2e54 100644
--- a/SS14.Auth.Shared/SS14.Auth.Shared.csproj
+++ b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
@@ -25,7 +25,6 @@
         <PackageReference Include="Serilog.Settings.Configuration" Version="3.3.0" />
         <PackageReference Include="Serilog.Sinks.Console" Version="4.0.1" />
         <PackageReference Include="Serilog.Sinks.Loki" Version="3.0.1-beta1" />
-        <PackageReference Include="IdentityServer4.EntityFramework.Storage" Version="4.1.2" />
         <PackageReference Include="Dapper" Version="2.0.123" />
         <PackageReference Include="Microsoft.Data.Sqlite" Version="6.0.3" />
     </ItemGroup>
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 1b5c315..8e9acc8 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -6,9 +6,6 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="IdentityServer4" Version="4.1.2" />
-        <PackageReference Include="IdentityServer4.EntityFramework" Version="4.1.2" />
-        <PackageReference Include="IdentityServer4.AspNetIdentity" Version="4.1.2" />
         <PackageReference Include="AspNet.Security.OAuth.Patreon" Version="6.0.2" />
         <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="6.0.0" />
         <PackageReference Include="NetEscapades.Configuration.Yaml" Version="2.1.0" />

From 555ded668af503ed9d0e5c9d1dea8cd4d5ed5f52 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 10 Aug 2025 22:47:49 +0200
Subject: [PATCH 02/43] Comment out IdentityServer4 code

---
 SS14.Auth.Shared/Data/ApplicationDbContext.cs | 21 +++---
 SS14.Auth.Shared/Data/UserOAuthClient.cs      | 11 +--
 .../Areas/Admin/Pages/Clients/Client.cshtml   | 23 ++++---
 .../Admin/Pages/Clients/Client.cshtml.cs      | 25 +++----
 .../Admin/Pages/Clients/ConfirmDelete.cshtml  | 10 +--
 .../Pages/Clients/ConfirmDelete.cshtml.cs     | 19 ++---
 .../Areas/Admin/Pages/Clients/Index.cshtml    |  7 +-
 .../Areas/Admin/Pages/Clients/Index.cshtml.cs | 26 ++++---
 .../Identity/Pages/Account/Consent.cshtml     | 22 +++---
 .../Identity/Pages/Account/Consent.cshtml.cs  | 35 +++++-----
 .../Pages/Account/Manage/Developer.cshtml     |  3 +-
 .../Pages/Account/Manage/Developer.cshtml.cs  |  6 +-
 .../Manage/OAuthApps/ConfirmDelete.cshtml     |  4 +-
 .../Manage/OAuthApps/ConfirmDelete.cshtml.cs  | 18 ++---
 .../Account/Manage/OAuthApps/Create.cshtml.cs | 13 ++--
 .../Account/Manage/OAuthApps/Manage.cshtml    | 12 ++--
 .../Account/Manage/OAuthApps/Manage.cshtml.cs | 69 +++++++++----------
 SS14.Web/PersonalDataCollector.cs             |  6 +-
 SS14.Web/Startup.cs                           | 30 ++++----
 19 files changed, 179 insertions(+), 181 deletions(-)

diff --git a/SS14.Auth.Shared/Data/ApplicationDbContext.cs b/SS14.Auth.Shared/Data/ApplicationDbContext.cs
index 3b3b507..de20479 100644
--- a/SS14.Auth.Shared/Data/ApplicationDbContext.cs
+++ b/SS14.Auth.Shared/Data/ApplicationDbContext.cs
@@ -1,19 +1,16 @@
 using System;
-using System.Threading.Tasks;
-using IdentityServer4.EntityFramework.Entities;
-using IdentityServer4.EntityFramework.Extensions;
-using IdentityServer4.EntityFramework.Interfaces;
-using IdentityServer4.EntityFramework.Options;
 using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
 
 namespace SS14.Auth.Shared.Data;
 
+// TODO: Replace identityserver4 code in this file
+
 public class ApplicationDbContext : IdentityDbContext<SpaceUser, SpaceRole, Guid>,
-    IDataProtectionKeyContext,
-    IConfigurationDbContext,
-    IPersistedGrantDbContext
+    IDataProtectionKeyContext //,
+    //IConfigurationDbContext,
+    //IPersistedGrantDbContext
 {
     public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
         : base(options)
@@ -73,7 +70,7 @@ protected override void OnModelCreating(ModelBuilder builder)
             .HasIndex(h => new { h.HwidId, h.SpaceUserId })
             .IsUnique();
 
-        var cfgStoreOptions = new ConfigurationStoreOptions
+        /*var cfgStoreOptions = new ConfigurationStoreOptions
         {
             IdentityResource = new TableConfiguration("IdentityResources", "IS4"),
             IdentityResourceClaim = new TableConfiguration("IdentityResourceClaims", "IS4"),
@@ -103,7 +100,7 @@ protected override void OnModelCreating(ModelBuilder builder)
         {
             PersistedGrants = new TableConfiguration("PersistedGrants", "IS4"),
             DeviceFlowCodes = new TableConfiguration("DeviceCodes", "IS4"),
-        });
+        });*/
     }
 
     public DbSet<LoginSession> ActiveSessions { get; set; }
@@ -120,7 +117,7 @@ protected override void OnModelCreating(ModelBuilder builder)
     public DbSet<HwidUser> HwidUsers { get; set; }
 
     // IS4 configuration.
-    public DbSet<Client> Clients { get; set; }
+    /*public DbSet<Client> Clients { get; set; }
     public DbSet<ClientSecret> ClientSecrets { get; set; }
     public DbSet<ClientCorsOrigin> ClientCorsOrigins { get; set; }
     public DbSet<IdentityResource> IdentityResources { get; set; }
@@ -134,5 +131,5 @@ protected override void OnModelCreating(ModelBuilder builder)
     Task<int> IPersistedGrantDbContext.SaveChangesAsync()
     {
         return base.SaveChangesAsync();
-    }
+    }*/
 }
diff --git a/SS14.Auth.Shared/Data/UserOAuthClient.cs b/SS14.Auth.Shared/Data/UserOAuthClient.cs
index 79258b6..70ffa70 100644
--- a/SS14.Auth.Shared/Data/UserOAuthClient.cs
+++ b/SS14.Auth.Shared/Data/UserOAuthClient.cs
@@ -1,16 +1,17 @@
 
 using System;
-using IdentityServer4.EntityFramework.Entities;
 
 namespace SS14.Auth.Shared.Data;
 
 public sealed class UserOAuthClient
 {
     public int UserOAuthClientId { get; set; }
-    
+
     public Guid SpaceUserId { get; set; }
     public int ClientId { get; set; }
-    
+
     public SpaceUser SpaceUser { get; set; }
-    public Client Client { get; set; }
-}
\ No newline at end of file
+    // TODO: Replace identityserver4 code in this file
+
+    //public Client Client { get; set; }
+}
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
index 9a927ff..af46e15 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
@@ -1,15 +1,17 @@
 @page
 @model SS14.Web.Areas.Admin.Pages.Clients.Client
-
+@* Oh god this file is going to be horrible to refactor for openiddict *@
 @{
-    ViewData["Title"] = $"OAuth Client: {Model.Title}";
+    // TODO: Replace identityserver4 code in this file
+
+    //ViewData["Title"] = $"OAuth Client: {Model.Title}";
 }
 
 <nav aria-label="breadcrumb">
     <ol class="breadcrumb">
         <li class="breadcrumb-item"><a asp-page="../Index">Hub Admin</a></li>
         <li class="breadcrumb-item"><a asp-page="./Index">OAuth Clients</a></li>
-        <li class="breadcrumb-item active" aria-current="page">@Model.Title</li>
+        @*<li class="breadcrumb-item active" aria-current="page">@Model.Title</li>*@
     </ol>
 </nav>
 
@@ -313,7 +315,7 @@
     <textarea asp-for="Input.IdentityProviderRestrictions" class="form-control col-sm-9"></textarea>
 </div>
 
-<button id="save-button" type="submit" asp-page-handler="Save" asp-route-id="@Model.DbClient.Id" class="btn btn-primary btn-sm">Save</button>
+@*<button id="save-button" type="submit" asp-page-handler="Save" asp-route-id="@Model.DbClient.Id" class="btn btn-primary btn-sm">Save</button>*@
 </form>
 
 <h5 class="mt-5">Secrets</h5>
@@ -328,7 +330,7 @@
     </tr>
     </thead>
     <tbody>
-    @foreach (var secret in Model.Secrets)
+    @*@foreach (var secret in Model.Secrets)
     {
         <tr>
             <td>@secret.Description</td>
@@ -337,12 +339,12 @@
             <td>
                 <form method="post">
                     <button type="submit"
-                            asp-page-handler="DeleteSecret" asp-route-secret="@secret.Id" 
+                            asp-page-handler="DeleteSecret" asp-route-secret="@secret.Id"
                             class="btn btn-danger">Delete</button>
                 </form>
             </td>
-        </tr>   
-    }
+        </tr>
+    }*@
     </tbody>
 </table>
 
@@ -354,10 +356,11 @@
         <input asp-for="CreateSecretInput.Value" class="form-control col-md-3" placeholder="Value">
         <label asp-for="CreateSecretInput.Type" class="col-form-label col-md-1"></label>
         <input asp-for="CreateSecretInput.Type" class="form-control col-md-2">
-        <button type="submit" asp-route-id="@Model.DbClient.Id" asp-page-handler="CreateSecret" class="btn btn-primary col-md-1">Create</button>
+        @*<button type="submit" asp-route-id="@Model.DbClient.Id" asp-page-handler="CreateSecret" class="btn btn-primary col-md-1">Create</button>*@
     </div>
 </form>
 
 <h5 class="mt-5">Actions</h5>
-
+@*
 <a asp-page="./ConfirmDelete" asp-route-id="@Model.DbClient.Id" class="btn btn-danger">Delete</a>
+*@
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
index 4f5ab11..25f79a5 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
@@ -1,19 +1,12 @@
-using System;
-using System.Collections.Generic;
-using System.ComponentModel.DataAnnotations;
-using System.Linq;
-using System.Security.Cryptography;
-using System.Threading.Tasks;
-using IdentityServer4.EntityFramework.Entities;
-using IdentityServer4.Models;
+using System.ComponentModel.DataAnnotations;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.EntityFrameworkCore;
 using SS14.Auth.Shared.Data;
-using DbClient = IdentityServer4.EntityFramework.Entities.Client;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
+// TODO: Replace identityserver4 code in this file
+
 public class Client : PageModel
 {
     private readonly ApplicationDbContext _dbContext;
@@ -28,11 +21,11 @@ public Client(ApplicationDbContext dbContext)
 
     [TempData] public string StatusMessage { get; set; }
 
-    public DbClient DbClient { get; set; }
+    //public DbClient DbClient { get; set; }
 
-    public string Title => DbClient.ClientName ?? DbClient.ClientId;
+    //public string Title => DbClient.ClientName ?? DbClient.ClientId;
 
-    public IEnumerable<ClientSecret> Secrets { get; set; }
+    //public IEnumerable<ClientSecret> Secrets { get; set; }
 
     public sealed class CreateSecretModel
     {
@@ -99,7 +92,7 @@ public sealed class InputModel
         public string AllowedCorsOrigins { get; set; }
     }
 
-    public async Task<IActionResult> OnGetAsync(int id)
+    /*public async Task<IActionResult> OnGetAsync(int id)
     {
         DbClient = await _dbContext.Clients
             .Include(c => c.RedirectUris)
@@ -321,5 +314,5 @@ public async Task<IActionResult> OnPostDeleteSecretAsync(int secret)
         StatusMessage = "Secret deleted.";
 
         return RedirectToPage(new {id = dbSecret.ClientId});
-    }
-}
\ No newline at end of file
+    }*/
+}
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml
index b03013c..4bbb077 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml
@@ -2,18 +2,20 @@
 @model SS14.Web.Areas.Admin.Pages.Clients.ConfirmDelete
 
 @{
-    ViewData["Title"] = $"Delete {Model.Title}?";
+    // TODO: Replace identityserver4 code in this file
+
+    //ViewData["Title"] = $"Delete {Model.Title}?";
 }
 
 <nav aria-label="breadcrumb">
     <ol class="breadcrumb">
         <li class="breadcrumb-item"><a asp-page="../Index">Hub Admin</a></li>
         <li class="breadcrumb-item"><a asp-page="./Index">OAuth Clients</a></li>
-        <li class="breadcrumb-item "><a asp-page="./ViewUser" asp-route-id="@Model.DbClient.Id">@Model.Title</a></li>
+        @*<li class="breadcrumb-item "><a asp-page="./ViewUser" asp-route-id="@Model.DbClient.Id">@Model.Title</a></li>*@
         <li class="breadcrumb-item active" aria-current="page">Confirm Deletion</li>
     </ol>
 </nav>
 
 <form method="post">
-    <button id="delete-button" type="submit" asp-page-handler="Delete" asp-route-id="@Model.DbClient.Id" class="btn btn-danger">Delete</button>
-</form>
\ No newline at end of file
+    @*<button id="delete-button" type="submit" asp-page-handler="Delete" asp-route-id="@Model.DbClient.Id" class="btn btn-danger">Delete</button>*@
+</form>
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
index 7f2921f..9c904a1 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
@@ -3,10 +3,11 @@
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
 using SS14.Auth.Shared.Data;
-using DbClient = IdentityServer4.EntityFramework.Entities.Client;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
+// TODO: Replace identityserver4 code in this file
+
 public class ConfirmDelete : PageModel
 {
     private readonly ApplicationDbContext _dbContext;
@@ -16,24 +17,24 @@ public ConfirmDelete(ApplicationDbContext dbContext)
         _dbContext = dbContext;
     }
 
-    public DbClient DbClient { get; set; }
-    public string Title => DbClient.ClientName ?? DbClient.ClientId;
- 
+    //public DbClient DbClient { get; set; }
+    //public string Title => DbClient.ClientName ?? DbClient.ClientId;
+
     public async Task<IActionResult> OnGetAsync(int id)
     {
-        DbClient = await _dbContext.Clients.FirstOrDefaultAsync(c => c.Id == id);
+        /*DbClient = await _dbContext.Clients.FirstOrDefaultAsync(c => c.Id == id);
 
         if (DbClient == null)
         {
             return NotFound("Unknown client");
-        }
+        }*/
 
         return Page();
     }
 
     public async Task<IActionResult> OnPostDeleteAsync(int id)
     {
-        DbClient = await _dbContext.Clients.FirstOrDefaultAsync(c => c.Id == id);
+        /*DbClient = await _dbContext.Clients.FirstOrDefaultAsync(c => c.Id == id);
 
         if (DbClient == null)
         {
@@ -44,7 +45,7 @@ public async Task<IActionResult> OnPostDeleteAsync(int id)
 
         await _dbContext.SaveChangesAsync();
 
-        TempData["StatusMessage"] = "OAuth client deleted";
+        TempData["StatusMessage"] = "OAuth client deleted";*/
         return RedirectToPage("./Index");
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
index 83e71c1..59809c2 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
@@ -2,6 +2,7 @@
 @model SS14.Web.Areas.Admin.Pages.Clients.Index
 
 @{
+    // TODO: Replace identityserver4 code in this file
     ViewData["Title"] = "OAuth Clients";
 }
 <nav aria-label="breadcrumb">
@@ -13,7 +14,7 @@
 
 @if (TempData.ContainsKey("StatusMessage"))
 {
-    <partial name="_StatusMessage" model="@TempData["StatusMessage"]" />   
+    <partial name="_StatusMessage" model="@TempData["StatusMessage"]" />
 }
 
 <form asp-page-handler="NewClient" method="post">
@@ -30,7 +31,7 @@
     </tr>
     </thead>
     <tbody>
-        @foreach (var (client, userClient) in Model.Clients)
+        @*@foreach (var (client, userClient) in Model.Clients)
         {
             <tr>
                 <td>@client.ClientId</td>
@@ -45,7 +46,7 @@
                     <a asp-page="./Client" asp-route-id="@client.Id">View</a>
                 </td>
             </tr>
-        }
+        }*@
     </tbody>
 </table>
 
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
index affa465..5235a3d 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
@@ -1,20 +1,17 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.EntityFrameworkCore;
 using SS14.Auth.Shared.Data;
-using DbClient = IdentityServer4.EntityFramework.Entities.Client;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
+// TODO: Replace identityserver4 code in this file
+
 public class Index : PageModel
 {
     private readonly ApplicationDbContext _dbContext;
 
-    public IEnumerable<(DbClient, UserOAuthClient)> Clients { get; set; }
+    //public IEnumerable<(DbClient, UserOAuthClient)> Clients { get; set; }
 
     public Index(ApplicationDbContext dbContext)
     {
@@ -23,28 +20,29 @@ public Index(ApplicationDbContext dbContext)
 
     public async Task OnGetAsync()
     {
-        // This is a left join
+        /*// This is a left join
         var query = from c in _dbContext.Clients
             join uc in _dbContext.UserOAuthClients.Include(c => c.SpaceUser)
                 on c.Id equals uc.ClientId into grouping
             from uc in grouping.DefaultIfEmpty()
             orderby c.Created
             select new { c, uc };
-            
-        Clients = (await query.ToListAsync()).Select(c => (c.c, c.uc));
+
+        Clients = (await query.ToListAsync()).Select(c => (c.c, c.uc));*/
     }
 
     public async Task<IActionResult> OnPostNewClientAsync()
     {
-        var client = new IdentityServer4.EntityFramework.Entities.Client
+        /*var client = new IdentityServer4.EntityFramework.Entities.Client
         {
             ClientId = Guid.NewGuid().ToString(),
         };
 
         // ReSharper disable once MethodHasAsyncOverload
-        _dbContext.Clients.Add(client);
+        _dbContext.Clients.Add(client);*/
         await _dbContext.SaveChangesAsync();
 
-        return RedirectToPage("./Client", new { id = client.Id });
+        //return RedirectToPage("./Client", new { id = client.Id });
+        return NotFound();
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
index 9f94a18..538f79e 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
@@ -4,7 +4,7 @@
 @{
     Layout = null;
 }
-
+@* TODO: Replace identityserver4 code in this file *@
 <!DOCTYPE html>
 <html lang="en">
 <head>
@@ -27,18 +27,18 @@
     </div>
     <div class="row">
         <div class="col d-flex align-items-center">
-            <h2 class="text-center flex-grow-1 m-3">Authorize @Model.AuthRequest.Client.ClientName</h2>
-            @if (!string.IsNullOrWhiteSpace(@Model.AuthRequest.Client.LogoUri))
+            <h2 class="text-center flex-grow-1 m-3">Authorize @*@Model.AuthRequest.Client.ClientName*@</h2>
+            @*@if (!string.IsNullOrWhiteSpace(@Model.AuthRequest.Client.LogoUri))
             {
                 <img class="rounded" height="48" src="@Model.AuthRequest.Client.LogoUri" alt="@Model.AuthRequest.Client.ClientName"/>
-            }
-        </div>  
+            }*@
+        </div>
     </div>
     <div class="row consent-wrap">
         <div class="col consent-contents">
             <div class="row mb-3">
                 <div class="col">
-                    <strong>@Model.AuthRequest.Client.ClientName</strong>
+                    @*<strong>@Model.AuthRequest.Client.ClientName</strong>*@
                     @if (Model.UserClient != null)
                     {
                         <span>
@@ -50,21 +50,21 @@
             </div>
             @{
                 // openid and profile are not worth showing.
-                var identityResources = Model.AuthRequest.ValidatedResources.Resources.IdentityResources
+                @*var identityResources = Model.AuthRequest.ValidatedResources.Resources.IdentityResources
                     .Where(c => c.Name != "openid" && c.Name != "profile")
-                    .ToArray();
+                    .ToArray();*@
             }
             <div class="row mb-3">
                 <div class="col">
                     <strong>Requested Account Information</strong>
                     <ul class="pl-3">
                         <li>Name and user ID</li>
-                        @foreach (var resource in identityResources)
+                        @*@foreach (var resource in identityResources)
                         {
                             <li>
                                 @resource.DisplayName
                             </li>
-                        }
+                        }*@
                     </ul>
                 </div>
             </div>
@@ -81,4 +81,4 @@
     </div>
 </form>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index da4559e..125d4b0 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -1,25 +1,21 @@
-using System.Linq;
-using System.Threading.Tasks;
-using IdentityServer4.Models;
-using IdentityServer4.Services;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
 using SS14.Auth.Shared.Data;
 
 namespace SS14.Web.Areas.Identity.Pages.Account;
-
+// TODO: Replace identityserver4 code in this file
 public sealed class Consent : PageModel
 {
-    private readonly IIdentityServerInteractionService _interaction;
+    //private readonly IIdentityServerInteractionService _interaction;
     private readonly ApplicationDbContext _dbContext;
     private readonly ILogger<Consent> _logger;
 
-    public AuthorizationRequest AuthRequest { get; private set; }
+    //public AuthorizationRequest AuthRequest { get; private set; }
     public UserOAuthClient UserClient { get; private set; }
     public string ReturnUrl { get; set; }
-    
+
     [BindProperty] public InputModel Input { get; set; }
 
     [ValidateAntiForgeryToken]
@@ -28,32 +24,33 @@ public sealed class InputModel
         public string ReturnUrl { get; set; }
         public string Button { get; set; }
     }
-    
-    public Consent(IIdentityServerInteractionService interaction, ApplicationDbContext dbContext, ILogger<Consent> logger)
+
+    public Consent(/*IIdentityServerInteractionService interaction,*/ ApplicationDbContext dbContext, ILogger<Consent> logger)
     {
-        _interaction = interaction;
+        //_interaction = interaction;
         _dbContext = dbContext;
         _logger = logger;
     }
-    
+
     public async Task<IActionResult> OnGetAsync(string returnUrl)
     {
         ReturnUrl = returnUrl;
-        AuthRequest = await _interaction.GetAuthorizationContextAsync(returnUrl);
+        //AuthRequest = await _interaction.GetAuthorizationContextAsync(returnUrl);
 
         // Can be null if managed by hub admins.
         // Though I doubt we'll ever have consent pages for those.
-        UserClient = await _dbContext.UserOAuthClients
+        UserClient = null;/*await _dbContext.UserOAuthClients
             .Include(oauth => oauth.Client)
             .Include(oauth => oauth.SpaceUser)
             .SingleOrDefaultAsync(oauth => oauth.Client.ClientId == AuthRequest.Client.ClientId);
-
+*/
         return Page();
     }
 
     public async Task<IActionResult> OnPostAsync()
     {
-        var request = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl);
+        return NotFound();
+        /*var request = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl);
         if (request == null)
             return RedirectToAction("Error", "Home");
 
@@ -78,6 +75,6 @@ public async Task<IActionResult> OnPostAsync()
 
         await _interaction.GrantConsentAsync(request, response);
 
-        return Redirect(Input.ReturnUrl);
+        return Redirect(Input.ReturnUrl);*/
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
index 2d4b3d1..9441661 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
@@ -20,6 +20,7 @@
 <div class="list-group-flush">
     @foreach (var app in Model.OAuthClients)
     {
-        <a asp-page="./OAuthApps/Manage" asp-route-client="@app.UserOAuthClientId" class="list-group-item">@app.Client.ClientName</a>
+        @* TODO: Replace identityserver4 code in this file *@
+        @*<a asp-page="./OAuthApps/Manage" asp-route-client="@app.UserOAuthClientId" class="list-group-item">@app.Client.ClientName</a>*@
     }
 </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
index eb79a93..954785e 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
@@ -25,9 +25,9 @@ public async Task OnGetAsync()
     {
         var user = await _userManager.GetUserAsync(User);
 
-        OAuthClients = await _dbContext.UserOAuthClients
+        /*OAuthClients = await _dbContext.UserOAuthClients
             .Include(oa => oa.Client)
             .Where(oa => oa.SpaceUser == user)
-            .ToListAsync();
+            .ToListAsync();*/
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml
index d074d0b..f5e25ca 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml
@@ -3,7 +3,9 @@
 
 @{
     Layout = "/Views/Shared/_Layout.cshtml";
-    ViewData["Title"] = $"Delete OAuth app {Model.App.Client.ClientName}?";
+    // TODO: Replace identityserver4 code in this file
+
+    //ViewData["Title"] = $"Delete OAuth app {Model.App.Client.ClientName}?";
 }
 
 <div class="container">
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
index 26761b1..144d318 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
@@ -7,6 +7,8 @@
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
 
+// TODO: Replace identityserver4 code in this file
+
 public class ConfirmDelete : PageModel
 {
     private readonly ApplicationDbContext _dbContext;
@@ -23,8 +25,8 @@ public ConfirmDelete(ApplicationDbContext dbContext, UserManager<SpaceUser> user
     public async Task<IActionResult> OnGetAsync(int client)
     {
         var user = await _userManager.GetUserAsync(User);
-        App = await _dbContext.UserOAuthClients.Include(a => a.Client)
-            .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
+        //App = await _dbContext.UserOAuthClients.Include(a => a.Client)
+        //    .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
 
         if (App == null)
             return NotFound();
@@ -38,8 +40,8 @@ public async Task<IActionResult> OnGetAsync(int client)
     public async Task<IActionResult> OnPostDeleteAsync(int client)
     {
         var user = await _userManager.GetUserAsync(User);
-        App = await _dbContext.UserOAuthClients.Include(a => a.Client)
-            .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
+        //App = await _dbContext.UserOAuthClients.Include(a => a.Client)
+        //    .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
 
         if (App == null)
             return NotFound();
@@ -47,10 +49,10 @@ public async Task<IActionResult> OnPostDeleteAsync(int client)
         if (!Manage.VerifyAppAccess(user, App))
             return Forbid();
 
-        _dbContext.Remove(App.Client);
-        
+       // _dbContext.Remove(App.Client);
+
         await _dbContext.SaveChangesAsync();
-        
+
         return RedirectToPage("../Developer");
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
index ada6ff1..1d0198a 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
@@ -1,9 +1,6 @@
-using System;
-using System.Collections.Generic;
-using System.ComponentModel;
+using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
-using IdentityServer4.EntityFramework.Entities;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
@@ -47,8 +44,9 @@ public void OnGet()
     public async Task<IActionResult> OnPostAsync()
     {
         var user = await _userManager.GetUserAsync(User);
+        // TODO: Replace identityserver4 code in this file
 
-        var client = new Client
+        /*var client = new Client
         {
             ClientName = Input.Name,
             ClientId = Guid.NewGuid().ToString(),
@@ -82,6 +80,7 @@ public async Task<IActionResult> OnPostAsync()
 
         await _dbContext.SaveChangesAsync();
 
-        return RedirectToPage("Manage", new { client = userClient.UserOAuthClientId });
+        return RedirectToPage("Manage", new { client = userClient.UserOAuthClientId });*/
+        return NotFound();
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index 11cdf3b..a7e0191 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -2,9 +2,11 @@
 @using SS14.Auth.Shared
 @model SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps.Manage
 
+@* TODO: Replace identityserver4 code in this file *@
+
 @{
     Layout = "/Views/Shared/_Layout.cshtml";
-    ViewData["Title"] = $"Manage OAuth app {Model.App.Client.ClientName}";
+    //ViewData["Title"] = $"Manage OAuth app {Model.App.Client.ClientName}";
 }
 
 <div class="container">
@@ -16,7 +18,7 @@
     </div>
     <div class="row mb-3">
         <div class="col">
-            <strong>Client ID:</strong> <span class="text-monospace">@Model.App.Client.ClientId</span><br/>
+            <strong>Client ID:</strong> <span class="text-monospace">@*@Model.App.Client.ClientId*@</span><br/>
             Only Authorization Code flow is accepted<br/>
             Available scopes are: <span class="text-monospace">openid</span>, <span class="text-monospace">profile</span>, <span class="text-monospace">email</span><br/>
             SS14 implements OpenID Connect via IdentityServer4. See <a class="text-monospace" href="@Url.Content("~/.well-known/openid-configuration")">.well-known/openid-configuration</a> for config and endpoints.
@@ -67,7 +69,7 @@
             <div class="row">
                 <div class="col">
                     <div class="list-group">
-                        @foreach (var secret in Model.App.Client.ClientSecrets.OrderByDescending(a => a.Created))
+                        @*@foreach (var secret in Model.App.Client.ClientSecrets.OrderByDescending(a => a.Created))
                         {
                             var show = Model.ShowSecret == secret.Id;
                             if (secret.Type != "SharedSecret")
@@ -87,7 +89,7 @@
                                     </button>
                                 </form>
                             </div>
-                        }
+                        }*@
                     </div>
                 </div>
             </div>
@@ -107,4 +109,4 @@
 
 @section Scripts {
     <partial name="_ValidationScriptsPartial"/>
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index a7c252f..fd25c85 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -2,11 +2,8 @@
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
-using System.Linq;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
-using IdentityServer4.EntityFramework.Entities;
-using IdentityServer4.Models;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
@@ -15,6 +12,8 @@
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
 
+// TODO: Replace identityserver4 code in this file
+
 public class Manage : PageModel
 {
     private readonly ApplicationDbContext _dbContext;
@@ -44,7 +43,7 @@ public sealed class InputModel
         [Required]
         [DisplayName("Require PKCE")]
         public bool RequirePkce { get; set; }
-        
+
         [Required]
         [DisplayName("Allow PS256 signing")]
         public bool AllowPS256 { get; set; } = true;
@@ -63,11 +62,11 @@ public async Task<IActionResult> OnGetAsync(int client)
 
         Input = new InputModel
         {
-            Name = App.Client.ClientName,
-            CallbackUrl = App.Client.RedirectUris.FirstOrDefault()?.RedirectUri ?? "",
-            HomepageUrl = App.Client.ClientUri,
-            RequirePkce = App.Client.RequirePkce,
-            AllowPS256 = App.Client.AllowedIdentityTokenSigningAlgorithms?.Contains("PS256") ?? false
+            //Name = App.Client.ClientName,
+            //CallbackUrl = App.Client.RedirectUris.FirstOrDefault()?.RedirectUri ?? "",
+            //HomepageUrl = App.Client.ClientUri,
+            //RequirePkce = App.Client.RequirePkce,
+            //AllowPS256 = App.Client.AllowedIdentityTokenSigningAlgorithms?.Contains("PS256") ?? false
         };
 
         return Page();
@@ -78,11 +77,11 @@ public async Task<IActionResult> OnPostUpdateAsync(int client)
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
-        App.Client.ClientName = Input.Name;
-        App.Client.RedirectUris = new List<ClientRedirectUri> { new() { RedirectUri = Input.CallbackUrl } };
-        App.Client.ClientUri = Input.HomepageUrl;
-        App.Client.RequirePkce = Input.RequirePkce;
-        App.Client.AllowedIdentityTokenSigningAlgorithms = Input.AllowPS256 ? "PS256" : null;
+        //App.Client.ClientName = Input.Name;
+        //App.Client.RedirectUris = new List<ClientRedirectUri> { new() { RedirectUri = Input.CallbackUrl } };
+        //App.Client.ClientUri = Input.HomepageUrl;
+        //App.Client.RequirePkce = Input.RequirePkce;
+        //App.Client.AllowedIdentityTokenSigningAlgorithms = Input.AllowPS256 ? "PS256" : null;
 
         await _dbContext.SaveChangesAsync();
 
@@ -95,39 +94,39 @@ public async Task<IActionResult> OnPostCreateSecretAsync(int client)
             return err;
 
         var secretVal = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36));
-        
-        var secret = new ClientSecret
+
+        /*var secret = new ClientSecret
         {
             Created = DateTime.UtcNow,
             Type = "SharedSecret",
             Description = $"*****{secretVal[^6..]}",
             Value = secretVal.Sha256()
-        };
-        
-        App.Client.ClientSecrets ??= new List<ClientSecret>();
-        App.Client.ClientSecrets.Add(secret);
+        };*/
+
+        //App.Client.ClientSecrets ??= new List<ClientSecret>();
+        //App.Client.ClientSecrets.Add(secret);
 
         await _dbContext.SaveChangesAsync();
 
-        ShowSecret = secret.Id;
+        //ShowSecret = secret.Id;
         ShowSecretValue = secretVal;
-        
+
         return RedirectToPage(new { client });
     }
-    
+
     public async Task<IActionResult> OnPostDeleteSecretAsync(int client, int secret)
     {
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
-        var dbSecret = App.Client.ClientSecrets.Find(p => p.Id == secret);
-        if (dbSecret == null)
-            return NotFound("Secret not found");
+        //var dbSecret = App.Client.ClientSecrets.Find(p => p.Id == secret);
+        //if (dbSecret == null)
+        //    return NotFound("Secret not found");
 
-        _dbContext.ClientSecrets.Remove(dbSecret);
+        //_dbContext.ClientSecrets.Remove(dbSecret);
 
         await _dbContext.SaveChangesAsync();
-        
+
         return RedirectToPage(new {id = client});
     }
 
@@ -135,12 +134,12 @@ public async Task<IActionResult> OnPostDeleteSecretAsync(int client, int secret)
     private async Task<IActionResult> GetAppAndVerifyAccess(int client)
     {
         var user = await _userManager.GetUserAsync(User);
-        App = await _dbContext.UserOAuthClients
-            .Include(c => c.Client)
-            .ThenInclude(c => c.RedirectUris)
-            .Include(c => c.Client)
-            .ThenInclude(c => c.ClientSecrets)
-            .SingleOrDefaultAsync(oa => oa.UserOAuthClientId == client);
+        //App = await _dbContext.UserOAuthClients
+        //    .Include(c => c.Client)
+        //    .ThenInclude(c => c.RedirectUris)
+        //    .Include(c => c.Client)
+        //    .ThenInclude(c => c.ClientSecrets)
+        //    .SingleOrDefaultAsync(oa => oa.UserOAuthClientId == client);
 
         if (App == null)
             return NotFound();
@@ -157,4 +156,4 @@ public static bool VerifyAppAccess(
     {
         return user == userClient.SpaceUser;
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/PersonalDataCollector.cs b/SS14.Web/PersonalDataCollector.cs
index 21d35ca..52067d8 100644
--- a/SS14.Web/PersonalDataCollector.cs
+++ b/SS14.Web/PersonalDataCollector.cs
@@ -171,9 +171,11 @@ private async Task CollectUserOAuthClients(ZipArchive zip, SpaceUser user, Cance
 
     private async Task CollectIS4PersistedGrants(ZipArchive zip, SpaceUser user, CancellationToken cancel)
     {
-        var grants = await dbContext.PersistedGrants.Where(x => x.SubjectId == user.Id.ToString()).ToListAsync(cancel);
+        // TODO: Replace identityserver4 code in this file
 
-        SerializeToFile(zip, "IS4.PersistedGrants.json", grants);
+        //var grants = await dbContext.PersistedGrants.Where(x => x.SubjectId == user.Id.ToString()).ToListAsync(cancel);
+
+        //SerializeToFile(zip, "IS4.PersistedGrants.json", grants);
     }
 
     private async Task CollectHwidUsers(ZipArchive zip, SpaceUser user, CancellationToken cancel)
diff --git a/SS14.Web/Startup.cs b/SS14.Web/Startup.cs
index 270f92d..0548a43 100644
--- a/SS14.Web/Startup.cs
+++ b/SS14.Web/Startup.cs
@@ -2,8 +2,6 @@
 using System.IO;
 using System.Net;
 using System.Security.Cryptography;
-using IdentityServer4;
-using IdentityServer4.Models;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.HttpOverrides;
@@ -126,8 +124,8 @@ public void ConfigureServices(IServiceCollection services)
                 });
         }
 
-
-        var builder = services.AddIdentityServer(options =>
+        //TODO: Replace identityserver4 code in this file
+        /*var builder = services.AddIdentityServer(options =>
             {
                 options.UserInteraction.ConsentUrl = "/Identity/Account/Consent";
             })
@@ -139,7 +137,7 @@ public void ConfigureServices(IServiceCollection services)
                 new IdentityResources.OpenId(),
                 new IdentityResources.Profile(),
                 new IdentityResources.Email(),
-            });
+            });*/
 
         var keyPath = Configuration.GetValue<string>("Is4SigningKeyPath");
         if (keyPath == null)
@@ -147,7 +145,7 @@ public void ConfigureServices(IServiceCollection services)
             if (Environment.IsDevelopment())
             {
                 Log.Debug("Using developer signing credentials");
-                builder.AddDeveloperSigningCredential();
+                //builder.AddDeveloperSigningCredential();
             }
             else
             {
@@ -160,9 +158,9 @@ public void ConfigureServices(IServiceCollection services)
             var key = ECDsa.Create();
             key.ImportFromPem(keyPem);
 
-            builder.AddSigningCredential(
-                new ECDsaSecurityKey(key),
-                IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
+            //builder.AddSigningCredential(
+            //    new ECDsaSecurityKey(key),
+            //    IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
         }
 
         var keyPathRsa = Configuration.GetValue<string>("Is4SigningKeyPathRsa");
@@ -172,12 +170,12 @@ public void ConfigureServices(IServiceCollection services)
             var key = RSA.Create();
             key.ImportFromPem(keyPem);
 
-            builder.AddSigningCredential(
-                new RsaSecurityKey(key),
-                IdentityServerConstants.RsaSigningAlgorithm.PS256);
-            builder.AddSigningCredential(
-                new RsaSecurityKey(key),
-                IdentityServerConstants.RsaSigningAlgorithm.RS256);
+            //builder.AddSigningCredential(
+            //    new RsaSecurityKey(key),
+            //    IdentityServerConstants.RsaSigningAlgorithm.PS256);
+            //builder.AddSigningCredential(
+            //    new RsaSecurityKey(key),
+            //    IdentityServerConstants.RsaSigningAlgorithm.RS256);
         }
 
         services.AddScoped<PersonalDataCollector>();
@@ -234,6 +232,6 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             endpoints.MapMetrics();
         });
 
-        app.UseIdentityServer();
+        //app.UseIdentityServer();
     }
 }

From bc2cd244528208ccd70fd973280401ac9a549d75 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 10 Aug 2025 23:08:27 +0200
Subject: [PATCH 03/43] Upgrade to .net9 Upgrade nuget packages Fix npgsql
 errors from upgrade Note: (IpAddress, int) is now NpgsqlCidr

---
 OAuthTest/OAuthTest.csproj                    |  4 +--
 SS14.Auth.Shared/SS14.Auth.Shared.csproj      | 32 +++++++++----------
 SS14.Auth/SS14.Auth.csproj                    | 12 +++----
 SS14.ServerHub.Shared/CommunityMatcher.cs     |  7 ++--
 SS14.ServerHub.Shared/Data/HubDbContext.cs    |  6 ++--
 .../Data/NpgsqlTypeMapping.cs                 |  7 ++--
 .../Data/TrackedCommunityAddress.cs           |  9 +++---
 SS14.ServerHub.Shared/Helpers/IPHelper.cs     | 19 ++++++-----
 .../SS14.ServerHub.Shared.csproj              | 18 +++++------
 SS14.ServerHub/SS14.ServerHub.csproj          | 12 +++----
 SS14.Web.Tests/SS14.Web.Tests.csproj          | 15 +++++----
 SS14.Web/SS14.Web.csproj                      | 18 +++++------
 .../SS14.WebEverythingShared.csproj           |  2 +-
 13 files changed, 85 insertions(+), 76 deletions(-)

diff --git a/OAuthTest/OAuthTest.csproj b/OAuthTest/OAuthTest.csproj
index c606b82..afc0775 100644
--- a/OAuthTest/OAuthTest.csproj
+++ b/OAuthTest/OAuthTest.csproj
@@ -1,10 +1,10 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net7.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.0.1" />
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.8" />
     </ItemGroup>
 </Project>
diff --git a/SS14.Auth.Shared/SS14.Auth.Shared.csproj b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
index 5fe2e54..7abe58f 100644
--- a/SS14.Auth.Shared/SS14.Auth.Shared.csproj
+++ b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
@@ -1,32 +1,32 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net6.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
         <OutputType>Library</OutputType>
         <LangVersion>12</LangVersion>
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="JetBrains.Annotations" Version="2021.3.0" />
-        <PackageReference Include="MailKit" Version="3.0.0" />
-        <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="6.0.1" />
-        <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="6.0.1" />
-        <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="6.0.1" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="6.0.1">
+        <PackageReference Include="JetBrains.Annotations" Version="2025.2.0" />
+        <PackageReference Include="MailKit" Version="4.13.0" />
+        <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="9.0.8" />
+        <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="9.0.8" />
+        <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="9.0.8" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.8">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.4.0" />
-        <PackageReference Include="MimeKit" Version="3.0.0" />
-        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="6.0.2" />
+        <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.13.1" />
+        <PackageReference Include="MimeKit" Version="4.13.0" />
+        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
         <PackageReference Include="Robust.Shared.AuthLib" Version="0.1.2" />
-        <PackageReference Include="Serilog" Version="2.10.0" />
-        <PackageReference Include="Serilog.AspNetCore" Version="4.1.0" />
-        <PackageReference Include="Serilog.Settings.Configuration" Version="3.3.0" />
-        <PackageReference Include="Serilog.Sinks.Console" Version="4.0.1" />
+        <PackageReference Include="Serilog" Version="4.3.0" />
+        <PackageReference Include="Serilog.AspNetCore" Version="9.0.0" />
+        <PackageReference Include="Serilog.Settings.Configuration" Version="9.0.0" />
+        <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
         <PackageReference Include="Serilog.Sinks.Loki" Version="3.0.1-beta1" />
-        <PackageReference Include="Dapper" Version="2.0.123" />
-        <PackageReference Include="Microsoft.Data.Sqlite" Version="6.0.3" />
+        <PackageReference Include="Dapper" Version="2.1.66" />
+        <PackageReference Include="Microsoft.Data.Sqlite" Version="9.0.8" />
     </ItemGroup>
 
     <ItemGroup>
diff --git a/SS14.Auth/SS14.Auth.csproj b/SS14.Auth/SS14.Auth.csproj
index cd1b760..bf0b50c 100644
--- a/SS14.Auth/SS14.Auth.csproj
+++ b/SS14.Auth/SS14.Auth.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net8.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
         <Nullable>enable</Nullable>
     </PropertyGroup>
 
@@ -10,13 +10,13 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="8.0.0" />
-        <PackageReference Include="NetEscapades.Configuration.Yaml" Version="2.1.0" />
+        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
+        <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
         <PackageReference Include="prometheus-net" Version="8.2.1" />
         <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
-        <PackageReference Include="Quartz" Version="3.9.0" />
-        <PackageReference Include="Quartz.Extensions.DependencyInjection" Version="3.9.0" />
-        <PackageReference Include="Quartz.Extensions.Hosting" Version="3.9.0" />
+        <PackageReference Include="Quartz" Version="3.15.0" />
+        <PackageReference Include="Quartz.Extensions.DependencyInjection" Version="3.15.0" />
+        <PackageReference Include="Quartz.Extensions.Hosting" Version="3.15.0" />
     </ItemGroup>
 
 
diff --git a/SS14.ServerHub.Shared/CommunityMatcher.cs b/SS14.ServerHub.Shared/CommunityMatcher.cs
index 7197081..d9b13b7 100644
--- a/SS14.ServerHub.Shared/CommunityMatcher.cs
+++ b/SS14.ServerHub.Shared/CommunityMatcher.cs
@@ -2,6 +2,7 @@
 using System.Net.Sockets;
 using DnsClient;
 using Microsoft.EntityFrameworkCore;
+using NpgsqlTypes;
 using SS14.ServerHub.Shared.Data;
 
 namespace SS14.ServerHub.Shared;
@@ -16,7 +17,7 @@ public static IQueryable<TrackedCommunityAddress> CheckIP(HubDbContext dbContext
         return dbContext.TrackedCommunityAddress
             .Where(c => EF.Functions.ContainsOrEqual(c.Address, address));
     }
-    
+
     public static IQueryable<TrackedCommunityDomain> CheckDomain(HubDbContext dbContext, string domain)
     {
         return dbContext.TrackedCommunityDomain
@@ -158,7 +159,7 @@ public sealed class FailedResolveException : Exception
     {
         public FailedResolveException(string message, Exception e) : base(message, e)
         {
-            
+
         }
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.ServerHub.Shared/Data/HubDbContext.cs b/SS14.ServerHub.Shared/Data/HubDbContext.cs
index 89cfe75..ec42551 100644
--- a/SS14.ServerHub.Shared/Data/HubDbContext.cs
+++ b/SS14.ServerHub.Shared/Data/HubDbContext.cs
@@ -12,8 +12,8 @@ public HubDbContext(DbContextOptions<HubDbContext> options) : base(options)
     protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
     {
         base.OnConfiguring(optionsBuilder);
-            
-        optionsBuilder.ReplaceService<IRelationalTypeMappingSource, CustomNpgsqlTypeMappingSource>();
+
+        //optionsBuilder.ReplaceService<IRelationalTypeMappingSource, CustomNpgsqlTypeMappingSource>();
     }
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
@@ -51,4 +51,4 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
     public DbSet<ServerStatusArchive> ServerStatusArchive { get; set; } = default!;
     public DbSet<UniqueServerName> UniqueServerName { get; set; } = default!;
     public DbSet<HubAudit> HubAudit { get; set; } = default!;
-}
\ No newline at end of file
+}
diff --git a/SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs b/SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs
index 8b86586..82012d9 100644
--- a/SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs
+++ b/SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs
@@ -9,7 +9,7 @@
 namespace SS14.ServerHub.Shared.Data;
 
 #pragma warning disable EF1001
-
+/*
 // Taken from https://github.com/npgsql/efcore.pg/issues/1158
 // To support inet -> (IPAddress, int) mapping.
 public class CustomNpgsqlTypeMappingSource : NpgsqlTypeMappingSource
@@ -18,7 +18,7 @@ public CustomNpgsqlTypeMappingSource(
         TypeMappingSourceDependencies dependencies,
         RelationalTypeMappingSourceDependencies relationalDependencies,
         ISqlGenerationHelper sqlGenerationHelper,
-        INpgsqlOptions? npgsqlOptions = null)
+        INpgsqlSingletonOptions? npgsqlOptions = null)
         : base(dependencies, relationalDependencies, sqlGenerationHelper, npgsqlOptions)
     {
         StoreTypeMappings["inet"] =
@@ -64,4 +64,5 @@ public override Expression GenerateCodeLiteral(object value)
 
     static readonly ConstructorInfo Constructor =
         typeof((IPAddress, int)).GetConstructor(new[] { typeof(IPAddress), typeof(int) })!;
-}
\ No newline at end of file
+}
+*/
diff --git a/SS14.ServerHub.Shared/Data/TrackedCommunityAddress.cs b/SS14.ServerHub.Shared/Data/TrackedCommunityAddress.cs
index 4fb7cf4..4ee0478 100644
--- a/SS14.ServerHub.Shared/Data/TrackedCommunityAddress.cs
+++ b/SS14.ServerHub.Shared/Data/TrackedCommunityAddress.cs
@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations.Schema;
 using System.Net;
+using NpgsqlTypes;
 
 namespace SS14.ServerHub.Shared.Data;
 
@@ -12,18 +13,18 @@ public class TrackedCommunityAddress
     /// The ID of this entity in the database.
     /// </summary>
     public int Id { get; set; }
-    
+
     /// <summary>
     /// The address range in question.
     /// </summary>
     [Column(TypeName = "inet")]
-    public (IPAddress, int) Address { get; set; }
+    public NpgsqlCidr Address { get; set; }
 
     /// <summary>
     /// The ID of the <see cref="TrackedCommunity"/> this address belongs to.
     /// </summary>
     public int TrackedCommunityId { get; set; }
-    
+
     // Navigation properties
     public TrackedCommunity TrackedCommunity { get; set; } = default!;
-}
\ No newline at end of file
+}
diff --git a/SS14.ServerHub.Shared/Helpers/IPHelper.cs b/SS14.ServerHub.Shared/Helpers/IPHelper.cs
index a0909ae..3e16604 100644
--- a/SS14.ServerHub.Shared/Helpers/IPHelper.cs
+++ b/SS14.ServerHub.Shared/Helpers/IPHelper.cs
@@ -1,5 +1,6 @@
 using System.Net;
 using System.Net.Sockets;
+using NpgsqlTypes;
 
 namespace SS14.ServerHub.Shared.Helpers;
 
@@ -8,15 +9,15 @@ namespace SS14.ServerHub.Shared.Helpers;
 /// </summary>
 public static class IPHelper
 {
-    public static bool TryParseIpOrCidr(string str, out (IPAddress, int) cidr)
+    public static bool TryParseIpOrCidr(string str, out NpgsqlCidr cidr)
     {
         if (IPAddress.TryParse(str, out var addr))
         {
-            cidr = (addr, addr.AddressFamily switch
+            cidr = new NpgsqlCidr(addr, addr.AddressFamily switch
             {
                 AddressFamily.InterNetwork => 32,
                 AddressFamily.InterNetworkV6 => 128,
-                _ => throw new ArgumentException(nameof(str))
+                _ => throw new ArgumentException(null, nameof(str)),
             });
             return true;
         }
@@ -24,7 +25,7 @@ public static bool TryParseIpOrCidr(string str, out (IPAddress, int) cidr)
         return TryParseCidr(str, out cidr);
     }
 
-    public static bool TryParseCidr(string str, out (IPAddress, int) cidr)
+    public static bool TryParseCidr(string str, out NpgsqlCidr cidr)
     {
         cidr = default;
 
@@ -32,19 +33,21 @@ public static bool TryParseCidr(string str, out (IPAddress, int) cidr)
         if (split.Length != 2)
             return false;
 
-        if (!IPAddress.TryParse(split[0], out cidr.Item1!))
+        if (!IPAddress.TryParse(split[0], out var address))
             return false;
 
-        if (!int.TryParse(split[1], out cidr.Item2))
+        if (!byte.TryParse(split[1], out var mask))
             return false;
 
+        cidr = new NpgsqlCidr(address, mask);
+
         return true;
     }
 
-    public static string FormatCidr(this (IPAddress, int) cidr)
+    public static string FormatCidr(this NpgsqlCidr cidr)
     {
         var (addr, range) = cidr;
 
         return $"{addr}/{range}";
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj b/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
index b28561a..02f4f5d 100644
--- a/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
+++ b/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
@@ -1,25 +1,25 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net6.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
         <ImplicitUsings>enable</ImplicitUsings>
         <Nullable>enable</Nullable>
         <OutputType>Library</OutputType>
         <LangVersion>11</LangVersion>
-        
+
     </PropertyGroup>
-    
+
     <ItemGroup>
-        <PackageReference Include="JetBrains.Annotations" Version="2021.3.0" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="6.0.1" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="6.0.1">
+        <PackageReference Include="JetBrains.Annotations" Version="2025.2.0" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.8" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.8">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="6.0.2" />
-        <PackageReference Include="DnsClient" Version="1.7.0" />
+        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
+        <PackageReference Include="DnsClient" Version="1.8.0" />
     </ItemGroup>
-    
+
     <ItemGroup>
       <ProjectReference Include="..\SS14.WebEverythingShared\SS14.WebEverythingShared.csproj" />
     </ItemGroup>
diff --git a/SS14.ServerHub/SS14.ServerHub.csproj b/SS14.ServerHub/SS14.ServerHub.csproj
index e8696c7..e09f77a 100644
--- a/SS14.ServerHub/SS14.ServerHub.csproj
+++ b/SS14.ServerHub/SS14.ServerHub.csproj
@@ -1,19 +1,19 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net8.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
         <Nullable>enable</Nullable>
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="6.0.1" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="6.0.1">
+        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.8" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.8">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="8.0.0" />
-        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="6.0.2" />
-        <PackageReference Include="NetEscapades.Configuration.Yaml" Version="2.1.0" />
+        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
+        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
+        <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
         <PackageReference Include="prometheus-net" Version="8.2.1" />
         <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
     </ItemGroup>
diff --git a/SS14.Web.Tests/SS14.Web.Tests.csproj b/SS14.Web.Tests/SS14.Web.Tests.csproj
index 3f97dfd..97b7389 100644
--- a/SS14.Web.Tests/SS14.Web.Tests.csproj
+++ b/SS14.Web.Tests/SS14.Web.Tests.csproj
@@ -1,20 +1,23 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
     <PropertyGroup>
-        <TargetFramework>net8.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
 
         <IsPackable>false</IsPackable>
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.0.0" />
-        <PackageReference Include="NUnit" Version="3.13.2" />
-        <PackageReference Include="NUnit3TestAdapter" Version="4.2.0" />
-        <PackageReference Include="coverlet.collector" Version="3.1.0">
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
+        <PackageReference Include="NUnit" Version="4.4.0" />
+        <PackageReference Include="NUnit3TestAdapter" Version="5.1.0" />
+        <PackageReference Include="coverlet.collector" Version="6.0.4">
+          <PrivateAssets>all</PrivateAssets>
+          <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+        <PackageReference Include="NUnit.Analyzers" Version="4.10.0">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="NUnit.Analyzers" Version="3.3.0" />
     </ItemGroup>
 
     <ItemGroup>
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 8e9acc8..8f53ddc 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -1,24 +1,24 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net6.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
         <LangVersion>12</LangVersion>
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="AspNet.Security.OAuth.Patreon" Version="6.0.2" />
-        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="6.0.0" />
-        <PackageReference Include="NetEscapades.Configuration.Yaml" Version="2.1.0" />
-        <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="6.0.1" Condition="'$(Configuration)' == 'Debug'" />
-        <PackageReference Include="prometheus-net" Version="7.0.0" />
-        <PackageReference Include="prometheus-net.AspNetCore" Version="7.0.0" />
+        <PackageReference Include="AspNet.Security.OAuth.Patreon" Version="9.4.0" />
+        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
+        <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
+        <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" Condition="'$(Configuration)' == 'Debug'" />
+        <PackageReference Include="prometheus-net" Version="8.2.1" />
+        <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
     </ItemGroup>
-    
+
     <ItemGroup>
       <ProjectReference Include="..\SS14.Auth.Shared\SS14.Auth.Shared.csproj" />
       <ProjectReference Include="..\SS14.ServerHub.Shared\SS14.ServerHub.Shared.csproj" />
     </ItemGroup>
-    
+
     <ItemGroup>
       <_ContentIncludedByDefault Remove="Areas\Admin\Pages\Servers\BannedAddresses\Index.cshtml" />
     </ItemGroup>
diff --git a/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj b/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj
index 57b0055..79c0aaf 100644
--- a/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj
+++ b/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net6.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
         <ImplicitUsings>enable</ImplicitUsings>
         <Nullable>enable</Nullable>
         <LangVersion>12</LangVersion>

From 153928111b314db0b94655c205d477861ce9fda6 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 10 Aug 2025 23:53:35 +0200
Subject: [PATCH 04/43] Refactor SS14.Web startup to program.cs

---
 SS14.Auth.Shared/StartupHelpers.cs      |  12 +-
 SS14.Web/Extensions/OpenIdExtension.cs  |  61 ++++++
 SS14.Web/Extensions/PatreonExtension.cs |  43 +++++
 SS14.Web/Program.cs                     | 155 ++++++++++++----
 SS14.Web/Startup.cs                     | 237 ------------------------
 5 files changed, 230 insertions(+), 278 deletions(-)
 create mode 100644 SS14.Web/Extensions/OpenIdExtension.cs
 create mode 100644 SS14.Web/Extensions/PatreonExtension.cs
 delete mode 100644 SS14.Web/Startup.cs

diff --git a/SS14.Auth.Shared/StartupHelpers.cs b/SS14.Auth.Shared/StartupHelpers.cs
index b8594bc..a5eb577 100644
--- a/SS14.Auth.Shared/StartupHelpers.cs
+++ b/SS14.Auth.Shared/StartupHelpers.cs
@@ -1,6 +1,7 @@
 using System;
 using System.IO;
 using System.Security.Cryptography;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
@@ -21,6 +22,11 @@ namespace SS14.Auth.Shared;
 
 public static class StartupHelpers
 {
+    public static void AddShared(this WebApplicationBuilder builder)
+    {
+        AddShared(builder.Services, builder.Configuration);
+    }
+
     public static void AddShared(IServiceCollection services, IConfiguration config)
     {
         // Configure.
@@ -34,7 +40,7 @@ public static void AddShared(IServiceCollection services, IConfiguration config)
             // The fact that this isn't default absolutely baffles me.
             options.ValidationInterval = TimeSpan.FromSeconds(5);
         });
-            
+
         services.AddDbContext<ApplicationDbContext>(options =>
             options.UseNpgsql(
                 config.GetConnectionString("DefaultConnection")));
@@ -86,7 +92,7 @@ public static void AddShared(IServiceCollection services, IConfiguration config)
 
         services.AddTransient<MutexDatabase>();
     }
-        
+
     public static void SetupLoki(LoggerConfiguration log, IConfiguration cfg, string appName)
     {
         var dat = cfg.GetSection("Serilog:Loki").Get<LokiConfigurationData>();
@@ -123,4 +129,4 @@ private sealed class LokiConfigurationData
         public string Username { get; set; }
         public string Password { get; set; }
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/Extensions/OpenIdExtension.cs
new file mode 100644
index 0000000..19dee74
--- /dev/null
+++ b/SS14.Web/Extensions/OpenIdExtension.cs
@@ -0,0 +1,61 @@
+using System;
+using System.Configuration;
+using System.IO;
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Hosting;
+using Serilog;
+
+namespace SS14.Web.Extensions;
+
+public static class OpenIdExtension
+{
+    public static void AddOpenIdConnect(this WebApplicationBuilder builder)
+    {
+        var keyPath = builder.Configuration.GetValue<string>("Is4SigningKeyPath");
+        if (keyPath == null)
+        {
+            if (builder.Environment.IsDevelopment())
+            {
+                Log.Debug("Using developer signing credentials");
+                //builder.AddDeveloperSigningCredential();
+            }
+            else
+            {
+                throw new Exception("No key specified for IS4!");
+            }
+        }
+        else
+        {
+            var keyPem = File.ReadAllText(keyPath);
+            var key = ECDsa.Create();
+            key.ImportFromPem(keyPem);
+
+            //builder.AddSigningCredential(
+            //    new ECDsaSecurityKey(key),
+            //    IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
+        }
+
+        var keyPathRsa = builder.Configuration.GetValue<string>("Is4SigningKeyPathRsa");
+        if (keyPathRsa != null)
+        {
+            var keyPem = File.ReadAllText(keyPathRsa);
+            var key = RSA.Create();
+            key.ImportFromPem(keyPem);
+
+            //builder.AddSigningCredential(
+            //    new RsaSecurityKey(key),
+            //    IdentityServerConstants.RsaSigningAlgorithm.PS256);
+            //builder.AddSigningCredential(
+            //    new RsaSecurityKey(key),
+            //    IdentityServerConstants.RsaSigningAlgorithm.RS256);
+        }
+
+    }
+
+    public static void UseOpenIdConnect(this WebApplication app)
+    {
+
+    }
+}
diff --git a/SS14.Web/Extensions/PatreonExtension.cs b/SS14.Web/Extensions/PatreonExtension.cs
new file mode 100644
index 0000000..0fa0c4c
--- /dev/null
+++ b/SS14.Web/Extensions/PatreonExtension.cs
@@ -0,0 +1,43 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using SS14.Auth.Shared.Config;
+
+namespace SS14.Web.Extensions;
+
+public static class PatreonExtension
+{
+    public static void AddPatreon(this WebApplicationBuilder builder)
+    {
+        builder.Services.AddScoped<PatreonConnectionHandler>();
+        var patreonSection = builder.Configuration.GetSection("Patreon");
+        var patreonCfg = patreonSection.Get<PatreonConfiguration>();
+
+        if (patreonCfg?.ClientId == null || patreonCfg.ClientSecret == null)
+            return;
+
+        builder.Services.AddAuthentication()
+            // Rider is dumb that null is valid.
+            // It disables Patreon as an external login.
+            .AddPatreon("Patreon", null!, options =>
+            {
+                // Patreon docs lied you don't need this to see memberships to your own campaign.
+                // options.Scope.Add("identity.memberships");
+                options.Includes.Add("memberships.currently_entitled_tiers");
+                options.ClientId = patreonCfg.ClientId;
+                options.ClientSecret = patreonCfg.ClientSecret;
+
+                options.Events.OnCreatingTicket += context =>
+                {
+                    var handler = context.HttpContext.RequestServices.GetService<PatreonConnectionHandler>();
+                    return handler!.HookCreatingTicket(context);
+                };
+
+                options.Events.OnTicketReceived += context =>
+                {
+                    var handler = context.HttpContext.RequestServices.GetService<PatreonConnectionHandler>();
+                    return handler!.HookReceivedTicket(context);
+                };
+            });
+    }
+}
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index 035b9b2..defdd74 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -1,48 +1,127 @@
-using System.Linq;
-using System.Runtime.CompilerServices;
-using Microsoft.AspNetCore.Hosting;
+using System;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Prometheus;
 using Serilog;
 using SS14.Auth.Shared;
+using SS14.ServerHub.Shared.Data;
+using SS14.Web;
+using SS14.Web.Data;
+using SS14.Web.Extensions;
+using SS14.Web.HCaptcha;
+using SS14.WebEverythingShared;
 
-[assembly: InternalsVisibleTo("SS14.Web.Tests")]
+var builder = WebApplication.CreateBuilder();
 
-namespace SS14.Web;
+// Configuration
+var env = builder.Environment;
+builder.Configuration.AddYamlFile("appsettings.yml", false, true);
+builder.Configuration.AddYamlFile($"appsettings.{env.EnvironmentName}.yml", true, true);
+builder.Configuration.AddYamlFile("appsettings.Secret.yml", true, true);
 
-public class Program
+builder.Services.Configure<AccountOptions>(builder.Configuration.GetSection("Account"));
+
+// Logging
+builder.Services.AddSerilog(config =>
 {
-    public static void Main(string[] args)
-    {
-        CreateHostBuilder(args).Build().Run();
-    }
+    config.ReadFrom.Configuration(builder.Configuration);
+    StartupHelpers.SetupLoki(config, builder.Configuration, "SS14.Web");
+});
+
+builder.Services.AddScoped<HubAuditLogManager>();
+
+// Database
+
+builder.Services.AddDbContext<HubDbContext>(options =>
+{
+    var connectionString = builder.Configuration.GetConnectionString("HubConnection")
+        ?? throw new InvalidOperationException("Must set HubConnection");
+
+    options.UseNpgsql(connectionString);
+});
+
+// Auth
+
+builder.Services.AddAuthorizationBuilder()
+   .AddPolicy(AuthConstants.PolicyAnyHubAdmin, policy => policy.RequireRole(AuthConstants.RoleSysAdmin, AuthConstants.RoleServerHubAdmin) )
+   .AddPolicy(AuthConstants.PolicySysAdmin, policy => policy.RequireRole(AuthConstants.RoleSysAdmin) )
+   .AddPolicy(AuthConstants.PolicyServerHubAdmin, policy => policy.RequireRole(AuthConstants.RoleServerHubAdmin) );
+
+builder.Services.ConfigureApplicationCookie(options =>
+{
+    options.LoginPath = $"/Identity/Account/Login";
+    options.LogoutPath = $"/Identity/Account/Logout";
+    options.AccessDeniedPath = $"/Identity/Account/AccessDenied";
+});
+
+// MVC
+
+builder.Services.AddMvc().AddRazorPagesOptions(options =>
+{
+    options.Conventions.AuthorizeAreaFolder("Identity", "/Account/Manage");
+    options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
+    options.Conventions.AuthorizeAreaFolder("Admin", "/", AuthConstants.PolicyAnyHubAdmin);
+    options.Conventions.AuthorizeAreaFolder("Admin", "/Clients", AuthConstants.PolicySysAdmin);
+    options.Conventions.AuthorizeAreaFolder("Admin", "/Users", AuthConstants.PolicySysAdmin);
+    options.Conventions.AuthorizeAreaFolder("Admin", "/Servers", AuthConstants.PolicyServerHubAdmin);
+});
+
+builder.Services.AddControllersWithViews();
+builder.Services.AddRazorPages();
 
-    public static IHostBuilder CreateHostBuilder(string[] args)
+// Services
+builder.Services.AddSystemd();
+HCaptchaService.RegisterServices(builder.Services, builder.Configuration);
+builder.AddPatreon();
+builder.AddOpenIdConnect();
+builder.Services.AddScoped<PersonalDataCollector>();
+builder.AddShared();
+
+var app = builder.Build();
+
+app.UseSerilogRequestLogging(options =>
+{
+    options.MessageTemplate = "HTTP {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms to {ClientAddress}";
+    options.EnrichDiagnosticContext = (context, httpContext) =>
     {
-        return Host.CreateDefaultBuilder(args)
-            .ConfigureAppConfiguration((context, builder) =>
-            {
-                var env = context.HostingEnvironment;
-                builder.AddYamlFile("appsettings.yml", false, true);
-                builder.AddYamlFile($"appsettings.{env.EnvironmentName}.yml", true, true);
-                builder.AddYamlFile("appsettings.Secret.yml", true, true);
-            })
-            .UseSerilog((ctx, cfg) =>
-            {
-                cfg.ReadFrom.Configuration(ctx.Configuration);
-
-                StartupHelpers.SetupLoki(cfg, ctx.Configuration, "SS14.Web");
-            })
-            .ConfigureWebHostDefaults(webBuilder =>
-            {
-                var webRoot = webBuilder.GetSetting("WEBROOT");
-                if (!string.IsNullOrEmpty(webRoot))
-                {
-                    webBuilder.UseWebRoot(webRoot);
-                }
-
-                webBuilder.UseStartup<Startup>();
-            })
-            .UseSystemd();
-    }
-}
\ No newline at end of file
+        context.Set("ClientAddress", httpContext.Connection.RemoteIpAddress);
+    };
+});
+
+if (app.Environment.IsDevelopment())
+{
+    app.UseDeveloperExceptionPage();
+    app.UseMigrationsEndPoint();
+}
+else
+{
+    app.UseExceptionHandler("/Home/Error");
+    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+    app.UseHsts();
+}
+
+MoreStartupHelpers.AddForwardedSupport(app, app.Configuration);
+
+var pathBase = app.Configuration.GetValue<string>("PathBase");
+if (!string.IsNullOrEmpty(pathBase))
+    app.UsePathBase(pathBase);
+
+app.UseStaticFiles();
+
+app.UseRouting();
+
+app.UseHttpMetrics();
+
+app.UseAuthentication();
+app.UseAuthorization();
+
+app.MapDefaultControllerRoute();
+app.MapRazorPages();
+app.MapMetrics();
+
+app.UseOpenIdConnect();
+
+app.Run();
diff --git a/SS14.Web/Startup.cs b/SS14.Web/Startup.cs
deleted file mode 100644
index 0548a43..0000000
--- a/SS14.Web/Startup.cs
+++ /dev/null
@@ -1,237 +0,0 @@
-using System;
-using System.IO;
-using System.Net;
-using System.Security.Cryptography;
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Hosting;
-using Microsoft.AspNetCore.HttpOverrides;
-using Microsoft.AspNetCore.Identity;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Hosting;
-using Microsoft.IdentityModel.Tokens;
-using Prometheus;
-using Serilog;
-using SS14.Auth.Shared;
-using SS14.Auth.Shared.Config;
-using SS14.Auth.Shared.Data;
-using SS14.ServerHub.Shared.Data;
-using SS14.Web.Data;
-using SS14.Web.HCaptcha;
-using SS14.WebEverythingShared;
-
-namespace SS14.Web;
-
-public class Startup
-{
-    public Startup(IConfiguration configuration, IWebHostEnvironment environment)
-    {
-        Configuration = configuration;
-        Environment = environment;
-    }
-
-    public IConfiguration Configuration { get; }
-    public IWebHostEnvironment Environment { get; }
-
-    // This method gets called by the runtime. Use this method to add services to the container.
-    public void ConfigureServices(IServiceCollection services)
-    {
-        services.AddScoped<HubAuditLogManager>();
-
-        services.Configure<AccountOptions>(Configuration.GetSection("Account"));
-        HCaptchaService.RegisterServices(services, Configuration);
-
-        services.AddDatabaseDeveloperPageExceptionFilter();
-        StartupHelpers.AddShared(services, Configuration);
-
-        services.AddDbContext<HubDbContext>(options =>
-        {
-            var connectionString = Configuration.GetConnectionString("HubConnection") ?? throw new InvalidOperationException("Must set HubConnection");
-            options.UseNpgsql(connectionString);
-        });
-
-        services.AddAuthorization(options =>
-        {
-            options.AddPolicy(
-                AuthConstants.PolicyAnyHubAdmin,
-                policy => policy.RequireRole(AuthConstants.RoleSysAdmin, AuthConstants.RoleServerHubAdmin)
-            );
-
-            options.AddPolicy(
-                AuthConstants.PolicySysAdmin,
-                policy => policy.RequireRole(AuthConstants.RoleSysAdmin)
-            );
-
-            options.AddPolicy(
-                AuthConstants.PolicyServerHubAdmin,
-                policy => policy.RequireRole(AuthConstants.RoleServerHubAdmin)
-            );
-        });
-
-        services.AddMvc()
-            .AddRazorPagesOptions(options =>
-            {
-                options.Conventions.AuthorizeAreaFolder("Identity", "/Account/Manage");
-                options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
-                options.Conventions.AuthorizeAreaFolder("Admin", "/", AuthConstants.PolicyAnyHubAdmin);
-                options.Conventions.AuthorizeAreaFolder("Admin", "/Clients", AuthConstants.PolicySysAdmin);
-                options.Conventions.AuthorizeAreaFolder("Admin", "/Users", AuthConstants.PolicySysAdmin);
-                options.Conventions.AuthorizeAreaFolder("Admin", "/Servers", AuthConstants.PolicyServerHubAdmin);
-            });
-
-        services.ConfigureApplicationCookie(options =>
-        {
-            options.LoginPath = $"/Identity/Account/Login";
-            options.LogoutPath = $"/Identity/Account/Logout";
-            options.AccessDeniedPath = $"/Identity/Account/AccessDenied";
-        });
-
-        services.AddControllersWithViews();
-        services.AddRazorPages();
-
-        services.AddScoped<PatreonConnectionHandler>();
-
-        var patreonSection = Configuration.GetSection("Patreon");
-        var patreonCfg = patreonSection.Get<PatreonConfiguration>();
-
-        services.AddAuthentication(options => options.DefaultScheme = IdentityConstants.ApplicationScheme);
-
-        if (patreonCfg?.ClientId != null && patreonCfg.ClientSecret != null)
-        {
-            services.AddAuthentication()
-                // Rider is dumb that null is valid.
-                // It disables Patreon as an external login.
-                .AddPatreon("Patreon", null!, options =>
-                {
-                    // Patreon docs lied you don't need this to see memberships to your own campaign.
-                    // options.Scope.Add("identity.memberships");
-                    options.Includes.Add("memberships.currently_entitled_tiers");
-                    options.ClientId = patreonCfg.ClientId;
-                    options.ClientSecret = patreonCfg.ClientSecret;
-
-                    options.Events.OnCreatingTicket += context =>
-                    {
-                        var handler = context.HttpContext.RequestServices.GetService<PatreonConnectionHandler>();
-                        return handler!.HookCreatingTicket(context);
-                    };
-
-                    options.Events.OnTicketReceived += context =>
-                    {
-                        var handler = context.HttpContext.RequestServices.GetService<PatreonConnectionHandler>();
-                        return handler!.HookReceivedTicket(context);
-                    };
-                });
-        }
-
-        //TODO: Replace identityserver4 code in this file
-        /*var builder = services.AddIdentityServer(options =>
-            {
-                options.UserInteraction.ConsentUrl = "/Identity/Account/Consent";
-            })
-            .AddAspNetIdentity<SpaceUser>()
-            .AddOperationalStore<ApplicationDbContext>()
-            .AddConfigurationStore<ApplicationDbContext>()
-            .AddInMemoryIdentityResources(new IdentityResource[]
-            {
-                new IdentityResources.OpenId(),
-                new IdentityResources.Profile(),
-                new IdentityResources.Email(),
-            });*/
-
-        var keyPath = Configuration.GetValue<string>("Is4SigningKeyPath");
-        if (keyPath == null)
-        {
-            if (Environment.IsDevelopment())
-            {
-                Log.Debug("Using developer signing credentials");
-                //builder.AddDeveloperSigningCredential();
-            }
-            else
-            {
-                throw new Exception("No key specified for IS4!");
-            }
-        }
-        else
-        {
-            var keyPem = File.ReadAllText(keyPath);
-            var key = ECDsa.Create();
-            key.ImportFromPem(keyPem);
-
-            //builder.AddSigningCredential(
-            //    new ECDsaSecurityKey(key),
-            //    IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
-        }
-
-        var keyPathRsa = Configuration.GetValue<string>("Is4SigningKeyPathRsa");
-        if (keyPathRsa != null)
-        {
-            var keyPem = File.ReadAllText(keyPathRsa);
-            var key = RSA.Create();
-            key.ImportFromPem(keyPem);
-
-            //builder.AddSigningCredential(
-            //    new RsaSecurityKey(key),
-            //    IdentityServerConstants.RsaSigningAlgorithm.PS256);
-            //builder.AddSigningCredential(
-            //    new RsaSecurityKey(key),
-            //    IdentityServerConstants.RsaSigningAlgorithm.RS256);
-        }
-
-        services.AddScoped<PersonalDataCollector>();
-    }
-
-    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
-    {
-        app.UseSerilogRequestLogging(options =>
-        {
-            options.MessageTemplate = "HTTP {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms to {ClientAddress}";
-            options.EnrichDiagnosticContext = (context, httpContext) =>
-            {
-                context.Set("ClientAddress", httpContext.Connection.RemoteIpAddress);
-            };
-        });
-
-        if (env.IsDevelopment())
-        {
-            app.UseDeveloperExceptionPage();
-            app.UseMigrationsEndPoint();
-        }
-        else
-        {
-            app.UseExceptionHandler("/Home/Error");
-            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
-            app.UseHsts();
-        }
-
-        MoreStartupHelpers.AddForwardedSupport(app, Configuration);
-
-        var pathBase = Configuration.GetValue<string>("PathBase");
-        if (!string.IsNullOrEmpty(pathBase))
-        {
-            app.UsePathBase(pathBase);
-        }
-
-        //app.UseHttpsRedirection();
-        app.UseStaticFiles();
-
-        app.UseRouting();
-
-        app.UseHttpMetrics();
-
-        app.UseAuthentication();
-        app.UseAuthorization();
-
-        app.UseEndpoints(endpoints =>
-        {
-            endpoints.MapControllerRoute(
-                name: "default",
-                pattern: "{controller=Home}/{action=Index}/{id?}");
-            endpoints.MapRazorPages();
-            endpoints.MapMetrics();
-        });
-
-        //app.UseIdentityServer();
-    }
-}

From e9eddaa5415fd9fa98cf6f0fbfe190ebf4fed39c Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 11 Aug 2025 00:13:15 +0200
Subject: [PATCH 05/43] Work on adding OpenIddict to program.cs

---
 SS14.Web/Extensions/OpenIdExtension.cs | 51 ++++++++++++++++++++++----
 SS14.Web/Program.cs                    |  3 +-
 SS14.Web/SS14.Web.csproj               |  2 +
 3 files changed, 48 insertions(+), 8 deletions(-)

diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/Extensions/OpenIdExtension.cs
index 19dee74..059c7a2 100644
--- a/SS14.Web/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/Extensions/OpenIdExtension.cs
@@ -4,8 +4,11 @@
 using System.Security.Cryptography;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
 using Serilog;
+using SS14.ServerHub.Shared.Data;
 
 namespace SS14.Web.Extensions;
 
@@ -13,7 +16,41 @@ public static class OpenIdExtension
 {
     public static void AddOpenIdConnect(this WebApplicationBuilder builder)
     {
-        var keyPath = builder.Configuration.GetValue<string>("Is4SigningKeyPath");
+        builder.Services.AddOpenIddict()
+            .AddCore(options => options.UseEntityFrameworkCore().UseDbContext<HubDbContext>())
+            .AddServer(options =>
+            {
+                options.SetAuthorizationEndpointUris("connect/authorize", "connect/authorize/accept", "connect/authorize/deny")
+                    .SetTokenEndpointUris("connect/token")
+                    .SetEndSessionEndpointUris("connect/endsession")
+                    .SetUserInfoEndpointUris("connect/userinfo")
+                    .SetIntrospectionEndpointUris("connect/introspect");
+
+                options.AllowAuthorizationCodeFlow();
+
+                options.ConfigureKeys(builder);
+
+            })
+            .AddValidation(options =>
+            {
+                options.UseLocalServer();
+                options.UseAspNetCore();
+            });
+    }
+
+    public static void UseOpenIdConnect(this WebApplication app)
+    {
+
+    }
+
+    private static void ConfigureKeys(this OpenIddictServerBuilder options,  WebApplicationBuilder builder)
+    {
+        var deprecatedKeyPath = builder.Configuration.GetValue<string>("Is4SigningKeyPath");
+        if (deprecatedKeyPath != null)
+            Log.Warning("Using deprecated Is4SigningKeyPath. Use OidcSigningKeyPath instead.");
+
+        var keyPath = deprecatedKeyPath ?? builder.Configuration.GetValue<string>("OidcSigningKeyPath");
+
         if (keyPath == null)
         {
             if (builder.Environment.IsDevelopment())
@@ -37,7 +74,12 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
             //    IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
         }
 
-        var keyPathRsa = builder.Configuration.GetValue<string>("Is4SigningKeyPathRsa");
+        var deprecatedKeyPathRsa = builder.Configuration.GetValue<string>("Is4SigningKeyPathRsa");
+        if (deprecatedKeyPathRsa != null)
+            Log.Warning("Using deprecated Is4SigningKeyPathRsa. Use OidcSigningKeyPathRsa instead.");
+
+        var keyPathRsa = deprecatedKeyPathRsa ?? builder.Configuration.GetValue<string>("OidcSigningKeyPathRsa");
+
         if (keyPathRsa != null)
         {
             var keyPem = File.ReadAllText(keyPathRsa);
@@ -53,9 +95,4 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
         }
 
     }
-
-    public static void UseOpenIdConnect(this WebApplication app)
-    {
-
-    }
 }
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index defdd74..8718a26 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -87,7 +87,8 @@
     options.MessageTemplate = "HTTP {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms to {ClientAddress}";
     options.EnrichDiagnosticContext = (context, httpContext) =>
     {
-        context.Set("ClientAddress", httpContext.Connection.RemoteIpAddress);
+        if (httpContext.Connection.RemoteIpAddress != null)
+            context.Set("ClientAddress", httpContext.Connection.RemoteIpAddress);
     };
 });
 
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 8f53ddc..73a77bd 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -10,6 +10,8 @@
         <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
         <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
         <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" Condition="'$(Configuration)' == 'Debug'" />
+        <PackageReference Include="OpenIddict.AspNetCore" Version="7.0.0" />
+        <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="7.0.0" />
         <PackageReference Include="prometheus-net" Version="8.2.1" />
         <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
     </ItemGroup>

From 0167585252c6ac2383e10e23c80c3c0681825a4f Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 11 Aug 2025 20:30:52 +0200
Subject: [PATCH 06/43] Implement OpenIddict configuration

---
 .../OpenIdCertificateConfiguration.cs         | 12 +++
 SS14.Web/Extensions/OpenIdExtension.cs        | 83 +++++--------------
 SS14.Web/Program.cs                           |  1 +
 SS14.Web/appsettings.yml                      | 18 +++-
 4 files changed, 52 insertions(+), 62 deletions(-)
 create mode 100644 SS14.Web/Configuration/OpenIdCertificateConfiguration.cs

diff --git a/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs b/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
new file mode 100644
index 0000000..2bf0983
--- /dev/null
+++ b/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
@@ -0,0 +1,12 @@
+namespace SS14.Web.Configuration;
+
+public sealed class OpenIdCertificateConfiguration
+{
+    public const string Name = "Certificates";
+
+    public string? EncryptionCertificatePath { get; set; }
+    public string? EncryptionCertificatePassword { get; set; }
+
+    public string? SigningCertificatePath { get; set; }
+    public string? SigningCertificatePassword { get; set; }
+}
diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/Extensions/OpenIdExtension.cs
index 059c7a2..755efc4 100644
--- a/SS14.Web/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/Extensions/OpenIdExtension.cs
@@ -9,6 +9,7 @@
 using Microsoft.Extensions.Logging;
 using Serilog;
 using SS14.ServerHub.Shared.Data;
+using SS14.Web.Configuration;
 
 namespace SS14.Web.Extensions;
 
@@ -16,26 +17,17 @@ public static class OpenIdExtension
 {
     public static void AddOpenIdConnect(this WebApplicationBuilder builder)
     {
-        builder.Services.AddOpenIddict()
-            .AddCore(options => options.UseEntityFrameworkCore().UseDbContext<HubDbContext>())
-            .AddServer(options =>
-            {
-                options.SetAuthorizationEndpointUris("connect/authorize", "connect/authorize/accept", "connect/authorize/deny")
-                    .SetTokenEndpointUris("connect/token")
-                    .SetEndSessionEndpointUris("connect/endsession")
-                    .SetUserInfoEndpointUris("connect/userinfo")
-                    .SetIntrospectionEndpointUris("connect/introspect");
+        var openId = builder.Services.AddOpenIddict();
+        openId.AddCore(options => options.UseEntityFrameworkCore().UseDbContext<HubDbContext>());
 
-                options.AllowAuthorizationCodeFlow();
+        openId.AddValidation().UseLocalServer();
+        openId.AddValidation().UseAspNetCore();
+
+        openId.AddServer().Configure(config => builder.Configuration.Bind("OpenId:Server", config));
+        openId.AddServer().UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableStatusCodePagesIntegration();
+        ConfigureCertificates(openId, builder);
 
-                options.ConfigureKeys(builder);
 
-            })
-            .AddValidation(options =>
-            {
-                options.UseLocalServer();
-                options.UseAspNetCore();
-            });
     }
 
     public static void UseOpenIdConnect(this WebApplication app)
@@ -43,56 +35,25 @@ public static void UseOpenIdConnect(this WebApplication app)
 
     }
 
-    private static void ConfigureKeys(this OpenIddictServerBuilder options,  WebApplicationBuilder builder)
+    private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicationBuilder builder)
     {
-        var deprecatedKeyPath = builder.Configuration.GetValue<string>("Is4SigningKeyPath");
-        if (deprecatedKeyPath != null)
-            Log.Warning("Using deprecated Is4SigningKeyPath. Use OidcSigningKeyPath instead.");
-
-        var keyPath = deprecatedKeyPath ?? builder.Configuration.GetValue<string>("OidcSigningKeyPath");
-
-        if (keyPath == null)
+        if (builder.Environment.IsDevelopment())
         {
-            if (builder.Environment.IsDevelopment())
-            {
-                Log.Debug("Using developer signing credentials");
-                //builder.AddDeveloperSigningCredential();
-            }
-            else
-            {
-                throw new Exception("No key specified for IS4!");
-            }
+            openId.AddServer().AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
+            return;
         }
-        else
-        {
-            var keyPem = File.ReadAllText(keyPath);
-            var key = ECDsa.Create();
-            key.ImportFromPem(keyPem);
 
-            //builder.AddSigningCredential(
-            //    new ECDsaSecurityKey(key),
-            //    IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
-        }
+        var config = builder.Configuration
+            .GetSection("OpenId")
+            .GetSection(OpenIdCertificateConfiguration.Name).Get<OpenIdCertificateConfiguration>();
 
-        var deprecatedKeyPathRsa = builder.Configuration.GetValue<string>("Is4SigningKeyPathRsa");
-        if (deprecatedKeyPathRsa != null)
-            Log.Warning("Using deprecated Is4SigningKeyPathRsa. Use OidcSigningKeyPathRsa instead.");
+        if (config?.EncryptionCertificatePath == null || config.SigningCertificatePath == null)
+            throw new InvalidOperationException("Encryption and signing certificates not configured");
 
-        var keyPathRsa = deprecatedKeyPathRsa ?? builder.Configuration.GetValue<string>("OidcSigningKeyPathRsa");
-
-        if (keyPathRsa != null)
-        {
-            var keyPem = File.ReadAllText(keyPathRsa);
-            var key = RSA.Create();
-            key.ImportFromPem(keyPem);
-
-            //builder.AddSigningCredential(
-            //    new RsaSecurityKey(key),
-            //    IdentityServerConstants.RsaSigningAlgorithm.PS256);
-            //builder.AddSigningCredential(
-            //    new RsaSecurityKey(key),
-            //    IdentityServerConstants.RsaSigningAlgorithm.RS256);
-        }
+        using var encryptionCert = File.OpenRead(config.EncryptionCertificatePath);
+        openId.AddServer().AddEncryptionCertificate(encryptionCert, config.EncryptionCertificatePassword);
 
+        using var signingCert = File.OpenRead(config.SigningCertificatePath);
+        openId.AddServer().AddSigningCertificate(signingCert, config.SigningCertificatePassword);
     }
 }
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index 8718a26..57416cc 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -41,6 +41,7 @@
         ?? throw new InvalidOperationException("Must set HubConnection");
 
     options.UseNpgsql(connectionString);
+    options.UseOpenIddict();
 });
 
 // Auth
diff --git a/SS14.Web/appsettings.yml b/SS14.Web/appsettings.yml
index 65336d0..c6fe967 100644
--- a/SS14.Web/appsettings.yml
+++ b/SS14.Web/appsettings.yml
@@ -26,4 +26,20 @@ ForwardProxies:
 AllowedHosts: "*"
 
 Account:
-  UsernameChangeDays: 30
\ No newline at end of file
+  UsernameChangeDays: 30
+
+OpenId:
+  Server:
+    AuthorizationEndpointUris:
+    - connect/authorize
+    - connect/authorize/accept
+    - connect/authorize/deny
+    TokenEndpointUris: [ connect/token ]
+    EndSessionEndpointUris: [ connect/endsession ]
+    UserInfoEndpointUris: [ connect/userinfo ]
+    IntrospectionEndpointUris: [ connect/introspect ]
+    GrantTypes:
+    - authorization_code
+    - refresh_token
+    ResponseTypes: [ code ]
+    Scopes: [ openid, profile, email, roles, offline_access ]

From 7b0520a9f95fc67b04458a77b6a69b0943ed9283 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Tue, 12 Aug 2025 00:02:43 +0200
Subject: [PATCH 07/43] Implement custom application entity Migrate to nullable

---
 .../Data/OpeniddictDefaultTypes.cs            |  11 +
 SS14.Auth.Shared/Data/SpaceApplication.cs     |  11 +
 SS14.Auth.Shared/Data/UserOAuthClient.cs      |   1 +
 SS14.Auth.Shared/SS14.Auth.Shared.csproj      |   1 +
 SS14.Web/AccountOptions.cs                    |   3 +-
 .../Admin/Pages/Clients/Client.cshtml.cs      |   3 +-
 .../Pages/Clients/ConfirmDelete.cshtml.cs     |   3 +-
 .../Areas/Admin/Pages/Clients/Index.cshtml.cs |   3 +-
 SS14.Web/Areas/Admin/Pages/Index.cshtml.cs    |   3 +-
 .../Admin/Pages/Servers/AuditLog.cshtml.cs    |   3 +-
 .../Communities/ConfirmDelete.cshtml.cs       |   3 +-
 .../Pages/Servers/Communities/Index.cshtml.cs |   3 +-
 .../Pages/Servers/Communities/View.cshtml.cs  |   3 +-
 .../Areas/Admin/Pages/Servers/Index.cshtml.cs |   3 +-
 .../Admin/Pages/Servers/ListActive.cshtml.cs  |   3 +-
 .../Admin/Pages/Servers/ListNames.cshtml.cs   |   3 +-
 .../Admin/Pages/Servers/Server.cshtml.cs      |   6 +-
 .../Pages/Servers/TestInfoMatch.cshtml.cs     |   5 +-
 .../Pages/Users/ConfirmClearTfa.cshtml.cs     |   3 +-
 .../Admin/Pages/Users/ConfirmDelete.cshtml.cs |   3 +-
 .../Pages/Users/CreateReserved.cshtml.cs      |   3 +-
 .../Admin/Pages/Users/EditPassword.cshtml.cs  |   1 +
 .../Areas/Admin/Pages/Users/Index.cshtml.cs   |   5 +-
 .../Admin/Pages/Users/ViewUser.cshtml.cs      |   3 +-
 .../Areas/Identity/IdentityHostingStartup.cs  |   1 +
 .../Pages/Account/AccessDenied.cshtml.cs      |   1 +
 .../Pages/Account/AdminLocked.cshtml.cs       |   1 +
 .../Pages/Account/ConfirmEmail.cshtml.cs      |   3 +-
 .../Account/ConfirmEmailChange.cshtml.cs      |   3 +-
 .../Identity/Pages/Account/Consent.cshtml.cs  |  58 ++++--
 .../Pages/Account/ExternalLogin.cshtml.cs     |   5 +-
 .../Pages/Account/ForgotPassword.cshtml.cs    |   1 +
 .../ForgotPasswordConfirmation.cshtml.cs      |   1 +
 .../Identity/Pages/Account/Lockout.cshtml.cs  |   1 +
 .../Identity/Pages/Account/Login.cshtml.cs    |   1 +
 .../Pages/Account/LoginWith2fa.cshtml.cs      |   3 +-
 .../Account/LoginWithRecoveryCode.cshtml.cs   |   5 +-
 .../Identity/Pages/Account/Logout.cshtml.cs   |   3 +-
 .../Account/Manage/ChangePassword.cshtml.cs   |   1 +
 .../Manage/DeletePersonalData.cshtml.cs       |   1 +
 .../Pages/Account/Manage/Developer.cshtml.cs  |   3 +-
 .../Pages/Account/Manage/Disable2fa.cshtml.cs |   1 +
 .../Pages/Account/Manage/Email.cshtml.cs      |   1 +
 .../Manage/EnableAuthenticator.cshtml.cs      |   1 +
 .../Account/Manage/ExternalLogins.cshtml.cs   |   1 +
 .../Manage/GenerateRecoveryCodes.cshtml.cs    |   1 +
 .../Pages/Account/Manage/Index.cshtml.cs      |   1 +
 .../Pages/Account/Manage/ManageNavPages.cs    |  23 +-
 .../Account/Manage/ManagePatreon.cshtml.cs    |   3 +-
 .../Manage/OAuthApps/ConfirmDelete.cshtml.cs  |   3 +-
 .../Account/Manage/OAuthApps/Create.cshtml.cs |   3 +-
 .../Account/Manage/OAuthApps/Manage.cshtml.cs |   5 +-
 .../Account/Manage/PersonalData.cshtml.cs     |   1 +
 .../Manage/ResetAuthenticator.cshtml.cs       |   1 +
 .../Account/Manage/SetPassword.cshtml.cs      |   1 +
 .../Manage/ShowRecoveryCodes.cshtml.cs        |   1 +
 .../Manage/TwoFactorAuthentication.cshtml.cs  |   1 +
 .../Identity/Pages/Account/Register.cshtml.cs |   7 +-
 .../Account/RegisterConfirmation.cshtml.cs    |   3 +-
 .../Account/ResendEmailConfirmation.cshtml.cs |   1 +
 .../Pages/Account/ResetPassword.cshtml.cs     |   3 +-
 .../ResetPasswordConfirmation.cshtml.cs       |   1 +
 .../OpenIdCertificateConfiguration.cs         |   3 +-
 SS14.Web/Controllers/HomeController.cs        |   3 +-
 SS14.Web/Data/HubAuditLogManager.cs           |   3 +-
 .../Extensions/AsyncEnumerableExtension.cs    |  21 ++
 SS14.Web/Extensions/OpenIdExtension.cs        |  15 +-
 SS14.Web/Extensions/PatreonExtension.cs       |   3 +-
 SS14.Web/HCaptcha/HCaptchaOptions.cs          |   3 +-
 SS14.Web/HCaptcha/HCaptchaService.cs          |   3 +-
 SS14.Web/Helpers/CollectionHelper.cs          |   3 +-
 SS14.Web/Helpers/DestinationHelper.cs         |  45 ++++
 SS14.Web/Helpers/FormHiddenRoutes.cs          |   3 +-
 SS14.Web/Helpers/MustBeTrueAttribute.cs       |   3 +-
 SS14.Web/Helpers/PaginatedList.cs             |   3 +-
 SS14.Web/Helpers/PaginationState.cs           |   3 +-
 SS14.Web/Helpers/SearchHelper.cs              |   3 +-
 SS14.Web/Helpers/SortState.cs                 |   3 +-
 SS14.Web/Models/ErrorViewModel.cs             |   1 +
 .../Types/AuthenticationValidationFailure.cs  |  16 ++
 SS14.Web/Models/Types/AuthorizationResult.cs  |  41 ++++
 SS14.Web/Models/Types/ConsentResult.cs        |  18 ++
 SS14.Web/Models/Types/Result.cs               |  38 ++++
 SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs |   1 +
 SS14.Web/PatreonConnectionHandler.cs          |   5 +-
 SS14.Web/PersonalDataCollector.cs             |   3 +-
 SS14.Web/Program.cs                           |   3 +-
 SS14.Web/Properties/AssemblyInfo.cs           |   1 +
 SS14.Web/SS14.Web.csproj                      |   1 +
 SS14.Web/Services/IdentityClaimsProvider.cs   |  68 ++++++
 SS14.Web/Services/OpenIdActionService.cs      | 196 ++++++++++++++++++
 SS14.Web/Services/SignedInIdentityService.cs  |  43 ++++
 92 files changed, 704 insertions(+), 95 deletions(-)
 create mode 100644 SS14.Auth.Shared/Data/OpeniddictDefaultTypes.cs
 create mode 100644 SS14.Auth.Shared/Data/SpaceApplication.cs
 create mode 100644 SS14.Web/Extensions/AsyncEnumerableExtension.cs
 create mode 100644 SS14.Web/Helpers/DestinationHelper.cs
 create mode 100644 SS14.Web/Models/Types/AuthenticationValidationFailure.cs
 create mode 100644 SS14.Web/Models/Types/AuthorizationResult.cs
 create mode 100644 SS14.Web/Models/Types/ConsentResult.cs
 create mode 100644 SS14.Web/Models/Types/Result.cs
 create mode 100644 SS14.Web/Services/IdentityClaimsProvider.cs
 create mode 100644 SS14.Web/Services/OpenIdActionService.cs
 create mode 100644 SS14.Web/Services/SignedInIdentityService.cs

diff --git a/SS14.Auth.Shared/Data/OpeniddictDefaultTypes.cs b/SS14.Auth.Shared/Data/OpeniddictDefaultTypes.cs
new file mode 100644
index 0000000..c20df5d
--- /dev/null
+++ b/SS14.Auth.Shared/Data/OpeniddictDefaultTypes.cs
@@ -0,0 +1,11 @@
+using OpenIddict.EntityFrameworkCore.Models;
+
+namespace SS14.Auth.Shared.Data;
+
+public class OpeniddictDefaultTypes
+{
+    public sealed class DefaultAuthorization : OpenIddictEntityFrameworkCoreAuthorization<string, SpaceApplication, DefaultToken>;
+    public sealed class DefaultScope : OpenIddictEntityFrameworkCoreScope<string>;
+    public sealed class DefaultToken : OpenIddictEntityFrameworkCoreToken<string, SpaceApplication, DefaultAuthorization>;
+
+}
diff --git a/SS14.Auth.Shared/Data/SpaceApplication.cs b/SS14.Auth.Shared/Data/SpaceApplication.cs
new file mode 100644
index 0000000..1723352
--- /dev/null
+++ b/SS14.Auth.Shared/Data/SpaceApplication.cs
@@ -0,0 +1,11 @@
+using System;
+using OpenIddict.EntityFrameworkCore.Models;
+using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
+
+namespace SS14.Auth.Shared.Data;
+
+public sealed class SpaceApplication : OpenIddictEntityFrameworkCoreApplication<string, DefaultAuthorization, DefaultToken>
+{
+    public Guid SpaceUserId { get; set; }
+    public SpaceUser SpaceUser { get; set; }
+}
diff --git a/SS14.Auth.Shared/Data/UserOAuthClient.cs b/SS14.Auth.Shared/Data/UserOAuthClient.cs
index 70ffa70..f47844b 100644
--- a/SS14.Auth.Shared/Data/UserOAuthClient.cs
+++ b/SS14.Auth.Shared/Data/UserOAuthClient.cs
@@ -3,6 +3,7 @@
 
 namespace SS14.Auth.Shared.Data;
 
+// TODO: Delete
 public sealed class UserOAuthClient
 {
     public int UserOAuthClientId { get; set; }
diff --git a/SS14.Auth.Shared/SS14.Auth.Shared.csproj b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
index 7abe58f..14795e2 100644
--- a/SS14.Auth.Shared/SS14.Auth.Shared.csproj
+++ b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
@@ -19,6 +19,7 @@
         <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.13.1" />
         <PackageReference Include="MimeKit" Version="4.13.0" />
         <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
+        <PackageReference Include="OpenIddict.EntityFrameworkCore.Models" Version="7.0.0" />
         <PackageReference Include="Robust.Shared.AuthLib" Version="0.1.2" />
         <PackageReference Include="Serilog" Version="4.3.0" />
         <PackageReference Include="Serilog.AspNetCore" Version="9.0.0" />
diff --git a/SS14.Web/AccountOptions.cs b/SS14.Web/AccountOptions.cs
index 5a6f589..afdfb49 100644
--- a/SS14.Web/AccountOptions.cs
+++ b/SS14.Web/AccountOptions.cs
@@ -1,4 +1,5 @@
-namespace SS14.Web;
+#nullable enable
+namespace SS14.Web;
 
 public sealed class AccountOptions
 {
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
index 25f79a5..dd1431b 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
@@ -1,4 +1,5 @@
-using System.ComponentModel.DataAnnotations;
+#nullable enable
+using System.ComponentModel.DataAnnotations;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using SS14.Auth.Shared.Data;
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
index 9c904a1..baeed42 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+#nullable enable
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
index 5235a3d..e2debae 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+#nullable enable
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using SS14.Auth.Shared.Data;
diff --git a/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs
index 24402f1..f126493 100644
--- a/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc.RazorPages;
+#nullable enable
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace SS14.Web.Areas.Admin.Pages;
 
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs
index eb30aef..c96292e 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs
@@ -1,4 +1,5 @@
-using System.Collections.Generic;
+#nullable enable
+using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs
index 2f12449..7740571 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs
@@ -1,4 +1,5 @@
-using System.Linq;
+#nullable enable
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs
index 36bcd98..a270c2d 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Linq.Expressions;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs
index 4e66855..ba9c18a 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs
index 018739e..2e11fee 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc.RazorPages;
+#nullable enable
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace SS14.Web.Areas.Admin.Pages.Servers;
 
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs
index c4b62f0..022488f 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text.Json;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs
index 0d04bfe..4098ef1 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs
index d70fb44..4cdb5f8 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs
@@ -1,10 +1,10 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Text.Json;
 using System.Threading.Tasks;
-using JetBrains.Annotations;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
@@ -21,7 +21,7 @@ public class Server : PageModel
 
     public int ServerId { get; private set; }
     public string Address { get; private set; } = "";
-    [CanBeNull] public IPAddress AdvertiserAddress { get; private set; }
+    public IPAddress? AdvertiserAddress { get; private set; }
     public ServerStatusData Status { get; private set; }
     public ServerInfoData Info { get; private set; }
     public bool Online { get; private set; }
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs
index 52b0f58..e38adee 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
@@ -26,7 +27,7 @@ public TestInfoMatch(HubDbContext dbContext)
         _dbContext = dbContext;
     }
 
-    public async Task OnGetAsync(string path, InfoMatchField field)
+    public async Task OnGetAsync(string? path, InfoMatchField field)
     {
         CurrentPath = path;
         CurrentField = field;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs
index a83fab9..1c96fed 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs
index 8802949..bf41de6 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs
index a98afb0..31ff282 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Buffers.Text;
 using System.ComponentModel.DataAnnotations;
 using System.Security.Cryptography;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs
index ab9d371..a345dd6 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs
index e4fac0c..9419a9f 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs
@@ -1,4 +1,5 @@
-using System.Linq;
+#nullable enable
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc.RazorPages;
@@ -28,7 +29,7 @@ public Index(UserManager<SpaceUser> userManager)
     }
 
     public async Task OnGetAsync(
-        string sortOrder,
+        string? sortOrder,
         string currentFilter,
         string searchString,
         int? pageIndex)
diff --git a/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs
index e567821..c6a9d11 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.ComponentModel.DataAnnotations;
 using System.Net.Mime;
 using System.Text;
diff --git a/SS14.Web/Areas/Identity/IdentityHostingStartup.cs b/SS14.Web/Areas/Identity/IdentityHostingStartup.cs
index c6a6fbf..8ce883a 100644
--- a/SS14.Web/Areas/Identity/IdentityHostingStartup.cs
+++ b/SS14.Web/Areas/Identity/IdentityHostingStartup.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs
index df42ee7..3ad719f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs
index 31a6145..45b36b9 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs
index c321c96..6c18576 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
@@ -25,7 +26,7 @@ public ConfirmEmailModel(SpaceUserManager userManager, ApplicationDbContext dbCo
     [TempData]
     public string StatusMessage { get; set; }
 
-    public async Task<IActionResult> OnGetAsync(string userId, string code)
+    public async Task<IActionResult> OnGetAsync(string? userId, string code)
     {
         if (userId == null || code == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs
index ef361a8..c893932 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -35,7 +36,7 @@ public ConfirmEmailChangeModel(
     [TempData]
     public string StatusMessage { get; set; }
 
-    public async Task<IActionResult> OnGetAsync(string userId, string email, string code)
+    public async Task<IActionResult> OnGetAsync(string? userId, string? email, string code)
     {
         if (userId == null || email == null || code == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index 125d4b0..ea78df9 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -1,49 +1,69 @@
-using System.Threading.Tasks;
+#nullable enable
+using System.Threading.Tasks;
+using Microsoft.AspNetCore;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.Extensions.Logging;
+using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Services;
 
 namespace SS14.Web.Areas.Identity.Pages.Account;
 // TODO: Replace identityserver4 code in this file
 public sealed class Consent : PageModel
 {
-    //private readonly IIdentityServerInteractionService _interaction;
     private readonly ApplicationDbContext _dbContext;
     private readonly ILogger<Consent> _logger;
+    private readonly OpenIdActionService _actionService;
 
-    //public AuthorizationRequest AuthRequest { get; private set; }
-    public UserOAuthClient UserClient { get; private set; }
-    public string ReturnUrl { get; set; }
+    public OpenIddictRequest? AuthRequest { get; private set; }
+    public SpaceApplication? Application { get; private set; }
+    public string? ReturnUrl { get; set; }
 
-    [BindProperty] public InputModel Input { get; set; }
+    [BindProperty] public InputModel? Input { get; set; }
 
     [ValidateAntiForgeryToken]
     public sealed class InputModel
     {
-        public string ReturnUrl { get; set; }
-        public string Button { get; set; }
+        public string? ReturnUrl { get; set; }
+        public string? Button { get; set; }
     }
 
-    public Consent(/*IIdentityServerInteractionService interaction,*/ ApplicationDbContext dbContext, ILogger<Consent> logger)
+    public Consent(ApplicationDbContext dbContext, ILogger<Consent> logger, OpenIdActionService actionService)
     {
-        //_interaction = interaction;
         _dbContext = dbContext;
         _logger = logger;
+        _actionService = actionService;
     }
 
     public async Task<IActionResult> OnGetAsync(string returnUrl)
     {
         ReturnUrl = returnUrl;
-        //AuthRequest = await _interaction.GetAuthorizationContextAsync(returnUrl);
-
-        // Can be null if managed by hub admins.
-        // Though I doubt we'll ever have consent pages for those.
-        UserClient = null;/*await _dbContext.UserOAuthClients
-            .Include(oauth => oauth.Client)
-            .Include(oauth => oauth.SpaceUser)
-            .SingleOrDefaultAsync(oauth => oauth.Client.ClientId == AuthRequest.Client.ClientId);
-*/
+        AuthRequest = HttpContext.GetOpenIddictClientRequest();
+
+        if (AuthRequest is null)
+            return BadRequest();
+
+        var result = await HttpContext.AuthenticateAsync();
+        var validation = _actionService.ValidateOpenIdAuthentication(
+            HttpContext,
+            result,
+            AuthRequest);
+
+        switch (validation.IsSuccess)
+        {
+            case false when validation.Error.IsChallenge:
+                return Challenge(validation.Error.Properties!);
+            case false:
+                return Forbid(validation.Error.Error!, "The login is required.");
+        }
+
+        var authorization = await _actionService.AuthorizeActionAsync(AuthRequest, AuthRequest.GetScopes());
+        Application = authorization.Application;
+
+
+        
         return Page();
     }
 
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs
index 50299b1..9c06b1b 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Security.Claims;
 using System.Text;
@@ -57,7 +58,7 @@ public IActionResult OnGetAsync()
         return RedirectToPage("./Login");
     }
 
-    public IActionResult OnPost(string provider, string returnUrl = null)
+    public IActionResult OnPost(string provider, string? returnUrl = null)
     {
         // Request a redirect to the external login provider.
         var redirectUrl = Url.Page("./ExternalLogin", pageHandler: "Callback", values: new { returnUrl });
@@ -65,7 +66,7 @@ public IActionResult OnPost(string provider, string returnUrl = null)
         return new ChallengeResult(provider, properties);
     }
 
-    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string remoteError = null)
+    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string? remoteError = null)
     {
         returnUrl = returnUrl ?? Url.Content("~/");
         if (remoteError != null)
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs
index 4b1984a..e09483d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Text;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs
index cbabff3..36cd63f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs
index 21f1ad7..85171bc 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs
index 12ddfc0..2150af4 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs
index d99e02c..3b67d05 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
@@ -43,7 +44,7 @@ public class InputModel
         public bool RememberMachine { get; set; }
     }
 
-    public async Task<IActionResult> OnGetAsync(bool rememberMe, string returnUrl = null)
+    public async Task<IActionResult> OnGetAsync(bool rememberMe, string? returnUrl = null)
     {
         // Ensure the user has gone through the username & password screen first
         var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
diff --git a/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs
index f2eeb92..d4dfa0e 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
@@ -38,7 +39,7 @@ public class InputModel
         public string RecoveryCode { get; set; }
     }
 
-    public async Task<IActionResult> OnGetAsync(string returnUrl = null)
+    public async Task<IActionResult> OnGetAsync(string? returnUrl = null)
     {
         // Ensure the user has gone through the username & password screen first
         var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
@@ -52,7 +53,7 @@ public async Task<IActionResult> OnGetAsync(string returnUrl = null)
         return Page();
     }
 
-    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
+    public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
     {
         if (!ModelState.IsValid)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs
index 0242677..db50f2f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -27,7 +28,7 @@ public void OnGet()
     {
     }
 
-    public async Task<IActionResult> OnPost(string returnUrl = null)
+    public async Task<IActionResult> OnPost(string? returnUrl = null)
     {
         await _signInManager.SignOutAsync();
         _logger.LogInformation("User logged out.");
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs
index 47fa46b..64591e8 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs
index d38f160..534e888 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 /*
 using System;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
index 954785e..7758a0c 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
@@ -1,4 +1,5 @@
-using System.Collections.Generic;
+#nullable enable
+using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs
index 9515863..61e44eb 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs
index 15349d5..a671f64 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Text;
 using System.Text.Encodings.Web;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs
index 40a395d..438ed8f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs
index b52c03f..2c243df 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs
index b6a858e..2255429 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Linq;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs
index 79253f6..80ee2b4 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs
index 7114517..781d176 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -19,34 +20,34 @@ public static class ManageNavPages
     public const string ManagePatreon = "ManagePatreon";
     public const string Developer = "Developer";
 
-    public static string IndexNavClass(ViewContext viewContext)
+    public static string? IndexNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, Index);
 
-    public static string EmailNavClass(ViewContext viewContext)
+    public static string? EmailNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, Email);
 
-    public static string ChangePasswordNavClass(ViewContext viewContext)
+    public static string? ChangePasswordNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, ChangePassword);
 
-    public static string DownloadPersonalDataNavClass(ViewContext viewContext)
+    public static string? DownloadPersonalDataNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, DownloadPersonalData);
 
-    public static string DeletePersonalDataNavClass(ViewContext viewContext)
+    public static string? DeletePersonalDataNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, DeletePersonalData);
 
-    public static string ExternalLoginsNavClass(ViewContext viewContext)
+    public static string? ExternalLoginsNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, ExternalLogins);
 
-    public static string PersonalDataNavClass(ViewContext viewContext)
+    public static string? PersonalDataNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, PersonalData);
 
-    public static string TwoFactorAuthenticationNavClass(ViewContext viewContext)
+    public static string? TwoFactorAuthenticationNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, TwoFactorAuthentication);
 
-    public static string PatreonNavClass(ViewContext viewContext) => PageNavClass(viewContext, ManagePatreon);
-    public static string DeveloperNavClass(ViewContext viewContext) => PageNavClass(viewContext, Developer);
+    public static string? PatreonNavClass(ViewContext viewContext) => PageNavClass(viewContext, ManagePatreon);
+    public static string? DeveloperNavClass(ViewContext viewContext) => PageNavClass(viewContext, Developer);
 
-    private static string PageNavClass(ViewContext viewContext, string page)
+    private static string? PageNavClass(ViewContext viewContext, string page)
     {
         var activePage = viewContext.ViewData["ActivePage"] as string
                          ?? System.IO.Path.GetFileNameWithoutExtension(viewContext.ActionDescriptor.DisplayName);
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs
index 43ec0e6..029ada3 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
index 144d318..7e20a9d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+#nullable enable
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
index 1d0198a..52f0f82 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
@@ -1,4 +1,5 @@
-using System.ComponentModel;
+#nullable enable
+using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index fd25c85..189212d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
@@ -131,7 +132,7 @@ public async Task<IActionResult> OnPostDeleteSecretAsync(int client, int secret)
     }
 
     // Null return indicates everything good.
-    private async Task<IActionResult> GetAppAndVerifyAccess(int client)
+    private async Task<IActionResult?> GetAppAndVerifyAccess(int client)
     {
         var user = await _userManager.GetUserAsync(User);
         //App = await _dbContext.UserOAuthClients
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs
index e643136..4857b49 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.Net.Mime;
 using System.Threading;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs
index 539cc0d..a09e039 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs
index e28cbfb..696a112 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs
index e1ff308..a07a7be 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs
index ff3859a..d255d50 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
index bfe5e2f..208ce1b 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
@@ -82,7 +83,7 @@ public class InputModel
         public bool AgeCheck { get; set; }
     }
 
-    public async Task OnGetAsync(string returnUrl = null)
+    public async Task OnGetAsync(string? returnUrl = null)
     {
         ReturnUrl = returnUrl;
         ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
@@ -131,9 +132,9 @@ public async Task<IActionResult> OnPostAsync(string returnUrl = null)
         return Page();
     }
 
-    public async Task<string> GenerateEmailConfirmLink(
+    public async Task<string?> GenerateEmailConfirmLink(
         SpaceUser user,
-        string returnUrl = null)
+        string? returnUrl = null)
     {
         var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
         code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
diff --git a/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs
index 522cc53..9188646 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using Microsoft.AspNetCore.Authorization;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
@@ -25,7 +26,7 @@ public RegisterConfirmationModel(UserManager<SpaceUser> userManager, IEmailSende
 
     public string EmailConfirmationUrl { get; set; }
 
-    public async Task<IActionResult> OnGetAsync(string email, string returnUrl = null)
+    public async Task<IActionResult> OnGetAsync(string? email, string? returnUrl = null)
     {
         if (email == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs
index 37c201a..1dd0679 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Text;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs
index 0a7491a..ce4b539 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
@@ -49,7 +50,7 @@ public class InputModel
         public string Code { get; set; }
     }
 
-    public IActionResult OnGet(string code = null)
+    public IActionResult OnGet(string? code = null)
     {
         if (code == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs
index 6c6a23d..d9656d8 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs b/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
index 2bf0983..4c653d5 100644
--- a/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
+++ b/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
@@ -1,4 +1,5 @@
-namespace SS14.Web.Configuration;
+#nullable enable
+namespace SS14.Web.Configuration;
 
 public sealed class OpenIdCertificateConfiguration
 {
diff --git a/SS14.Web/Controllers/HomeController.cs b/SS14.Web/Controllers/HomeController.cs
index 8a66ac9..b163059 100644
--- a/SS14.Web/Controllers/HomeController.cs
+++ b/SS14.Web/Controllers/HomeController.cs
@@ -1,4 +1,5 @@
-using System.Diagnostics;
+#nullable enable
+using System.Diagnostics;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using SS14.Web.Models;
diff --git a/SS14.Web/Data/HubAuditLogManager.cs b/SS14.Web/Data/HubAuditLogManager.cs
index c300231..e4bdb3e 100644
--- a/SS14.Web/Data/HubAuditLogManager.cs
+++ b/SS14.Web/Data/HubAuditLogManager.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Security.Claims;
 using System.Text.Json;
 using Microsoft.AspNetCore.Authentication;
diff --git a/SS14.Web/Extensions/AsyncEnumerableExtension.cs b/SS14.Web/Extensions/AsyncEnumerableExtension.cs
new file mode 100644
index 0000000..e2ac7e2
--- /dev/null
+++ b/SS14.Web/Extensions/AsyncEnumerableExtension.cs
@@ -0,0 +1,21 @@
+#nullable enable
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace SS14.Web.Extensions;
+
+public static class AsyncEnumerableExtension
+{
+    public static async ValueTask<List<T>> ToListAsync<T>(this IAsyncEnumerable<T> enumerable, CancellationToken ct = default)
+    {
+        var source = enumerable.WithCancellation(ct);
+        List<T> list = [];
+        await foreach (var item in source)
+        {
+            list.Add(item);
+        }
+
+        return list;
+    }
+}
diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/Extensions/OpenIdExtension.cs
index 755efc4..b12bbf7 100644
--- a/SS14.Web/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/Extensions/OpenIdExtension.cs
@@ -1,15 +1,14 @@
-using System;
-using System.Configuration;
+#nullable enable
+using System;
 using System.IO;
-using System.Security.Cryptography;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
-using Microsoft.Extensions.Logging;
-using Serilog;
+using SS14.Auth.Shared.Data;
 using SS14.ServerHub.Shared.Data;
 using SS14.Web.Configuration;
+using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 namespace SS14.Web.Extensions;
 
@@ -18,7 +17,11 @@ public static class OpenIdExtension
     public static void AddOpenIdConnect(this WebApplicationBuilder builder)
     {
         var openId = builder.Services.AddOpenIddict();
-        openId.AddCore(options => options.UseEntityFrameworkCore().UseDbContext<HubDbContext>());
+        openId.AddCore(options =>
+        {
+            options.UseEntityFrameworkCore().UseDbContext<HubDbContext>()
+                .ReplaceDefaultEntities<SpaceApplication, DefaultAuthorization, DefaultScope, DefaultToken, string>();
+        });
 
         openId.AddValidation().UseLocalServer();
         openId.AddValidation().UseAspNetCore();
diff --git a/SS14.Web/Extensions/PatreonExtension.cs b/SS14.Web/Extensions/PatreonExtension.cs
index 0fa0c4c..c1b2de9 100644
--- a/SS14.Web/Extensions/PatreonExtension.cs
+++ b/SS14.Web/Extensions/PatreonExtension.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Builder;
+#nullable enable
+using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using SS14.Auth.Shared.Config;
diff --git a/SS14.Web/HCaptcha/HCaptchaOptions.cs b/SS14.Web/HCaptcha/HCaptchaOptions.cs
index 60ea920..f7f3c09 100644
--- a/SS14.Web/HCaptcha/HCaptchaOptions.cs
+++ b/SS14.Web/HCaptcha/HCaptchaOptions.cs
@@ -1,4 +1,5 @@
-namespace SS14.Web.HCaptcha;
+#nullable enable
+namespace SS14.Web.HCaptcha;
 
 public sealed class HCaptchaOptions
 {
diff --git a/SS14.Web/HCaptcha/HCaptchaService.cs b/SS14.Web/HCaptcha/HCaptchaService.cs
index 6f39209..00c7bf2 100644
--- a/SS14.Web/HCaptcha/HCaptchaService.cs
+++ b/SS14.Web/HCaptcha/HCaptchaService.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Net.Http;
 using System.Net.Http.Json;
diff --git a/SS14.Web/Helpers/CollectionHelper.cs b/SS14.Web/Helpers/CollectionHelper.cs
index 51c67ff..bd532c2 100644
--- a/SS14.Web/Helpers/CollectionHelper.cs
+++ b/SS14.Web/Helpers/CollectionHelper.cs
@@ -1,4 +1,5 @@
-using System.Collections.Generic;
+#nullable enable
+using System.Collections.Generic;
 
 namespace SS14.Web.Helpers;
 
diff --git a/SS14.Web/Helpers/DestinationHelper.cs b/SS14.Web/Helpers/DestinationHelper.cs
new file mode 100644
index 0000000..b5cd9e2
--- /dev/null
+++ b/SS14.Web/Helpers/DestinationHelper.cs
@@ -0,0 +1,45 @@
+#nullable enable
+using System.Collections.Generic;
+using System.Security.Claims;
+using OpenIddict.Abstractions;
+
+namespace SS14.Web.Helpers;
+
+public static class DestinationHelper
+{
+    /// <summary>
+    /// Yield the access token destination and additionally the identity token destination
+    /// if the given scope is present in the claim
+    /// </summary>
+    /// <param name="claim">The claim to return destinations for</param>
+    /// <param name="scope">The scope to use for checking if identity destination should be returned</param>
+    /// <returns>Destinations.AccessToken and optionally the Destinations.IdentityToken</returns>
+    public static IEnumerable<string> Destination(Claim claim, string scope)
+    {
+        yield return OpenIddictConstants.Destinations.AccessToken;
+
+        if (claim.Subject!.HasScope(scope))
+            yield return OpenIddictConstants.Destinations.IdentityToken;
+    }
+
+    /// <summary>
+    /// Yields the given destination
+    /// </summary>
+    /// <param name="destination">The destination to yield</param>
+    /// <returns>The given destination</returns>
+    /// <remarks>This is useful in a switch for determining the destinations of a claim</remarks>
+    public static IEnumerable<string> Destination(string destination)
+    {
+        yield return destination;
+    }
+
+    /// <summary>
+    /// Completely skips a claim by yielding nothing
+    /// </summary>
+    /// <returns>Nothing</returns>
+    /// <remarks>This is useful in a switch for determining the destinations of a claim</remarks>
+    public static IEnumerable<string> Destination()
+    {
+        yield break;
+    }
+}
diff --git a/SS14.Web/Helpers/FormHiddenRoutes.cs b/SS14.Web/Helpers/FormHiddenRoutes.cs
index abf58b7..3df5c04 100644
--- a/SS14.Web/Helpers/FormHiddenRoutes.cs
+++ b/SS14.Web/Helpers/FormHiddenRoutes.cs
@@ -1,4 +1,5 @@
-using System.Collections.Generic;
+#nullable enable
+using System.Collections.Generic;
 using System.Linq;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
diff --git a/SS14.Web/Helpers/MustBeTrueAttribute.cs b/SS14.Web/Helpers/MustBeTrueAttribute.cs
index 27edee1..71d1a60 100644
--- a/SS14.Web/Helpers/MustBeTrueAttribute.cs
+++ b/SS14.Web/Helpers/MustBeTrueAttribute.cs
@@ -1,10 +1,11 @@
+#nullable enable
 using System.ComponentModel.DataAnnotations;
 
 namespace SS14.Web.Helpers;
 
 public class MustBeTrueAttribute : ValidationAttribute
 {
-    public override bool IsValid(object value)
+    public override bool IsValid(object? value)
     {
         return value is bool b && b;
     }
diff --git a/SS14.Web/Helpers/PaginatedList.cs b/SS14.Web/Helpers/PaginatedList.cs
index 5fe7649..ba94020 100644
--- a/SS14.Web/Helpers/PaginatedList.cs
+++ b/SS14.Web/Helpers/PaginatedList.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Helpers/PaginationState.cs b/SS14.Web/Helpers/PaginationState.cs
index cc71b73..3f580d3 100644
--- a/SS14.Web/Helpers/PaginationState.cs
+++ b/SS14.Web/Helpers/PaginationState.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.Globalization;
diff --git a/SS14.Web/Helpers/SearchHelper.cs b/SS14.Web/Helpers/SearchHelper.cs
index df17f17..d75f431 100644
--- a/SS14.Web/Helpers/SearchHelper.cs
+++ b/SS14.Web/Helpers/SearchHelper.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Linq.Expressions;
 
 namespace SS14.Web.Helpers;
diff --git a/SS14.Web/Helpers/SortState.cs b/SS14.Web/Helpers/SortState.cs
index a57cc95..c0bd971 100644
--- a/SS14.Web/Helpers/SortState.cs
+++ b/SS14.Web/Helpers/SortState.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.Linq;
diff --git a/SS14.Web/Models/ErrorViewModel.cs b/SS14.Web/Models/ErrorViewModel.cs
index ff229f5..5570672 100644
--- a/SS14.Web/Models/ErrorViewModel.cs
+++ b/SS14.Web/Models/ErrorViewModel.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 
 namespace SS14.Web.Models;
diff --git a/SS14.Web/Models/Types/AuthenticationValidationFailure.cs b/SS14.Web/Models/Types/AuthenticationValidationFailure.cs
new file mode 100644
index 0000000..3c61cff
--- /dev/null
+++ b/SS14.Web/Models/Types/AuthenticationValidationFailure.cs
@@ -0,0 +1,16 @@
+#nullable enable
+using Microsoft.AspNetCore.Authentication;
+using OpenIddict.Abstractions;
+
+namespace SS14.Web.Models.Types;
+
+public record AuthenticationValidationFailure(
+    string? Error = null,
+    bool IsChallenge = false,
+    AuthenticationProperties? Properties = null)
+{
+    public static AuthenticationValidationFailure LoginRequired => new(Error: OpenIddictConstants.Errors.LoginRequired);
+
+    public static AuthenticationValidationFailure Challenge (AuthenticationProperties properties) =>
+        new(IsChallenge: true, Properties: properties);
+};
diff --git a/SS14.Web/Models/Types/AuthorizationResult.cs b/SS14.Web/Models/Types/AuthorizationResult.cs
new file mode 100644
index 0000000..6423073
--- /dev/null
+++ b/SS14.Web/Models/Types/AuthorizationResult.cs
@@ -0,0 +1,41 @@
+#nullable enable
+using System.Collections.Immutable;
+using System.Security.Claims;
+using OpenIddict.EntityFrameworkCore.Models;
+using SS14.Auth.Shared.Data;
+
+namespace SS14.Web.Models.Types;
+
+public record AuthorizationResult(
+    AuthorizationResult.ResultType Type,
+    SpaceApplication? Application,
+    string? ErrorName,
+    ImmutableArray<string>? Scopes,
+    ClaimsPrincipal? Principal)
+{
+    public static AuthorizationResult SignIn(ClaimsPrincipal principal) =>
+        new(ResultType.SignIn, null, null, null, principal);
+
+    public static AuthorizationResult Forbidden(SpaceApplication app, string error)
+    {
+        return new AuthorizationResult(ResultType.Forbidden, app, error, null, null);
+    }
+
+    public static AuthorizationResult Consent(SpaceApplication app, ImmutableArray<string> scopes)
+    {
+        return new AuthorizationResult(ResultType.Consent, app, null, scopes, null);
+    }
+
+    public static AuthorizationResult Error(SpaceApplication? app, string error)
+    {
+        return new AuthorizationResult(ResultType.Error, app, error, null, null);
+    }
+
+    public enum ResultType
+    {
+        SignIn,
+        Forbidden,
+        Consent,
+        Error,
+    }
+}
diff --git a/SS14.Web/Models/Types/ConsentResult.cs b/SS14.Web/Models/Types/ConsentResult.cs
new file mode 100644
index 0000000..99429ee
--- /dev/null
+++ b/SS14.Web/Models/Types/ConsentResult.cs
@@ -0,0 +1,18 @@
+#nullable enable
+using System.Security.Claims;
+
+namespace SS14.Web.Models.Types;
+
+public record ConsentResult(ConsentResult.ResultType Type, string? ErrorName, ClaimsPrincipal? Principal)
+{
+    public static ConsentResult Error(string error) => new(ResultType.Error, error, null);
+    public static ConsentResult Forbid(string error) => new(ResultType.Forbid, error, null);
+    public static ConsentResult SignIn(ClaimsPrincipal principal) => new(ResultType.SignIn, null, principal);
+
+    public enum ResultType
+    {
+        Error,
+        Forbid,
+        SignIn
+    }
+}
diff --git a/SS14.Web/Models/Types/Result.cs b/SS14.Web/Models/Types/Result.cs
new file mode 100644
index 0000000..fe746b7
--- /dev/null
+++ b/SS14.Web/Models/Types/Result.cs
@@ -0,0 +1,38 @@
+#nullable enable
+using System.Diagnostics.CodeAnalysis;
+using JetBrains.Annotations;
+
+namespace SS14.Web.Models.Types;
+
+public record Result<TResult, TError>(TResult? Value, TError? Error) where TResult : class where TError : class
+{
+    [PublicAPI]
+    [MemberNotNullWhen(false, nameof(Error))]
+    [MemberNotNullWhen(true, nameof(Value))]
+    public bool IsSuccess => Error == null;
+
+    public bool TryGetResult([NotNullWhen(true)] out TResult? result)
+    {
+        result = Value;
+        return IsSuccess;
+    }
+
+    public static Result<TResult, TError> Success(TResult value)
+    {
+        return new Result<TResult, TError>(value, null);
+    }
+
+    public static Result<TResult, TError> Failure(TError error)
+    {
+        return new Result<TResult, TError>(null, error);
+    }
+}
+
+/// <summary>
+/// Used to signify that a result does not return any data, but was successful.
+/// </summary>
+public sealed record Void
+{
+    [PublicAPI]
+    public static Void Nothing = new Void();
+}
diff --git a/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs b/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs
index 251b270..e606c66 100644
--- a/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs
+++ b/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System;
 using SS14.Web.Helpers;
 
diff --git a/SS14.Web/PatreonConnectionHandler.cs b/SS14.Web/PatreonConnectionHandler.cs
index 33f521c..97c1e83 100644
--- a/SS14.Web/PatreonConnectionHandler.cs
+++ b/SS14.Web/PatreonConnectionHandler.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
 using System.Linq;
@@ -40,7 +41,7 @@ public Task HookCreatingTicket(OAuthCreatingTicketContext context)
     {
         // Add current tier to the principal, rest is handle in Received.
 
-        var identity = (ClaimsIdentity) context.Principal!.Identity;
+        var identity = (ClaimsIdentity?) context.Principal!.Identity;
 
         // AFAICT you shouldn't be able to have multiple tiers with our current patreon setup so...
         var tier = ParseTiers(context.User)
diff --git a/SS14.Web/PersonalDataCollector.cs b/SS14.Web/PersonalDataCollector.cs
index 52067d8..6543b13 100644
--- a/SS14.Web/PersonalDataCollector.cs
+++ b/SS14.Web/PersonalDataCollector.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.IO;
 using System.IO.Compression;
 using System.Linq;
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index 57416cc..745875d 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
diff --git a/SS14.Web/Properties/AssemblyInfo.cs b/SS14.Web/Properties/AssemblyInfo.cs
index a4a4978..eb8f38d 100644
--- a/SS14.Web/Properties/AssemblyInfo.cs
+++ b/SS14.Web/Properties/AssemblyInfo.cs
@@ -1,3 +1,4 @@
+#nullable enable
 using System.Runtime.CompilerServices;
 
 [assembly: InternalsVisibleTo("SS14.Web.Tests")]
\ No newline at end of file
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 73a77bd..bfbbf5e 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -3,6 +3,7 @@
     <PropertyGroup>
         <TargetFramework>net9.0</TargetFramework>
         <LangVersion>12</LangVersion>
+        <Nullable>true</Nullable>
     </PropertyGroup>
 
     <ItemGroup>
diff --git a/SS14.Web/Services/IdentityClaimsProvider.cs b/SS14.Web/Services/IdentityClaimsProvider.cs
new file mode 100644
index 0000000..b26efcd
--- /dev/null
+++ b/SS14.Web/Services/IdentityClaimsProvider.cs
@@ -0,0 +1,68 @@
+#nullable enable
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
+using OpenIddict.Abstractions;
+using SS14.Auth.Shared.Data;
+using SS14.Web.Helpers;
+using Claims = OpenIddict.Abstractions.OpenIddictConstants.Claims;
+
+namespace SS14.Web.Services;
+
+public class IdentityClaimsProvider
+{
+    private readonly UserManager<SpaceUser> _userManager;
+
+    public IdentityClaimsProvider(UserManager<SpaceUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    /// <summary>
+    /// Provides claims for the specified identity.
+    /// </summary>
+    /// <param name="userId"></param>
+    /// <param name="scopes"></param>
+    /// <param name="identity">The identity for which claims are to be provided.</param>
+    /// <returns>A task representing the asynchronous operation.</returns>
+    public async Task ProvideClaimsAsync(string userId, ImmutableArray<string> scopes, ClaimsIdentity identity)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+            return;
+
+        var username = await _userManager.GetUserNameAsync(user) ?? "";
+
+        identity.AddClaim(new Claim(Claims.Subject, await _userManager.GetUserIdAsync(user)));
+
+        if (scopes.Contains(OpenIddictConstants.Scopes.Profile))
+        {
+            identity.AddClaim(new Claim(Claims.Name, username));
+            identity.AddClaim(new Claim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user) ?? username));
+        }
+
+        if (scopes.Contains(OpenIddictConstants.Scopes.Email))
+            identity.AddClaim(new Claim(Claims.Email, await _userManager.GetEmailAsync(user) ?? ""));
+
+        if (scopes.Contains(OpenIddictConstants.Scopes.Roles))
+            identity.AddClaims(Claims.Role, ImmutableArray.Create([.. await _userManager.GetRolesAsync(user)]));
+    }
+
+    /// <summary>
+    /// TODO: Document
+    ///
+    /// </summary>
+    /// <param name="claim"></param>
+    /// <returns></returns>
+    public IEnumerable<string> GetDestinations(Claim claim)  => claim.Type switch
+    {
+        Claims.Name or Claims.PreferredUsername => DestinationHelper.Destination(claim, OpenIddictConstants.Scopes.Profile),
+        Claims.Email => DestinationHelper.Destination(claim, OpenIddictConstants.Scopes.Email),
+        Claims.Role => DestinationHelper.Destination(claim, OpenIddictConstants.Scopes.Roles),
+        Claims.Address => DestinationHelper.Destination(claim, OpenIddictConstants.Scopes.Address),
+        "AspNet.Identity.SecurityStamp" => DestinationHelper.Destination(),
+        _ => DestinationHelper.Destination(OpenIddictConstants.Destinations.AccessToken)
+    };
+}
diff --git a/SS14.Web/Services/OpenIdActionService.cs b/SS14.Web/Services/OpenIdActionService.cs
new file mode 100644
index 0000000..a25109b
--- /dev/null
+++ b/SS14.Web/Services/OpenIdActionService.cs
@@ -0,0 +1,196 @@
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Tokens;
+using OpenIddict.Abstractions;
+using OpenIddict.Core;
+using OpenIddict.EntityFrameworkCore.Models;
+using SS14.Auth.Shared.Data;
+using SS14.Web.Extensions;
+using SS14.Web.Models.Types;
+using static OpenIddict.Abstractions.OpenIddictConstants;
+using Void = SS14.Web.Models.Types.Void;
+
+namespace SS14.Web.Services;
+
+public class OpenIdActionService
+{
+    public const string ApplicationNotFoundError = "application_not_found";
+    private const string IgnoreChallengeKey = "IgnoreAuthenticationChallenge";
+
+    private readonly SignedInIdentityService _signedInIdentity;
+    private readonly IdentityClaimsProvider _claimsProvider;
+    private readonly IOpenIddictScopeManager _scopeManager;
+    private readonly IOpenIddictAuthorizationManager _authorizationManager;
+    private readonly OpenIddictApplicationManager<SpaceApplication> _applicationManager;
+    private readonly ILogger<OpenIdActionService> _logger;
+
+    public OpenIdActionService(SignedInIdentityService signedInIdentity,
+        IdentityClaimsProvider claimsProvider,
+        OpenIddictApplicationManager<SpaceApplication> applicationManager,
+        IOpenIddictAuthorizationManager authorizationManager,
+        ILogger<OpenIdActionService> logger,
+        IOpenIddictScopeManager scopeManager)
+    {
+        _signedInIdentity = signedInIdentity;
+        _claimsProvider = claimsProvider;
+        _applicationManager = applicationManager;
+        _authorizationManager = authorizationManager;
+        _logger = logger;
+        _scopeManager = scopeManager;
+    }
+
+    public Result<Void, AuthenticationValidationFailure> ValidateOpenIdAuthentication(HttpContext context, AuthenticateResult auth, OpenIddictRequest request)
+    {
+        if (auth.Succeeded)
+            return Result<Void, AuthenticationValidationFailure>.Success(Void.Nothing);
+
+        var ignoreChallenge = context.Session.GetString(IgnoreChallengeKey);
+
+        if (auth.Succeeded
+            && !request.HasPromptValue(PromptValues.Login)
+            && request.MaxAge is not 0
+            && (request.MaxAge is null || auth.Properties?.IssuedUtc is null || TimeProvider.System.GetUtcNow() - auth.Properties.IssuedUtc < TimeSpan.FromSeconds(request.MaxAge.Value))
+            && ignoreChallenge is null or "false")
+        {
+            return Result<Void, AuthenticationValidationFailure>.Success(Void.Nothing);
+        }
+
+        if (request.HasPromptValue(PromptValues.None))
+            return Result<Void, AuthenticationValidationFailure>.Failure(AuthenticationValidationFailure.LoginRequired);
+
+        context.Session.SetString(IgnoreChallengeKey, "true");
+        var properties = new AuthenticationProperties
+        {
+            RedirectUri = context.Request.PathBase + context.Request.Path + QueryString.Create(
+                context.Request.HasFormContentType ? context.Request.Form : context.Request.Query)
+        };
+
+        return Result<Void, AuthenticationValidationFailure>.Failure(AuthenticationValidationFailure.Challenge(properties));
+    }
+
+    public async Task<AuthorizationResult> AuthorizeActionAsync(OpenIddictRequest request, ImmutableArray<string> scopes)
+    {
+        var application = await _applicationManager.FindByClientIdAsync(request.ClientId!);
+        if (application is null)
+            return AuthorizationResult.Error(null,  ApplicationNotFoundError);
+
+        if (!await _signedInIdentity.IsAvailableAsync())
+        {
+            _logger.LogWarning("Signed in user is not available.");
+            return AuthorizationResult.Forbidden(application, Errors.AccessDenied);
+        }
+
+        var authorizations = new List<object>();
+
+        // Ensure the user will be prompted if a prompt was requested later in the switch statement below
+        if (!request.HasPromptValue(PromptValues.Consent))
+        {
+            authorizations = await _authorizationManager.FindAsync(
+                subject: await _signedInIdentity.GetUserIdAsync(),
+                client: await _applicationManager.GetIdAsync(application),
+                status: Statuses.Valid,
+                type: AuthorizationTypes.Permanent,
+                scopes: scopes
+            ).ToListAsync();
+        }
+
+        return await _applicationManager.GetConsentTypeAsync(application) switch
+        {
+            ConsentTypes.External when authorizations.Count is 0 =>
+               AuthorizationResult.Forbidden(application,  Errors.AccessDenied),
+
+            ConsentTypes.Implicit or ConsentTypes.External when authorizations.Count is not 0 =>
+                await HandleSignIn(request, application, authorizations),
+
+            ConsentTypes.Explicit or ConsentTypes.Systematic when request.HasPromptValue(PromptValues.None) =>
+                AuthorizationResult.Forbidden(application,  Errors.ConsentRequired),
+
+            _ => AuthorizationResult.Consent(application, scopes),
+        };
+    }
+
+    public async Task<ConsentResult> AcceptActionAsync(OpenIddictRequest request, ImmutableArray<string> scopes)
+    {
+        var application = await _applicationManager.FindByClientIdAsync(request.ClientId!);
+        if (application is null)
+            return ConsentResult.Error(ApplicationNotFoundError);
+
+        if (!await _signedInIdentity.IsAvailableAsync())
+        {
+            _logger.LogWarning("Signed in user is not available.");
+            return ConsentResult.Forbid(Errors.AccessDenied);
+        }
+
+        var userId = await _signedInIdentity.GetUserIdAsync();
+        var authorizations = await _authorizationManager.FindAsync(
+            subject: userId,
+            client: await _applicationManager.GetIdAsync(application),
+            status: Statuses.Valid,
+            type: AuthorizationTypes.Permanent,
+            scopes: scopes
+        ).ToListAsync();
+
+        if (authorizations.Count is 0 && await _applicationManager.HasConsentTypeAsync(application, ConsentTypes.External))
+            return ConsentResult.Forbid(Errors.AccessDenied);
+
+        var principal = await CreateAuthorizedPrincipal(
+            userId!,
+            application,
+            authorizations,
+            scopes,
+            _claimsProvider.GetDestinations);
+
+        return ConsentResult.SignIn(principal);
+    }
+
+    private async Task<AuthorizationResult> HandleSignIn(
+        OpenIddictRequest request,
+        SpaceApplication application,
+        List<object> authorizations)
+    {
+        var scopes = request.GetScopes();
+        var userId = await _signedInIdentity.GetUserIdAsync();
+        var identity = await CreateAuthorizedPrincipal(userId!, application, authorizations, scopes, _claimsProvider.GetDestinations);
+
+        return AuthorizationResult.SignIn(identity);
+    }
+
+    private async Task<ClaimsPrincipal> CreateAuthorizedPrincipal(
+        string userId,
+        SpaceApplication application,
+        List<object> authorizations,
+        ImmutableArray<string> scopes,
+        Func<Claim, IEnumerable<string>> destinationsSelector)
+    {
+        var identity = new ClaimsIdentity(
+            authenticationType: TokenValidationParameters.DefaultAuthenticationType,
+            nameType: Claims.Name,
+            roleType: Claims.Role);
+
+        await _claimsProvider.ProvideClaimsAsync(userId, scopes, identity);
+
+        identity.SetScopes(scopes);
+        identity.SetResources(await _scopeManager.ListResourcesAsync(identity.GetScopes()).ToListAsync());
+
+        var authorization = authorizations.LastOrDefault();
+        authorization ??= await _authorizationManager.CreateAsync(
+            identity: identity,
+            subject: userId,
+            client: (await _applicationManager.GetIdAsync(application))!,
+            type: AuthorizationTypes.Permanent,
+            scopes: identity.GetScopes()
+        );
+
+        identity.SetAuthorizationId(await _authorizationManager.GetIdAsync(authorization));
+        identity.SetDestinations(destinationsSelector);
+        return new ClaimsPrincipal(identity);
+    }
+}
diff --git a/SS14.Web/Services/SignedInIdentityService.cs b/SS14.Web/Services/SignedInIdentityService.cs
new file mode 100644
index 0000000..f982b2f
--- /dev/null
+++ b/SS14.Web/Services/SignedInIdentityService.cs
@@ -0,0 +1,43 @@
+#nullable enable
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Identity;
+using SS14.Auth.Shared.Data;
+
+namespace SS14.Web.Services;
+
+public class SignedInIdentityService
+{
+    private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly UserManager<SpaceUser> _userManager;
+    private readonly SignInManager<SpaceUser> _signInManager;
+
+    public SignedInIdentityService(IHttpContextAccessor httpContextAccessor, UserManager<SpaceUser> userManager, SignInManager<SpaceUser> signInManager)
+    {
+        _httpContextAccessor = httpContextAccessor;
+        _userManager = userManager;
+        _signInManager = signInManager;
+    }
+
+    public async Task<bool> IsAvailableAsync()
+    {
+        if (_httpContextAccessor.HttpContext is not { } context)
+            return false;
+
+        var result = await context.AuthenticateAsync();
+        return result.Succeeded;
+    }
+
+    public async Task<string?> GetUserIdAsync()
+    {
+        if (_httpContextAccessor.HttpContext is not { } context)
+            return null;
+
+        var user = await _userManager.GetUserAsync(context.User);
+        if (user is null)
+            return null;
+
+        return await _userManager.GetUserIdAsync(user);
+    }
+}

From 20a01addabc74065a0362f139ce524715d9bfbf6 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Tue, 12 Aug 2025 00:07:44 +0200
Subject: [PATCH 08/43] Revert "migrate to nullable"

This reverts commit 7b0520a9f95fc67b04458a77b6a69b0943ed9283.
---
 SS14.Web/AccountOptions.cs                    |  3 +--
 .../Admin/Pages/Clients/Client.cshtml.cs      |  3 +--
 .../Pages/Clients/ConfirmDelete.cshtml.cs     |  3 +--
 .../Areas/Admin/Pages/Clients/Index.cshtml.cs |  3 +--
 SS14.Web/Areas/Admin/Pages/Index.cshtml.cs    |  3 +--
 .../Admin/Pages/Servers/AuditLog.cshtml.cs    |  3 +--
 .../Communities/ConfirmDelete.cshtml.cs       |  3 +--
 .../Pages/Servers/Communities/Index.cshtml.cs |  3 +--
 .../Pages/Servers/Communities/View.cshtml.cs  |  3 +--
 .../Areas/Admin/Pages/Servers/Index.cshtml.cs |  3 +--
 .../Admin/Pages/Servers/ListActive.cshtml.cs  |  3 +--
 .../Admin/Pages/Servers/ListNames.cshtml.cs   |  3 +--
 .../Admin/Pages/Servers/Server.cshtml.cs      |  6 ++---
 .../Pages/Servers/TestInfoMatch.cshtml.cs     |  5 ++--
 .../Pages/Users/ConfirmClearTfa.cshtml.cs     |  3 +--
 .../Admin/Pages/Users/ConfirmDelete.cshtml.cs |  3 +--
 .../Pages/Users/CreateReserved.cshtml.cs      |  3 +--
 .../Admin/Pages/Users/EditPassword.cshtml.cs  |  1 -
 .../Areas/Admin/Pages/Users/Index.cshtml.cs   |  5 ++--
 .../Admin/Pages/Users/ViewUser.cshtml.cs      |  3 +--
 .../Areas/Identity/IdentityHostingStartup.cs  |  1 -
 .../Pages/Account/AccessDenied.cshtml.cs      |  1 -
 .../Pages/Account/AdminLocked.cshtml.cs       |  1 -
 .../Pages/Account/ConfirmEmail.cshtml.cs      |  3 +--
 .../Account/ConfirmEmailChange.cshtml.cs      |  3 +--
 .../Pages/Account/ExternalLogin.cshtml.cs     |  5 ++--
 .../Pages/Account/ForgotPassword.cshtml.cs    |  1 -
 .../ForgotPasswordConfirmation.cshtml.cs      |  1 -
 .../Identity/Pages/Account/Lockout.cshtml.cs  |  1 -
 .../Identity/Pages/Account/Login.cshtml.cs    |  1 -
 .../Pages/Account/LoginWith2fa.cshtml.cs      |  3 +--
 .../Account/LoginWithRecoveryCode.cshtml.cs   |  5 ++--
 .../Identity/Pages/Account/Logout.cshtml.cs   |  3 +--
 .../Account/Manage/ChangePassword.cshtml.cs   |  1 -
 .../Manage/DeletePersonalData.cshtml.cs       |  1 -
 .../Pages/Account/Manage/Developer.cshtml.cs  |  3 +--
 .../Pages/Account/Manage/Disable2fa.cshtml.cs |  1 -
 .../Pages/Account/Manage/Email.cshtml.cs      |  1 -
 .../Manage/EnableAuthenticator.cshtml.cs      |  1 -
 .../Account/Manage/ExternalLogins.cshtml.cs   |  1 -
 .../Manage/GenerateRecoveryCodes.cshtml.cs    |  1 -
 .../Pages/Account/Manage/Index.cshtml.cs      |  1 -
 .../Pages/Account/Manage/ManageNavPages.cs    | 23 +++++++++----------
 .../Account/Manage/ManagePatreon.cshtml.cs    |  3 +--
 .../Manage/OAuthApps/ConfirmDelete.cshtml.cs  |  3 +--
 .../Account/Manage/OAuthApps/Create.cshtml.cs |  3 +--
 .../Account/Manage/OAuthApps/Manage.cshtml.cs |  5 ++--
 .../Account/Manage/PersonalData.cshtml.cs     |  1 -
 .../Manage/ResetAuthenticator.cshtml.cs       |  1 -
 .../Account/Manage/SetPassword.cshtml.cs      |  1 -
 .../Manage/ShowRecoveryCodes.cshtml.cs        |  1 -
 .../Manage/TwoFactorAuthentication.cshtml.cs  |  1 -
 .../Identity/Pages/Account/Register.cshtml.cs |  7 +++---
 .../Account/RegisterConfirmation.cshtml.cs    |  3 +--
 .../Account/ResendEmailConfirmation.cshtml.cs |  1 -
 .../Pages/Account/ResetPassword.cshtml.cs     |  3 +--
 .../ResetPasswordConfirmation.cshtml.cs       |  1 -
 .../OpenIdCertificateConfiguration.cs         |  3 +--
 SS14.Web/Controllers/HomeController.cs        |  3 +--
 SS14.Web/Data/HubAuditLogManager.cs           |  3 +--
 SS14.Web/Extensions/PatreonExtension.cs       |  3 +--
 SS14.Web/HCaptcha/HCaptchaOptions.cs          |  3 +--
 SS14.Web/HCaptcha/HCaptchaService.cs          |  3 +--
 SS14.Web/Helpers/CollectionHelper.cs          |  3 +--
 SS14.Web/Helpers/FormHiddenRoutes.cs          |  3 +--
 SS14.Web/Helpers/MustBeTrueAttribute.cs       |  3 +--
 SS14.Web/Helpers/PaginatedList.cs             |  3 +--
 SS14.Web/Helpers/PaginationState.cs           |  3 +--
 SS14.Web/Helpers/SearchHelper.cs              |  3 +--
 SS14.Web/Helpers/SortState.cs                 |  3 +--
 SS14.Web/Models/ErrorViewModel.cs             |  1 -
 SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs |  1 -
 SS14.Web/PatreonConnectionHandler.cs          |  5 ++--
 SS14.Web/PersonalDataCollector.cs             |  3 +--
 SS14.Web/Properties/AssemblyInfo.cs           |  1 -
 75 files changed, 69 insertions(+), 143 deletions(-)

diff --git a/SS14.Web/AccountOptions.cs b/SS14.Web/AccountOptions.cs
index afdfb49..5a6f589 100644
--- a/SS14.Web/AccountOptions.cs
+++ b/SS14.Web/AccountOptions.cs
@@ -1,5 +1,4 @@
-#nullable enable
-namespace SS14.Web;
+namespace SS14.Web;
 
 public sealed class AccountOptions
 {
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
index dd1431b..25f79a5 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using SS14.Auth.Shared.Data;
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
index baeed42..9c904a1 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
index e2debae..5235a3d 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using SS14.Auth.Shared.Data;
diff --git a/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs
index f126493..24402f1 100644
--- a/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Index.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace SS14.Web.Areas.Admin.Pages;
 
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs
index c96292e..eb30aef 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/AuditLog.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs
index 7740571..2f12449 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Communities/ConfirmDelete.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Linq;
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs
index a270c2d..36bcd98 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Communities/Index.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Linq.Expressions;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs
index ba9c18a..4e66855 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Communities/View.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs
index 2e11fee..018739e 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Index.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace SS14.Web.Areas.Admin.Pages.Servers;
 
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs
index 022488f..c4b62f0 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/ListActive.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text.Json;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs
index 4098ef1..0d04bfe 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/ListNames.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs
index 4cdb5f8..d70fb44 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/Server.cshtml.cs
@@ -1,10 +1,10 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Text.Json;
 using System.Threading.Tasks;
+using JetBrains.Annotations;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
@@ -21,7 +21,7 @@ public class Server : PageModel
 
     public int ServerId { get; private set; }
     public string Address { get; private set; } = "";
-    public IPAddress? AdvertiserAddress { get; private set; }
+    [CanBeNull] public IPAddress AdvertiserAddress { get; private set; }
     public ServerStatusData Status { get; private set; }
     public ServerInfoData Info { get; private set; }
     public bool Online { get; private set; }
diff --git a/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs
index e38adee..52b0f58 100644
--- a/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Servers/TestInfoMatch.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
@@ -27,7 +26,7 @@ public TestInfoMatch(HubDbContext dbContext)
         _dbContext = dbContext;
     }
 
-    public async Task OnGetAsync(string? path, InfoMatchField field)
+    public async Task OnGetAsync(string path, InfoMatchField field)
     {
         CurrentPath = path;
         CurrentField = field;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs
index 1c96fed..a83fab9 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/ConfirmClearTfa.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs
index bf41de6..8802949 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/ConfirmDelete.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs
index 31ff282..a98afb0 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/CreateReserved.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Buffers.Text;
 using System.ComponentModel.DataAnnotations;
 using System.Security.Cryptography;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs
index a345dd6..ab9d371 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/EditPassword.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs
index 9419a9f..e4fac0c 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/Index.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Linq;
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc.RazorPages;
@@ -29,7 +28,7 @@ public Index(UserManager<SpaceUser> userManager)
     }
 
     public async Task OnGetAsync(
-        string? sortOrder,
+        string sortOrder,
         string currentFilter,
         string searchString,
         int? pageIndex)
diff --git a/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs
index c6a9d11..e567821 100644
--- a/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Users/ViewUser.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.ComponentModel.DataAnnotations;
 using System.Net.Mime;
 using System.Text;
diff --git a/SS14.Web/Areas/Identity/IdentityHostingStartup.cs b/SS14.Web/Areas/Identity/IdentityHostingStartup.cs
index 8ce883a..c6a6fbf 100644
--- a/SS14.Web/Areas/Identity/IdentityHostingStartup.cs
+++ b/SS14.Web/Areas/Identity/IdentityHostingStartup.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs
index 3ad719f..df42ee7 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/AccessDenied.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs
index 45b36b9..31a6145 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/AdminLocked.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs
index 6c18576..c321c96 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmail.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
@@ -26,7 +25,7 @@ public ConfirmEmailModel(SpaceUserManager userManager, ApplicationDbContext dbCo
     [TempData]
     public string StatusMessage { get; set; }
 
-    public async Task<IActionResult> OnGetAsync(string? userId, string code)
+    public async Task<IActionResult> OnGetAsync(string userId, string code)
     {
         if (userId == null || code == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs
index c893932..ef361a8 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ConfirmEmailChange.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -36,7 +35,7 @@ public ConfirmEmailChangeModel(
     [TempData]
     public string StatusMessage { get; set; }
 
-    public async Task<IActionResult> OnGetAsync(string? userId, string? email, string code)
+    public async Task<IActionResult> OnGetAsync(string userId, string email, string code)
     {
         if (userId == null || email == null || code == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs
index 9c06b1b..50299b1 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Security.Claims;
 using System.Text;
@@ -58,7 +57,7 @@ public IActionResult OnGetAsync()
         return RedirectToPage("./Login");
     }
 
-    public IActionResult OnPost(string provider, string? returnUrl = null)
+    public IActionResult OnPost(string provider, string returnUrl = null)
     {
         // Request a redirect to the external login provider.
         var redirectUrl = Url.Page("./ExternalLogin", pageHandler: "Callback", values: new { returnUrl });
@@ -66,7 +65,7 @@ public IActionResult OnPost(string provider, string? returnUrl = null)
         return new ChallengeResult(provider, properties);
     }
 
-    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string? remoteError = null)
+    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string remoteError = null)
     {
         returnUrl = returnUrl ?? Url.Content("~/");
         if (remoteError != null)
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs
index e09483d..4b1984a 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Text;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs
index 36cd63f..cbabff3 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ForgotPasswordConfirmation.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs
index 85171bc..21f1ad7 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Lockout.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs
index 2150af4..12ddfc0 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Login.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs
index 3b67d05..d99e02c 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/LoginWith2fa.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
@@ -44,7 +43,7 @@ public class InputModel
         public bool RememberMachine { get; set; }
     }
 
-    public async Task<IActionResult> OnGetAsync(bool rememberMe, string? returnUrl = null)
+    public async Task<IActionResult> OnGetAsync(bool rememberMe, string returnUrl = null)
     {
         // Ensure the user has gone through the username & password screen first
         var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
diff --git a/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs
index d4dfa0e..f2eeb92 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/LoginWithRecoveryCode.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
@@ -39,7 +38,7 @@ public class InputModel
         public string RecoveryCode { get; set; }
     }
 
-    public async Task<IActionResult> OnGetAsync(string? returnUrl = null)
+    public async Task<IActionResult> OnGetAsync(string returnUrl = null)
     {
         // Ensure the user has gone through the username & password screen first
         var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
@@ -53,7 +52,7 @@ public async Task<IActionResult> OnGetAsync(string? returnUrl = null)
         return Page();
     }
 
-    public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
+    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
     {
         if (!ModelState.IsValid)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs
index db50f2f..0242677 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Logout.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -28,7 +27,7 @@ public void OnGet()
     {
     }
 
-    public async Task<IActionResult> OnPost(string? returnUrl = null)
+    public async Task<IActionResult> OnPost(string returnUrl = null)
     {
         await _signInManager.SignOutAsync();
         _logger.LogInformation("User logged out.");
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs
index 64591e8..47fa46b 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs
index 534e888..d38f160 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 /*
 using System;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
index 7758a0c..954785e 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs
index 61e44eb..9515863 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs
index a671f64..15349d5 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Text;
 using System.Text.Encodings.Web;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs
index 438ed8f..40a395d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs
index 2c243df..b52c03f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ExternalLogins.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs
index 2255429..b6a858e 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/GenerateRecoveryCodes.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Linq;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs
index 80ee2b4..79253f6 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs
index 781d176..7114517 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -20,34 +19,34 @@ public static class ManageNavPages
     public const string ManagePatreon = "ManagePatreon";
     public const string Developer = "Developer";
 
-    public static string? IndexNavClass(ViewContext viewContext)
+    public static string IndexNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, Index);
 
-    public static string? EmailNavClass(ViewContext viewContext)
+    public static string EmailNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, Email);
 
-    public static string? ChangePasswordNavClass(ViewContext viewContext)
+    public static string ChangePasswordNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, ChangePassword);
 
-    public static string? DownloadPersonalDataNavClass(ViewContext viewContext)
+    public static string DownloadPersonalDataNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, DownloadPersonalData);
 
-    public static string? DeletePersonalDataNavClass(ViewContext viewContext)
+    public static string DeletePersonalDataNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, DeletePersonalData);
 
-    public static string? ExternalLoginsNavClass(ViewContext viewContext)
+    public static string ExternalLoginsNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, ExternalLogins);
 
-    public static string? PersonalDataNavClass(ViewContext viewContext)
+    public static string PersonalDataNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, PersonalData);
 
-    public static string? TwoFactorAuthenticationNavClass(ViewContext viewContext)
+    public static string TwoFactorAuthenticationNavClass(ViewContext viewContext)
         => PageNavClass(viewContext, TwoFactorAuthentication);
 
-    public static string? PatreonNavClass(ViewContext viewContext) => PageNavClass(viewContext, ManagePatreon);
-    public static string? DeveloperNavClass(ViewContext viewContext) => PageNavClass(viewContext, Developer);
+    public static string PatreonNavClass(ViewContext viewContext) => PageNavClass(viewContext, ManagePatreon);
+    public static string DeveloperNavClass(ViewContext viewContext) => PageNavClass(viewContext, Developer);
 
-    private static string? PageNavClass(ViewContext viewContext, string page)
+    private static string PageNavClass(ViewContext viewContext, string page)
     {
         var activePage = viewContext.ViewData["ActivePage"] as string
                          ?? System.IO.Path.GetFileNameWithoutExtension(viewContext.ActionDescriptor.DisplayName);
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs
index 029ada3..43ec0e6 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ManagePatreon.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
index 7e20a9d..144d318 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
index 52f0f82..1d0198a 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.ComponentModel;
+using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index 189212d..fd25c85 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
@@ -132,7 +131,7 @@ public async Task<IActionResult> OnPostDeleteSecretAsync(int client, int secret)
     }
 
     // Null return indicates everything good.
-    private async Task<IActionResult?> GetAppAndVerifyAccess(int client)
+    private async Task<IActionResult> GetAppAndVerifyAccess(int client)
     {
         var user = await _userManager.GetUserAsync(User);
         //App = await _dbContext.UserOAuthClients
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs
index 4857b49..e643136 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/PersonalData.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.Net.Mime;
 using System.Threading;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs
index a09e039..539cc0d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ResetAuthenticator.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs
index 696a112..e28cbfb 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs
index a07a7be..e1ff308 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/ShowRecoveryCodes.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs
index d255d50..ff3859a 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
index 208ce1b..bfe5e2f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
@@ -83,7 +82,7 @@ public class InputModel
         public bool AgeCheck { get; set; }
     }
 
-    public async Task OnGetAsync(string? returnUrl = null)
+    public async Task OnGetAsync(string returnUrl = null)
     {
         ReturnUrl = returnUrl;
         ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
@@ -132,9 +131,9 @@ public async Task<IActionResult> OnPostAsync(string returnUrl = null)
         return Page();
     }
 
-    public async Task<string?> GenerateEmailConfirmLink(
+    public async Task<string> GenerateEmailConfirmLink(
         SpaceUser user,
-        string? returnUrl = null)
+        string returnUrl = null)
     {
         var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
         code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
diff --git a/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs
index 9188646..522cc53 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using Microsoft.AspNetCore.Authorization;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
@@ -26,7 +25,7 @@ public RegisterConfirmationModel(UserManager<SpaceUser> userManager, IEmailSende
 
     public string EmailConfirmationUrl { get; set; }
 
-    public async Task<IActionResult> OnGetAsync(string? email, string? returnUrl = null)
+    public async Task<IActionResult> OnGetAsync(string email, string returnUrl = null)
     {
         if (email == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs
index 1dd0679..37c201a 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.ComponentModel.DataAnnotations;
 using System.Text;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs
index ce4b539..0a7491a 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
@@ -50,7 +49,7 @@ public class InputModel
         public string Code { get; set; }
     }
 
-    public IActionResult OnGet(string? code = null)
+    public IActionResult OnGet(string code = null)
     {
         if (code == null)
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs
index d9656d8..6c6a23d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/ResetPasswordConfirmation.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using System.Collections.Generic;
 using System.Linq;
diff --git a/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs b/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
index 4c653d5..2bf0983 100644
--- a/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
+++ b/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
@@ -1,5 +1,4 @@
-#nullable enable
-namespace SS14.Web.Configuration;
+namespace SS14.Web.Configuration;
 
 public sealed class OpenIdCertificateConfiguration
 {
diff --git a/SS14.Web/Controllers/HomeController.cs b/SS14.Web/Controllers/HomeController.cs
index b163059..8a66ac9 100644
--- a/SS14.Web/Controllers/HomeController.cs
+++ b/SS14.Web/Controllers/HomeController.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Diagnostics;
+using System.Diagnostics;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using SS14.Web.Models;
diff --git a/SS14.Web/Data/HubAuditLogManager.cs b/SS14.Web/Data/HubAuditLogManager.cs
index e4bdb3e..c300231 100644
--- a/SS14.Web/Data/HubAuditLogManager.cs
+++ b/SS14.Web/Data/HubAuditLogManager.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Security.Claims;
 using System.Text.Json;
 using Microsoft.AspNetCore.Authentication;
diff --git a/SS14.Web/Extensions/PatreonExtension.cs b/SS14.Web/Extensions/PatreonExtension.cs
index c1b2de9..0fa0c4c 100644
--- a/SS14.Web/Extensions/PatreonExtension.cs
+++ b/SS14.Web/Extensions/PatreonExtension.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using SS14.Auth.Shared.Config;
diff --git a/SS14.Web/HCaptcha/HCaptchaOptions.cs b/SS14.Web/HCaptcha/HCaptchaOptions.cs
index f7f3c09..60ea920 100644
--- a/SS14.Web/HCaptcha/HCaptchaOptions.cs
+++ b/SS14.Web/HCaptcha/HCaptchaOptions.cs
@@ -1,5 +1,4 @@
-#nullable enable
-namespace SS14.Web.HCaptcha;
+namespace SS14.Web.HCaptcha;
 
 public sealed class HCaptchaOptions
 {
diff --git a/SS14.Web/HCaptcha/HCaptchaService.cs b/SS14.Web/HCaptcha/HCaptchaService.cs
index 00c7bf2..6f39209 100644
--- a/SS14.Web/HCaptcha/HCaptchaService.cs
+++ b/SS14.Web/HCaptcha/HCaptchaService.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Net.Http;
 using System.Net.Http.Json;
diff --git a/SS14.Web/Helpers/CollectionHelper.cs b/SS14.Web/Helpers/CollectionHelper.cs
index bd532c2..51c67ff 100644
--- a/SS14.Web/Helpers/CollectionHelper.cs
+++ b/SS14.Web/Helpers/CollectionHelper.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Collections.Generic;
+using System.Collections.Generic;
 
 namespace SS14.Web.Helpers;
 
diff --git a/SS14.Web/Helpers/FormHiddenRoutes.cs b/SS14.Web/Helpers/FormHiddenRoutes.cs
index 3df5c04..abf58b7 100644
--- a/SS14.Web/Helpers/FormHiddenRoutes.cs
+++ b/SS14.Web/Helpers/FormHiddenRoutes.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Linq;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
diff --git a/SS14.Web/Helpers/MustBeTrueAttribute.cs b/SS14.Web/Helpers/MustBeTrueAttribute.cs
index 71d1a60..27edee1 100644
--- a/SS14.Web/Helpers/MustBeTrueAttribute.cs
+++ b/SS14.Web/Helpers/MustBeTrueAttribute.cs
@@ -1,11 +1,10 @@
-#nullable enable
 using System.ComponentModel.DataAnnotations;
 
 namespace SS14.Web.Helpers;
 
 public class MustBeTrueAttribute : ValidationAttribute
 {
-    public override bool IsValid(object? value)
+    public override bool IsValid(object value)
     {
         return value is bool b && b;
     }
diff --git a/SS14.Web/Helpers/PaginatedList.cs b/SS14.Web/Helpers/PaginatedList.cs
index ba94020..5fe7649 100644
--- a/SS14.Web/Helpers/PaginatedList.cs
+++ b/SS14.Web/Helpers/PaginatedList.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
diff --git a/SS14.Web/Helpers/PaginationState.cs b/SS14.Web/Helpers/PaginationState.cs
index 3f580d3..cc71b73 100644
--- a/SS14.Web/Helpers/PaginationState.cs
+++ b/SS14.Web/Helpers/PaginationState.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.Globalization;
diff --git a/SS14.Web/Helpers/SearchHelper.cs b/SS14.Web/Helpers/SearchHelper.cs
index d75f431..df17f17 100644
--- a/SS14.Web/Helpers/SearchHelper.cs
+++ b/SS14.Web/Helpers/SearchHelper.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Linq.Expressions;
 
 namespace SS14.Web.Helpers;
diff --git a/SS14.Web/Helpers/SortState.cs b/SS14.Web/Helpers/SortState.cs
index c0bd971..a57cc95 100644
--- a/SS14.Web/Helpers/SortState.cs
+++ b/SS14.Web/Helpers/SortState.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.Linq;
diff --git a/SS14.Web/Models/ErrorViewModel.cs b/SS14.Web/Models/ErrorViewModel.cs
index 5570672..ff229f5 100644
--- a/SS14.Web/Models/ErrorViewModel.cs
+++ b/SS14.Web/Models/ErrorViewModel.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 
 namespace SS14.Web.Models;
diff --git a/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs b/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs
index e606c66..251b270 100644
--- a/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs
+++ b/SS14.Web/Pages/Shared/SortTabHeader.cshtml.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System;
 using SS14.Web.Helpers;
 
diff --git a/SS14.Web/PatreonConnectionHandler.cs b/SS14.Web/PatreonConnectionHandler.cs
index 97c1e83..33f521c 100644
--- a/SS14.Web/PatreonConnectionHandler.cs
+++ b/SS14.Web/PatreonConnectionHandler.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
 using System.Linq;
@@ -41,7 +40,7 @@ public Task HookCreatingTicket(OAuthCreatingTicketContext context)
     {
         // Add current tier to the principal, rest is handle in Received.
 
-        var identity = (ClaimsIdentity?) context.Principal!.Identity;
+        var identity = (ClaimsIdentity) context.Principal!.Identity;
 
         // AFAICT you shouldn't be able to have multiple tiers with our current patreon setup so...
         var tier = ParseTiers(context.User)
diff --git a/SS14.Web/PersonalDataCollector.cs b/SS14.Web/PersonalDataCollector.cs
index 6543b13..52067d8 100644
--- a/SS14.Web/PersonalDataCollector.cs
+++ b/SS14.Web/PersonalDataCollector.cs
@@ -1,5 +1,4 @@
-#nullable enable
-using System;
+using System;
 using System.IO;
 using System.IO.Compression;
 using System.Linq;
diff --git a/SS14.Web/Properties/AssemblyInfo.cs b/SS14.Web/Properties/AssemblyInfo.cs
index eb8f38d..a4a4978 100644
--- a/SS14.Web/Properties/AssemblyInfo.cs
+++ b/SS14.Web/Properties/AssemblyInfo.cs
@@ -1,4 +1,3 @@
-#nullable enable
 using System.Runtime.CompilerServices;
 
 [assembly: InternalsVisibleTo("SS14.Web.Tests")]
\ No newline at end of file

From 848c7df66ec2dba9148e72192b2c8bccbee2441e Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 00:19:10 +0200
Subject: [PATCH 09/43] Add list of ef core commands to readme

---
 README.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 930c780..455c7b7 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,13 @@ ConnectionStrings:
 Mutex:
   # Change this to something local on disk.
   DbPath: 'C:\Users\Pieter-Jan Briers\Projects\ss14\web\mutex.db'
-``` 
+```
 
 * Create the mutex DB mentioned above manually, and run `init_mutex.sql` on it. (I recommend https://sqlitebrowser.org/ for this task)
 * If I didn't forget anything you should now be able to start both services and it should work:tm:.
+
+### Handling migrations
+The following ef core commands can be used:
+- Creating a migration: `dotnet ef migrations add <migration name> -p SS14.Auth.Shared`
+- Removing migrations: `dotnet ef migrations remove -p SS14.Auth.Shared --connection "<connection string>"`
+- Updating the database: `dotnet ef database update -p SS14.Auth.Shared -s .\SS14.Web\ --connection "<connection string>"`

From a046867f8aca2445755ecd7b071a2f0729a77ff8 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 01:21:29 +0200
Subject: [PATCH 10/43] A

---
 .../ApplicationDesignTimeDbContextFactory.cs  |    2 +
 ...50812220730_SwitchToOpenIddict.Designer.cs |  953 +++++++++++
 .../20250812220730_SwitchToOpenIddict.cs      |  998 ++++++++++++
 .../ApplicationDbContextModelSnapshot.cs      | 1412 ++++-------------
 SS14.Auth.Shared/Data/SpaceApplication.cs     |    9 +-
 SS14.Auth.Shared/SS14.Auth.Shared.csproj      |    2 +-
 SS14.Auth.Shared/StartupHelpers.cs            |    7 +-
 .../Identity/Pages/Account/Consent.cshtml     |   31 +-
 .../Identity/Pages/Account/Consent.cshtml.cs  |   39 +-
 .../Identity/Pages/Account/Register.cshtml.cs |    5 +-
 SS14.Web/Data/TestDataSeeder.cs               |   61 +
 SS14.Web/Extensions/OpenIdExtension.cs        |   20 +-
 SS14.Web/Helpers/ScopeHelper.cs               |   15 +
 SS14.Web/Program.cs                           |    3 +-
 SS14.Web/SS14.Web.csproj                      |    6 +-
 SS14.Web/appsettings.yml                      |    5 +-
 16 files changed, 2409 insertions(+), 1159 deletions(-)
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.Designer.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs
 create mode 100644 SS14.Web/Data/TestDataSeeder.cs
 create mode 100644 SS14.Web/Helpers/ScopeHelper.cs

diff --git a/SS14.Auth.Shared/Data/ApplicationDesignTimeDbContextFactory.cs b/SS14.Auth.Shared/Data/ApplicationDesignTimeDbContextFactory.cs
index 9c8635f..41d212b 100644
--- a/SS14.Auth.Shared/Data/ApplicationDesignTimeDbContextFactory.cs
+++ b/SS14.Auth.Shared/Data/ApplicationDesignTimeDbContextFactory.cs
@@ -1,6 +1,7 @@
 using JetBrains.Annotations;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Design;
+using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 namespace SS14.Auth.Shared.Data;
 
@@ -11,6 +12,7 @@ public ApplicationDbContext CreateDbContext(string[] args)
     {
         var optionsBuilder = new DbContextOptionsBuilder<ApplicationDbContext>();
         optionsBuilder.UseNpgsql("Server=localhost");
+        optionsBuilder.UseOpenIddict<SpaceApplication, DefaultAuthorization, DefaultScope, DefaultToken, string>();
         return new ApplicationDbContext(optionsBuilder.Options);
     }
 }
diff --git a/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.Designer.cs
new file mode 100644
index 0000000..5a37830
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.Designer.cs
@@ -0,0 +1,953 @@
+// <auto-generated />
+using System;
+using System.Net;
+using System.Text.Json;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using SS14.Auth.Shared.Data;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20250812220730_SwitchToOpenIddict")]
+    partial class SwitchToOpenIddict
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetRoleClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderDisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("LoginProvider", "ProviderKey");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserLogins", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserId", "RoleId");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetUserRoles", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("UserId", "LoginProvider", "Name");
+
+                    b.ToTable("AspNetUserTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<Guid?>("Actor")
+                        .HasColumnType("uuid");
+
+                    b.Property<IPAddress>("ActorAddress")
+                        .HasColumnType("inet");
+
+                    b.Property<JsonDocument>("Data")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("AccountLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.Property<long>("AuthHashId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("Hash")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<long?>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("AuthHashId");
+
+                    b.HasIndex("HwidId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Hash", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("AuthHashes");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("BurnerEmails");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<byte[]>("ClientData")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<int>("TypeCode")
+                        .HasColumnType("integer");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientData")
+                        .IsUnique();
+
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AuthorizationId");
+
+                    b.HasIndex("ReferenceId")
+                        .IsUnique();
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("ChangeTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("PastAccountNames");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Content")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Trigger")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("PatreonWebhookLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("CurrentTier")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PatreonId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("PatreonId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("Patrons");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedName")
+                        .IsUnique()
+                        .HasDatabaseName("RoleNameIndex");
+
+                    b.ToTable("AspNetRoles", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AdminLocked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AdminNotes")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("EmailConfirmed")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("LastUsernameChange")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("NormalizedEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedUserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SecurityStamp")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("TwoFactorEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("UserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedEmail")
+                        .HasDatabaseName("EmailIndex");
+
+                    b.HasIndex("NormalizedUserName")
+                        .IsUnique()
+                        .HasDatabaseName("UserNameIndex");
+
+                    b.ToTable("AspNetUsers", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.UserOAuthClient", b =>
+                {
+                    b.Property<int>("UserOAuthClientId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("UserOAuthClientId"));
+
+                    b.Property<int>("ClientId")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserOAuthClientId");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("UserOAuthClients");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("WhitelistEmails");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AccountLogs")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany()
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AuthHashes")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany("Users")
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("LoginSessions")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("PastAccountNames")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithOne("Patron")
+                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.UserOAuthClient", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Navigation("Users");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Navigation("Authorizations");
+
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Navigation("AccountLogs");
+
+                    b.Navigation("AuthHashes");
+
+                    b.Navigation("LoginSessions");
+
+                    b.Navigation("PastAccountNames");
+
+                    b.Navigation("Patron");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs b/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs
new file mode 100644
index 0000000..2df86b6
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs
@@ -0,0 +1,998 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class SwitchToOpenIddict : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropForeignKey(
+                name: "FK_UserOAuthClients_Clients_ClientId",
+                table: "UserOAuthClients");
+
+            migrationBuilder.DropTable(
+                name: "ApiResourceClaims",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ApiResourceProperties",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ApiResourceScopes",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ApiResourceSecrets",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ApiScopeClaims",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ApiScopeProperties",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientClaims",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientCorsOrigins",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientGrantTypes",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientIdPRestrictions",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientPostLogoutRedirectUris",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientProperties",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientRedirectUris",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientScopes",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ClientSecrets",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "DeviceCodes",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "IdentityResourceClaims",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "IdentityResourceProperties",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "PersistedGrants",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ApiResources",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "ApiScopes",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "Clients",
+                schema: "IS4");
+
+            migrationBuilder.DropTable(
+                name: "IdentityResources",
+                schema: "IS4");
+
+            migrationBuilder.CreateTable(
+                name: "OpenIddictApplications",
+                columns: table => new
+                {
+                    Id = table.Column<string>(type: "text", nullable: false),
+                    SpaceUserId = table.Column<Guid>(type: "uuid", nullable: true),
+                    LogoUri = table.Column<string>(type: "text", nullable: true),
+                    ApplicationType = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    ClientId = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: true),
+                    ClientSecret = table.Column<string>(type: "text", nullable: true),
+                    ClientType = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    ConcurrencyToken = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    ConsentType = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    DisplayName = table.Column<string>(type: "text", nullable: true),
+                    DisplayNames = table.Column<string>(type: "text", nullable: true),
+                    JsonWebKeySet = table.Column<string>(type: "text", nullable: true),
+                    Permissions = table.Column<string>(type: "text", nullable: true),
+                    PostLogoutRedirectUris = table.Column<string>(type: "text", nullable: true),
+                    Properties = table.Column<string>(type: "text", nullable: true),
+                    RedirectUris = table.Column<string>(type: "text", nullable: true),
+                    Requirements = table.Column<string>(type: "text", nullable: true),
+                    Settings = table.Column<string>(type: "text", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_OpenIddictApplications", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_OpenIddictApplications_AspNetUsers_SpaceUserId",
+                        column: x => x.SpaceUserId,
+                        principalTable: "AspNetUsers",
+                        principalColumn: "Id");
+                });
+
+            migrationBuilder.CreateTable(
+                name: "OpenIddictScopes",
+                columns: table => new
+                {
+                    Id = table.Column<string>(type: "text", nullable: false),
+                    ConcurrencyToken = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    Description = table.Column<string>(type: "text", nullable: true),
+                    Descriptions = table.Column<string>(type: "text", nullable: true),
+                    DisplayName = table.Column<string>(type: "text", nullable: true),
+                    DisplayNames = table.Column<string>(type: "text", nullable: true),
+                    Name = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    Properties = table.Column<string>(type: "text", nullable: true),
+                    Resources = table.Column<string>(type: "text", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_OpenIddictScopes", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "OpenIddictAuthorizations",
+                columns: table => new
+                {
+                    Id = table.Column<string>(type: "text", nullable: false),
+                    ApplicationId = table.Column<string>(type: "text", nullable: true),
+                    ConcurrencyToken = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    CreationDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    Properties = table.Column<string>(type: "text", nullable: true),
+                    Scopes = table.Column<string>(type: "text", nullable: true),
+                    Status = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    Subject = table.Column<string>(type: "character varying(400)", maxLength: 400, nullable: true),
+                    Type = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_OpenIddictAuthorizations", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_OpenIddictAuthorizations_OpenIddictApplications_Application~",
+                        column: x => x.ApplicationId,
+                        principalTable: "OpenIddictApplications",
+                        principalColumn: "Id");
+                });
+
+            migrationBuilder.CreateTable(
+                name: "OpenIddictTokens",
+                columns: table => new
+                {
+                    Id = table.Column<string>(type: "text", nullable: false),
+                    ApplicationId = table.Column<string>(type: "text", nullable: true),
+                    AuthorizationId = table.Column<string>(type: "text", nullable: true),
+                    ConcurrencyToken = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    CreationDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    ExpirationDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    Payload = table.Column<string>(type: "text", nullable: true),
+                    Properties = table.Column<string>(type: "text", nullable: true),
+                    RedemptionDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    ReferenceId = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: true),
+                    Status = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: true),
+                    Subject = table.Column<string>(type: "character varying(400)", maxLength: 400, nullable: true),
+                    Type = table.Column<string>(type: "character varying(150)", maxLength: 150, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_OpenIddictTokens", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_OpenIddictTokens_OpenIddictApplications_ApplicationId",
+                        column: x => x.ApplicationId,
+                        principalTable: "OpenIddictApplications",
+                        principalColumn: "Id");
+                    table.ForeignKey(
+                        name: "FK_OpenIddictTokens_OpenIddictAuthorizations_AuthorizationId",
+                        column: x => x.AuthorizationId,
+                        principalTable: "OpenIddictAuthorizations",
+                        principalColumn: "Id");
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_OpenIddictApplications_ClientId",
+                table: "OpenIddictApplications",
+                column: "ClientId",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_OpenIddictApplications_SpaceUserId",
+                table: "OpenIddictApplications",
+                column: "SpaceUserId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_OpenIddictAuthorizations_ApplicationId_Status_Subject_Type",
+                table: "OpenIddictAuthorizations",
+                columns: new[] { "ApplicationId", "Status", "Subject", "Type" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_OpenIddictScopes_Name",
+                table: "OpenIddictScopes",
+                column: "Name",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_OpenIddictTokens_ApplicationId_Status_Subject_Type",
+                table: "OpenIddictTokens",
+                columns: new[] { "ApplicationId", "Status", "Subject", "Type" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_OpenIddictTokens_AuthorizationId",
+                table: "OpenIddictTokens",
+                column: "AuthorizationId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_OpenIddictTokens_ReferenceId",
+                table: "OpenIddictTokens",
+                column: "ReferenceId",
+                unique: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "OpenIddictScopes");
+
+            migrationBuilder.DropTable(
+                name: "OpenIddictTokens");
+
+            migrationBuilder.DropTable(
+                name: "OpenIddictAuthorizations");
+
+            migrationBuilder.DropTable(
+                name: "OpenIddictApplications");
+
+            migrationBuilder.EnsureSchema(
+                name: "IS4");
+
+            migrationBuilder.CreateTable(
+                name: "ApiResources",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    AllowedAccessTokenSigningAlgorithms = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: true),
+                    Created = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Description = table.Column<string>(type: "character varying(1000)", maxLength: 1000, nullable: true),
+                    DisplayName = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    Enabled = table.Column<bool>(type: "boolean", nullable: false),
+                    LastAccessed = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    Name = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    NonEditable = table.Column<bool>(type: "boolean", nullable: false),
+                    ShowInDiscoveryDocument = table.Column<bool>(type: "boolean", nullable: false),
+                    Updated = table.Column<DateTime>(type: "timestamp with time zone", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiResources", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ApiScopes",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    Description = table.Column<string>(type: "character varying(1000)", maxLength: 1000, nullable: true),
+                    DisplayName = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    Emphasize = table.Column<bool>(type: "boolean", nullable: false),
+                    Enabled = table.Column<bool>(type: "boolean", nullable: false),
+                    Name = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    Required = table.Column<bool>(type: "boolean", nullable: false),
+                    ShowInDiscoveryDocument = table.Column<bool>(type: "boolean", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiScopes", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "Clients",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    AbsoluteRefreshTokenLifetime = table.Column<int>(type: "integer", nullable: false),
+                    AccessTokenLifetime = table.Column<int>(type: "integer", nullable: false),
+                    AccessTokenType = table.Column<int>(type: "integer", nullable: false),
+                    AllowAccessTokensViaBrowser = table.Column<bool>(type: "boolean", nullable: false),
+                    AllowOfflineAccess = table.Column<bool>(type: "boolean", nullable: false),
+                    AllowPlainTextPkce = table.Column<bool>(type: "boolean", nullable: false),
+                    AllowRememberConsent = table.Column<bool>(type: "boolean", nullable: false),
+                    AllowedIdentityTokenSigningAlgorithms = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: true),
+                    AlwaysIncludeUserClaimsInIdToken = table.Column<bool>(type: "boolean", nullable: false),
+                    AlwaysSendClientClaims = table.Column<bool>(type: "boolean", nullable: false),
+                    AuthorizationCodeLifetime = table.Column<int>(type: "integer", nullable: false),
+                    BackChannelLogoutSessionRequired = table.Column<bool>(type: "boolean", nullable: false),
+                    BackChannelLogoutUri = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
+                    ClientClaimsPrefix = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    ClientId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    ClientName = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    ClientUri = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
+                    ConsentLifetime = table.Column<int>(type: "integer", nullable: true),
+                    Created = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Description = table.Column<string>(type: "character varying(1000)", maxLength: 1000, nullable: true),
+                    DeviceCodeLifetime = table.Column<int>(type: "integer", nullable: false),
+                    EnableLocalLogin = table.Column<bool>(type: "boolean", nullable: false),
+                    Enabled = table.Column<bool>(type: "boolean", nullable: false),
+                    FrontChannelLogoutSessionRequired = table.Column<bool>(type: "boolean", nullable: false),
+                    FrontChannelLogoutUri = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
+                    IdentityTokenLifetime = table.Column<int>(type: "integer", nullable: false),
+                    IncludeJwtId = table.Column<bool>(type: "boolean", nullable: false),
+                    LastAccessed = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    LogoUri = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
+                    NonEditable = table.Column<bool>(type: "boolean", nullable: false),
+                    PairWiseSubjectSalt = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    ProtocolType = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    RefreshTokenExpiration = table.Column<int>(type: "integer", nullable: false),
+                    RefreshTokenUsage = table.Column<int>(type: "integer", nullable: false),
+                    RequireClientSecret = table.Column<bool>(type: "boolean", nullable: false),
+                    RequireConsent = table.Column<bool>(type: "boolean", nullable: false),
+                    RequirePkce = table.Column<bool>(type: "boolean", nullable: false),
+                    RequireRequestObject = table.Column<bool>(type: "boolean", nullable: false),
+                    SlidingRefreshTokenLifetime = table.Column<int>(type: "integer", nullable: false),
+                    UpdateAccessTokenClaimsOnRefresh = table.Column<bool>(type: "boolean", nullable: false),
+                    Updated = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    UserCodeType = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: true),
+                    UserSsoLifetime = table.Column<int>(type: "integer", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_Clients", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "DeviceCodes",
+                schema: "IS4",
+                columns: table => new
+                {
+                    UserCode = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    ClientId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    CreationTime = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Data = table.Column<string>(type: "character varying(50000)", maxLength: 50000, nullable: false),
+                    Description = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    DeviceCode = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    Expiration = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    SessionId = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: true),
+                    SubjectId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DeviceCodes", x => x.UserCode);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "IdentityResources",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    Created = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Description = table.Column<string>(type: "character varying(1000)", maxLength: 1000, nullable: true),
+                    DisplayName = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    Emphasize = table.Column<bool>(type: "boolean", nullable: false),
+                    Enabled = table.Column<bool>(type: "boolean", nullable: false),
+                    Name = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    NonEditable = table.Column<bool>(type: "boolean", nullable: false),
+                    Required = table.Column<bool>(type: "boolean", nullable: false),
+                    ShowInDiscoveryDocument = table.Column<bool>(type: "boolean", nullable: false),
+                    Updated = table.Column<DateTime>(type: "timestamp with time zone", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_IdentityResources", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "PersistedGrants",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Key = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    ClientId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    ConsumedTime = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    CreationTime = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Data = table.Column<string>(type: "character varying(50000)", maxLength: 50000, nullable: false),
+                    Description = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    Expiration = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    SessionId = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: true),
+                    SubjectId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: true),
+                    Type = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_PersistedGrants", x => x.Key);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ApiResourceClaims",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ApiResourceId = table.Column<int>(type: "integer", nullable: false),
+                    Type = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiResourceClaims", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ApiResourceClaims_ApiResources_ApiResourceId",
+                        column: x => x.ApiResourceId,
+                        principalSchema: "IS4",
+                        principalTable: "ApiResources",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ApiResourceProperties",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ApiResourceId = table.Column<int>(type: "integer", nullable: false),
+                    Key = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false),
+                    Value = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiResourceProperties", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ApiResourceProperties_ApiResources_ApiResourceId",
+                        column: x => x.ApiResourceId,
+                        principalSchema: "IS4",
+                        principalTable: "ApiResources",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ApiResourceScopes",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ApiResourceId = table.Column<int>(type: "integer", nullable: false),
+                    Scope = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiResourceScopes", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ApiResourceScopes_ApiResources_ApiResourceId",
+                        column: x => x.ApiResourceId,
+                        principalSchema: "IS4",
+                        principalTable: "ApiResources",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ApiResourceSecrets",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ApiResourceId = table.Column<int>(type: "integer", nullable: false),
+                    Created = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Description = table.Column<string>(type: "character varying(1000)", maxLength: 1000, nullable: true),
+                    Expiration = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    Type = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false),
+                    Value = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiResourceSecrets", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ApiResourceSecrets_ApiResources_ApiResourceId",
+                        column: x => x.ApiResourceId,
+                        principalSchema: "IS4",
+                        principalTable: "ApiResources",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ApiScopeClaims",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ScopeId = table.Column<int>(type: "integer", nullable: false),
+                    Type = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiScopeClaims", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ApiScopeClaims_ApiScopes_ScopeId",
+                        column: x => x.ScopeId,
+                        principalSchema: "IS4",
+                        principalTable: "ApiScopes",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ApiScopeProperties",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ScopeId = table.Column<int>(type: "integer", nullable: false),
+                    Key = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false),
+                    Value = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ApiScopeProperties", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ApiScopeProperties_ApiScopes_ScopeId",
+                        column: x => x.ScopeId,
+                        principalSchema: "IS4",
+                        principalTable: "ApiScopes",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientClaims",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    Type = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false),
+                    Value = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientClaims", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientClaims_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientCorsOrigins",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    Origin = table.Column<string>(type: "character varying(150)", maxLength: 150, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientCorsOrigins", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientCorsOrigins_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientGrantTypes",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    GrantType = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientGrantTypes", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientGrantTypes_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientIdPRestrictions",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    Provider = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientIdPRestrictions", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientIdPRestrictions_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientPostLogoutRedirectUris",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    PostLogoutRedirectUri = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientPostLogoutRedirectUris", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientPostLogoutRedirectUris_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientProperties",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    Key = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false),
+                    Value = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientProperties", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientProperties_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientRedirectUris",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    RedirectUri = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientRedirectUris", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientRedirectUris_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientScopes",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    Scope = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientScopes", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientScopes_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClientSecrets",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    ClientId = table.Column<int>(type: "integer", nullable: false),
+                    Created = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Description = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
+                    Expiration = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    Type = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false),
+                    Value = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClientSecrets", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_ClientSecrets_Clients_ClientId",
+                        column: x => x.ClientId,
+                        principalSchema: "IS4",
+                        principalTable: "Clients",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "IdentityResourceClaims",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    IdentityResourceId = table.Column<int>(type: "integer", nullable: false),
+                    Type = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_IdentityResourceClaims", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_IdentityResourceClaims_IdentityResources_IdentityResourceId",
+                        column: x => x.IdentityResourceId,
+                        principalSchema: "IS4",
+                        principalTable: "IdentityResources",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "IdentityResourceProperties",
+                schema: "IS4",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    IdentityResourceId = table.Column<int>(type: "integer", nullable: false),
+                    Key = table.Column<string>(type: "character varying(250)", maxLength: 250, nullable: false),
+                    Value = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_IdentityResourceProperties", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_IdentityResourceProperties_IdentityResources_IdentityResour~",
+                        column: x => x.IdentityResourceId,
+                        principalSchema: "IS4",
+                        principalTable: "IdentityResources",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiResourceClaims_ApiResourceId",
+                schema: "IS4",
+                table: "ApiResourceClaims",
+                column: "ApiResourceId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiResourceProperties_ApiResourceId",
+                schema: "IS4",
+                table: "ApiResourceProperties",
+                column: "ApiResourceId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiResources_Name",
+                schema: "IS4",
+                table: "ApiResources",
+                column: "Name",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiResourceScopes_ApiResourceId",
+                schema: "IS4",
+                table: "ApiResourceScopes",
+                column: "ApiResourceId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiResourceSecrets_ApiResourceId",
+                schema: "IS4",
+                table: "ApiResourceSecrets",
+                column: "ApiResourceId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiScopeClaims_ScopeId",
+                schema: "IS4",
+                table: "ApiScopeClaims",
+                column: "ScopeId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiScopeProperties_ScopeId",
+                schema: "IS4",
+                table: "ApiScopeProperties",
+                column: "ScopeId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ApiScopes_Name",
+                schema: "IS4",
+                table: "ApiScopes",
+                column: "Name",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientClaims_ClientId",
+                schema: "IS4",
+                table: "ClientClaims",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientCorsOrigins_ClientId",
+                schema: "IS4",
+                table: "ClientCorsOrigins",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientGrantTypes_ClientId",
+                schema: "IS4",
+                table: "ClientGrantTypes",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientIdPRestrictions_ClientId",
+                schema: "IS4",
+                table: "ClientIdPRestrictions",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientPostLogoutRedirectUris_ClientId",
+                schema: "IS4",
+                table: "ClientPostLogoutRedirectUris",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientProperties_ClientId",
+                schema: "IS4",
+                table: "ClientProperties",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientRedirectUris_ClientId",
+                schema: "IS4",
+                table: "ClientRedirectUris",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Clients_ClientId",
+                schema: "IS4",
+                table: "Clients",
+                column: "ClientId",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientScopes_ClientId",
+                schema: "IS4",
+                table: "ClientScopes",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClientSecrets_ClientId",
+                schema: "IS4",
+                table: "ClientSecrets",
+                column: "ClientId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DeviceCodes_DeviceCode",
+                schema: "IS4",
+                table: "DeviceCodes",
+                column: "DeviceCode",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DeviceCodes_Expiration",
+                schema: "IS4",
+                table: "DeviceCodes",
+                column: "Expiration");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_IdentityResourceClaims_IdentityResourceId",
+                schema: "IS4",
+                table: "IdentityResourceClaims",
+                column: "IdentityResourceId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_IdentityResourceProperties_IdentityResourceId",
+                schema: "IS4",
+                table: "IdentityResourceProperties",
+                column: "IdentityResourceId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_IdentityResources_Name",
+                schema: "IS4",
+                table: "IdentityResources",
+                column: "Name",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_PersistedGrants_Expiration",
+                schema: "IS4",
+                table: "PersistedGrants",
+                column: "Expiration");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_PersistedGrants_SubjectId_ClientId_Type",
+                schema: "IS4",
+                table: "PersistedGrants",
+                columns: new[] { "SubjectId", "ClientId", "Type" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_PersistedGrants_SubjectId_SessionId_Type",
+                schema: "IS4",
+                table: "PersistedGrants",
+                columns: new[] { "SubjectId", "SessionId", "Type" });
+
+            migrationBuilder.AddForeignKey(
+                name: "FK_UserOAuthClients_Clients_ClientId",
+                table: "UserOAuthClients",
+                column: "ClientId",
+                principalSchema: "IS4",
+                principalTable: "Clients",
+                principalColumn: "Id",
+                onDelete: ReferentialAction.Cascade);
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
index 692c7df..fca38c4 100644
--- a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
+++ b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
@@ -19,861 +19,11 @@ protected override void BuildModel(ModelBuilder modelBuilder)
         {
 #pragma warning disable 612, 618
             modelBuilder
-                .HasAnnotation("ProductVersion", "6.0.1")
+                .HasAnnotation("ProductVersion", "9.0.8")
                 .HasAnnotation("Relational:MaxIdentifierLength", 63);
 
             NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
 
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResource", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("AllowedAccessTokenSigningAlgorithms")
-                        .HasMaxLength(100)
-                        .HasColumnType("character varying(100)");
-
-                    b.Property<DateTime>("Created")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(1000)
-                        .HasColumnType("character varying(1000)");
-
-                    b.Property<string>("DisplayName")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<bool>("Enabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<DateTime?>("LastAccessed")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Name")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<bool>("NonEditable")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("ShowInDiscoveryDocument")
-                        .HasColumnType("boolean");
-
-                    b.Property<DateTime?>("Updated")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("Name")
-                        .IsUnique();
-
-                    b.ToTable("ApiResources", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceClaim", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ApiResourceId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Type")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ApiResourceId");
-
-                    b.ToTable("ApiResourceClaims", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceProperty", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ApiResourceId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Key")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.Property<string>("Value")
-                        .IsRequired()
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ApiResourceId");
-
-                    b.ToTable("ApiResourceProperties", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceScope", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ApiResourceId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Scope")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ApiResourceId");
-
-                    b.ToTable("ApiResourceScopes", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceSecret", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ApiResourceId")
-                        .HasColumnType("integer");
-
-                    b.Property<DateTime>("Created")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(1000)
-                        .HasColumnType("character varying(1000)");
-
-                    b.Property<DateTime?>("Expiration")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Type")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.Property<string>("Value")
-                        .IsRequired()
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ApiResourceId");
-
-                    b.ToTable("ApiResourceSecrets", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiScope", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(1000)
-                        .HasColumnType("character varying(1000)");
-
-                    b.Property<string>("DisplayName")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<bool>("Emphasize")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("Enabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("Name")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<bool>("Required")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("ShowInDiscoveryDocument")
-                        .HasColumnType("boolean");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("Name")
-                        .IsUnique();
-
-                    b.ToTable("ApiScopes", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiScopeClaim", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ScopeId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Type")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ScopeId");
-
-                    b.ToTable("ApiScopeClaims", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiScopeProperty", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("Key")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.Property<int>("ScopeId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Value")
-                        .IsRequired()
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ScopeId");
-
-                    b.ToTable("ApiScopeProperties", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.Client", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("AbsoluteRefreshTokenLifetime")
-                        .HasColumnType("integer");
-
-                    b.Property<int>("AccessTokenLifetime")
-                        .HasColumnType("integer");
-
-                    b.Property<int>("AccessTokenType")
-                        .HasColumnType("integer");
-
-                    b.Property<bool>("AllowAccessTokensViaBrowser")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("AllowOfflineAccess")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("AllowPlainTextPkce")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("AllowRememberConsent")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("AllowedIdentityTokenSigningAlgorithms")
-                        .HasMaxLength(100)
-                        .HasColumnType("character varying(100)");
-
-                    b.Property<bool>("AlwaysIncludeUserClaimsInIdToken")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("AlwaysSendClientClaims")
-                        .HasColumnType("boolean");
-
-                    b.Property<int>("AuthorizationCodeLifetime")
-                        .HasColumnType("integer");
-
-                    b.Property<bool>("BackChannelLogoutSessionRequired")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("BackChannelLogoutUri")
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.Property<string>("ClientClaimsPrefix")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("ClientId")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("ClientName")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("ClientUri")
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.Property<int?>("ConsentLifetime")
-                        .HasColumnType("integer");
-
-                    b.Property<DateTime>("Created")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(1000)
-                        .HasColumnType("character varying(1000)");
-
-                    b.Property<int>("DeviceCodeLifetime")
-                        .HasColumnType("integer");
-
-                    b.Property<bool>("EnableLocalLogin")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("Enabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("FrontChannelLogoutSessionRequired")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("FrontChannelLogoutUri")
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.Property<int>("IdentityTokenLifetime")
-                        .HasColumnType("integer");
-
-                    b.Property<bool>("IncludeJwtId")
-                        .HasColumnType("boolean");
-
-                    b.Property<DateTime?>("LastAccessed")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("LogoUri")
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.Property<bool>("NonEditable")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("PairWiseSubjectSalt")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("ProtocolType")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<int>("RefreshTokenExpiration")
-                        .HasColumnType("integer");
-
-                    b.Property<int>("RefreshTokenUsage")
-                        .HasColumnType("integer");
-
-                    b.Property<bool>("RequireClientSecret")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("RequireConsent")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("RequirePkce")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("RequireRequestObject")
-                        .HasColumnType("boolean");
-
-                    b.Property<int>("SlidingRefreshTokenLifetime")
-                        .HasColumnType("integer");
-
-                    b.Property<bool>("UpdateAccessTokenClaimsOnRefresh")
-                        .HasColumnType("boolean");
-
-                    b.Property<DateTime?>("Updated")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("UserCodeType")
-                        .HasMaxLength(100)
-                        .HasColumnType("character varying(100)");
-
-                    b.Property<int?>("UserSsoLifetime")
-                        .HasColumnType("integer");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId")
-                        .IsUnique();
-
-                    b.ToTable("Clients", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientClaim", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Type")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.Property<string>("Value")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientClaims", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientCorsOrigin", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Origin")
-                        .IsRequired()
-                        .HasMaxLength(150)
-                        .HasColumnType("character varying(150)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientCorsOrigins", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientGrantType", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("GrantType")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientGrantTypes", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientIdPRestriction", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Provider")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientIdPRestrictions", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientPostLogoutRedirectUri", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("PostLogoutRedirectUri")
-                        .IsRequired()
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientPostLogoutRedirectUris", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientProperty", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Key")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.Property<string>("Value")
-                        .IsRequired()
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientProperties", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientRedirectUri", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("RedirectUri")
-                        .IsRequired()
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientRedirectUris", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientScope", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Scope")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientScopes", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientSecret", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<DateTime>("Created")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.Property<DateTime?>("Expiration")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Type")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.Property<string>("Value")
-                        .IsRequired()
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.ToTable("ClientSecrets", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.DeviceFlowCodes", b =>
-                {
-                    b.Property<string>("UserCode")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("ClientId")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<DateTime>("CreationTime")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Data")
-                        .IsRequired()
-                        .HasMaxLength(50000)
-                        .HasColumnType("character varying(50000)");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("DeviceCode")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<DateTime?>("Expiration")
-                        .IsRequired()
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("SessionId")
-                        .HasMaxLength(100)
-                        .HasColumnType("character varying(100)");
-
-                    b.Property<string>("SubjectId")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.HasKey("UserCode");
-
-                    b.HasIndex("DeviceCode")
-                        .IsUnique();
-
-                    b.HasIndex("Expiration");
-
-                    b.ToTable("DeviceCodes", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.IdentityResource", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<DateTime>("Created")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(1000)
-                        .HasColumnType("character varying(1000)");
-
-                    b.Property<string>("DisplayName")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<bool>("Emphasize")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("Enabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("Name")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<bool>("NonEditable")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("Required")
-                        .HasColumnType("boolean");
-
-                    b.Property<bool>("ShowInDiscoveryDocument")
-                        .HasColumnType("boolean");
-
-                    b.Property<DateTime?>("Updated")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("Name")
-                        .IsUnique();
-
-                    b.ToTable("IdentityResources", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.IdentityResourceClaim", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("IdentityResourceId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Type")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("IdentityResourceId");
-
-                    b.ToTable("IdentityResourceClaims", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.IdentityResourceProperty", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<int>("IdentityResourceId")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Key")
-                        .IsRequired()
-                        .HasMaxLength(250)
-                        .HasColumnType("character varying(250)");
-
-                    b.Property<string>("Value")
-                        .IsRequired()
-                        .HasMaxLength(2000)
-                        .HasColumnType("character varying(2000)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("IdentityResourceId");
-
-                    b.ToTable("IdentityResourceProperties", "IS4");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.PersistedGrant", b =>
-                {
-                    b.Property<string>("Key")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("ClientId")
-                        .IsRequired()
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<DateTime?>("ConsumedTime")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<DateTime>("CreationTime")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Data")
-                        .IsRequired()
-                        .HasMaxLength(50000)
-                        .HasColumnType("character varying(50000)");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<DateTime?>("Expiration")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("SessionId")
-                        .HasMaxLength(100)
-                        .HasColumnType("character varying(100)");
-
-                    b.Property<string>("SubjectId")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("Type")
-                        .IsRequired()
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.HasKey("Key");
-
-                    b.HasIndex("Expiration");
-
-                    b.HasIndex("SubjectId", "ClientId", "Type");
-
-                    b.HasIndex("SubjectId", "SessionId", "Type");
-
-                    b.ToTable("PersistedGrants", "IS4");
-                });
-
             modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
                 {
                     b.Property<int>("Id")
@@ -1106,62 +256,205 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("ClientData")
                         .IsUnique();
 
-                    b.ToTable("Hwids");
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
                 });
 
-            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
                 {
-                    b.Property<long>("Id")
+                    b.Property<string>("Id")
                         .ValueGeneratedOnAdd()
-                        .HasColumnType("bigint");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+                        .HasColumnType("text");
 
-                    b.Property<DateTime>("FirstSeen")
-                        .HasColumnType("timestamp with time zone");
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
 
-                    b.Property<long>("HwidId")
-                        .HasColumnType("bigint");
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
 
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
 
-                    b.HasKey("Id");
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
 
-                    b.HasIndex("SpaceUserId");
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
 
-                    b.HasIndex("HwidId", "SpaceUserId")
-                        .IsUnique();
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
 
-                    b.ToTable("HwidUsers");
-                });
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
 
-            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
-                {
-                    b.Property<long>("LoginSessionId")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("bigint");
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
 
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
 
-                    b.Property<DateTimeOffset>("Expires")
-                        .HasColumnType("timestamp with time zone");
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
 
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
 
-                    b.Property<byte[]>("Token")
-                        .IsRequired()
-                        .HasColumnType("bytea");
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
 
-                    b.HasKey("LoginSessionId");
+                    b.HasKey("Id");
 
-                    b.HasIndex("SpaceUserId");
+                    b.HasIndex("AuthorizationId");
 
-                    b.HasIndex("Token")
+                    b.HasIndex("ReferenceId")
                         .IsUnique();
 
-                    b.ToTable("ActiveSessions");
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
@@ -1240,6 +533,79 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.ToTable("Patrons");
                 });
 
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
             modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
                 {
                     b.Property<Guid>("Id")
@@ -1373,193 +739,6 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.ToTable("WhitelistEmails");
                 });
 
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceClaim", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.ApiResource", "ApiResource")
-                        .WithMany("UserClaims")
-                        .HasForeignKey("ApiResourceId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("ApiResource");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceProperty", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.ApiResource", "ApiResource")
-                        .WithMany("Properties")
-                        .HasForeignKey("ApiResourceId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("ApiResource");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceScope", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.ApiResource", "ApiResource")
-                        .WithMany("Scopes")
-                        .HasForeignKey("ApiResourceId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("ApiResource");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResourceSecret", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.ApiResource", "ApiResource")
-                        .WithMany("Secrets")
-                        .HasForeignKey("ApiResourceId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("ApiResource");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiScopeClaim", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.ApiScope", "Scope")
-                        .WithMany("UserClaims")
-                        .HasForeignKey("ScopeId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Scope");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiScopeProperty", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.ApiScope", "Scope")
-                        .WithMany("Properties")
-                        .HasForeignKey("ScopeId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Scope");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientClaim", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("Claims")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientCorsOrigin", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("AllowedCorsOrigins")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientGrantType", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("AllowedGrantTypes")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientIdPRestriction", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("IdentityProviderRestrictions")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientPostLogoutRedirectUri", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("PostLogoutRedirectUris")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientProperty", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("Properties")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientRedirectUri", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("RedirectUris")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientScope", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("AllowedScopes")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ClientSecret", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
-                        .WithMany("ClientSecrets")
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Client");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.IdentityResourceClaim", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.IdentityResource", "IdentityResource")
-                        .WithMany("UserClaims")
-                        .HasForeignKey("IdentityResourceId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("IdentityResource");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.IdentityResourceProperty", b =>
-                {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.IdentityResource", "IdentityResource")
-                        .WithMany("Properties")
-                        .HasForeignKey("IdentityResourceId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("IdentityResource");
-                });
-
             modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
                 {
                     b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
@@ -1670,6 +849,30 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Navigation("SpaceUser");
                 });
 
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
             modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
                 {
                     b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
@@ -1692,74 +895,41 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Navigation("SpaceUser");
                 });
 
-            modelBuilder.Entity("SS14.Auth.Shared.Data.UserOAuthClient", b =>
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
                 {
-                    b.HasOne("IdentityServer4.EntityFramework.Entities.Client", "Client")
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
                         .WithMany()
-                        .HasForeignKey("ClientId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
+                        .HasForeignKey("SpaceUserId");
 
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.UserOAuthClient", b =>
+                {
                     b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
                         .WithMany()
                         .HasForeignKey("SpaceUserId")
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
 
-                    b.Navigation("Client");
-
                     b.Navigation("SpaceUser");
                 });
 
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResource", b =>
-                {
-                    b.Navigation("Properties");
-
-                    b.Navigation("Scopes");
-
-                    b.Navigation("Secrets");
-
-                    b.Navigation("UserClaims");
-                });
-
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiScope", b =>
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
                 {
-                    b.Navigation("Properties");
-
-                    b.Navigation("UserClaims");
+                    b.Navigation("Users");
                 });
 
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.Client", b =>
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
                 {
-                    b.Navigation("AllowedCorsOrigins");
-
-                    b.Navigation("AllowedGrantTypes");
-
-                    b.Navigation("AllowedScopes");
-
-                    b.Navigation("Claims");
-
-                    b.Navigation("ClientSecrets");
-
-                    b.Navigation("IdentityProviderRestrictions");
-
-                    b.Navigation("PostLogoutRedirectUris");
-
-                    b.Navigation("Properties");
-
-                    b.Navigation("RedirectUris");
+                    b.Navigation("Tokens");
                 });
 
-            modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.IdentityResource", b =>
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
                 {
-                    b.Navigation("Properties");
-
-                    b.Navigation("UserClaims");
-                });
+                    b.Navigation("Authorizations");
 
-            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
-                {
-                    b.Navigation("Users");
+                    b.Navigation("Tokens");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
diff --git a/SS14.Auth.Shared/Data/SpaceApplication.cs b/SS14.Auth.Shared/Data/SpaceApplication.cs
index 1723352..3c91222 100644
--- a/SS14.Auth.Shared/Data/SpaceApplication.cs
+++ b/SS14.Auth.Shared/Data/SpaceApplication.cs
@@ -1,4 +1,6 @@
-using System;
+#nullable enable
+using System;
+using JetBrains.Annotations;
 using OpenIddict.EntityFrameworkCore.Models;
 using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
@@ -6,6 +8,7 @@ namespace SS14.Auth.Shared.Data;
 
 public sealed class SpaceApplication : OpenIddictEntityFrameworkCoreApplication<string, DefaultAuthorization, DefaultToken>
 {
-    public Guid SpaceUserId { get; set; }
-    public SpaceUser SpaceUser { get; set; }
+    public Guid? SpaceUserId { get; set; }
+    public SpaceUser? SpaceUser { get; set; }
+    public string? LogoUri { get; set; }
 }
diff --git a/SS14.Auth.Shared/SS14.Auth.Shared.csproj b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
index 14795e2..5e77028 100644
--- a/SS14.Auth.Shared/SS14.Auth.Shared.csproj
+++ b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
@@ -16,9 +16,9 @@
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.13.1" />
         <PackageReference Include="MimeKit" Version="4.13.0" />
         <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
+        <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="7.0.0" />
         <PackageReference Include="OpenIddict.EntityFrameworkCore.Models" Version="7.0.0" />
         <PackageReference Include="Robust.Shared.AuthLib" Version="0.1.2" />
         <PackageReference Include="Serilog" Version="4.3.0" />
diff --git a/SS14.Auth.Shared/StartupHelpers.cs b/SS14.Auth.Shared/StartupHelpers.cs
index a5eb577..fb4ad28 100644
--- a/SS14.Auth.Shared/StartupHelpers.cs
+++ b/SS14.Auth.Shared/StartupHelpers.cs
@@ -17,6 +17,7 @@
 using SS14.Auth.Shared.Emails;
 using SS14.Auth.Shared.MutexDb;
 using SS14.Auth.Shared.Sessions;
+using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 namespace SS14.Auth.Shared;
 
@@ -42,8 +43,10 @@ public static void AddShared(IServiceCollection services, IConfiguration config)
         });
 
         services.AddDbContext<ApplicationDbContext>(options =>
-            options.UseNpgsql(
-                config.GetConnectionString("DefaultConnection")));
+        {
+            options.UseNpgsql(config.GetConnectionString("DefaultConnection"));
+            options.UseOpenIddict<SpaceApplication, DefaultAuthorization, DefaultScope, DefaultToken, string>();
+        });
 
         services.AddDataProtection()
             .PersistKeysToDbContext<ApplicationDbContext>()
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
index 538f79e..522a939 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
@@ -1,4 +1,7 @@
 @page
+@using OpenIddict.Abstractions
+@using SS14.Web.Extensions
+@using SS14.Web.Helpers
 @model SS14.Web.Areas.Identity.Pages.Account.Consent
 
 @{
@@ -28,47 +31,45 @@
     <div class="row">
         <div class="col d-flex align-items-center">
             <h2 class="text-center flex-grow-1 m-3">Authorize @*@Model.AuthRequest.Client.ClientName*@</h2>
-            @*@if (!string.IsNullOrWhiteSpace(@Model.AuthRequest.Client.LogoUri))
+            @if (!string.IsNullOrWhiteSpace(Model.Application?.LogoUri))
             {
-                <img class="rounded" height="48" src="@Model.AuthRequest.Client.LogoUri" alt="@Model.AuthRequest.Client.ClientName"/>
-            }*@
+                <img class="rounded" height="48" src="@Model.Application?.LogoUri" alt="@Model.Application?.DisplayName"/>
+            }
         </div>
     </div>
     <div class="row consent-wrap">
         <div class="col consent-contents">
             <div class="row mb-3">
                 <div class="col">
-                    @*<strong>@Model.AuthRequest.Client.ClientName</strong>*@
-                    @if (Model.UserClient != null)
+                    <strong>@Model.Application?.DisplayName</strong>
+                    @if (Model.Application != null)
                     {
                         <span>
-                            by <strong>@Model.UserClient.SpaceUser.UserName</strong>
+                            by <strong>@Model.Application?.SpaceUser?.UserName</strong>
                         </span>
                     }
                     <br/> wants access to your account <strong>@User.Identity!.Name</strong>
                 </div>
             </div>
             @{
-                // openid and profile are not worth showing.
-                @*var identityResources = Model.AuthRequest.ValidatedResources.Resources.IdentityResources
-                    .Where(c => c.Name != "openid" && c.Name != "profile")
-                    .ToArray();*@
+                // openid is not worth showing.
+                var scopes = Model.AuthRequest?.GetScopes()
+                    .Where(c => c != "openid")
+                    .ToArray();
             }
             <div class="row mb-3">
                 <div class="col">
                     <strong>Requested Account Information</strong>
                     <ul class="pl-3">
-                        <li>Name and user ID</li>
-                        @*@foreach (var resource in identityResources)
+                        @foreach (var scope in scopes ?? [])
                         {
                             <li>
-                                @resource.DisplayName
+                               @ScopeHelper.GetScopeName(scope)
                             </li>
-                        }*@
+                        }
                     </ul>
                 </div>
             </div>
-            <!-- TODO: non-identity scopes -->
             <div class="row">
                 <div class="col-6">
                     <button name="button" value="no" class="btn-block btn btn-dark">Cancel</button>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index ea78df9..48be54a 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -2,12 +2,17 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.Extensions.Logging;
 using OpenIddict.Abstractions;
+using OpenIddict.Server.AspNetCore;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Models.Types;
 using SS14.Web.Services;
+using static OpenIddict.Abstractions.OpenIddictConstants;
 
 namespace SS14.Web.Areas.Identity.Pages.Account;
 // TODO: Replace identityserver4 code in this file
@@ -56,15 +61,25 @@ public async Task<IActionResult> OnGetAsync(string returnUrl)
             case false when validation.Error.IsChallenge:
                 return Challenge(validation.Error.Properties!);
             case false:
-                return Forbid(validation.Error.Error!, "The login is required.");
+                return Forbid(validation.Error.Error!, GetErrorDescription(validation.Error.Error!));
         }
 
         var authorization = await _actionService.AuthorizeActionAsync(AuthRequest, AuthRequest.GetScopes());
         Application = authorization.Application;
 
+        return authorization.Type switch
+        {
+            AuthorizationResult.ResultType.Forbidden =>
+               Forbid(authorization.ErrorName ?? "", GetErrorDescription(authorization.ErrorName)),
+
+            AuthorizationResult.ResultType.Error =>
+                BadRequest(GetErrorDescription(authorization.ErrorName)),
 
-        
-        return Page();
+            AuthorizationResult.ResultType.SignIn =>
+                SignIn(authorization.Principal!, authenticationScheme: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme),
+
+            _ => Page(),
+        };
     }
 
     public async Task<IActionResult> OnPostAsync()
@@ -97,4 +112,22 @@ public async Task<IActionResult> OnPostAsync()
 
         return Redirect(Input.ReturnUrl);*/
     }
+
+    public static string GetScopeName(string scope) => scope switch
+    {
+        Scopes.Email => "Email",
+        Scopes.Roles => "Roles",
+        _ => scope,
+    };
+
+    // ReSharper disable once ArrangeMethodOrOperatorBody
+    private static string GetErrorDescription(string? error) => error switch
+    {
+        OpenIdActionService.ApplicationNotFoundError => "No application for the given client id.",
+        Errors.AccessDenied => "The logged in user is not allowed to access this client application.",
+        Errors.ConsentRequired => "Interactive user consent is required.",
+        Errors.UnsupportedGrantType => "The specified grant type is not supported.",
+        Errors.InvalidGrant => "The token is no longer valid.",
+        _ => "An unknown error occurred.",
+    };
 }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
index bfe5e2f..800be51 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
@@ -46,8 +46,9 @@ public RegisterModel(
 
     [BindProperty] public InputModel Input { get; set; }
 
+    // TODO: Remove nullable when done developing
     [BindProperty(Name = "h-captcha-response")]
-    public string HCaptchaResponse { get; set; }
+    public string? HCaptchaResponse { get; set; }
 
     public string ReturnUrl { get; set; }
 
@@ -150,4 +151,4 @@ public async Task<string> GenerateEmailConfirmLink(
             protocol: Request.Scheme);
         return callbackUrl;
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Web/Data/TestDataSeeder.cs b/SS14.Web/Data/TestDataSeeder.cs
new file mode 100644
index 0000000..1409e82
--- /dev/null
+++ b/SS14.Web/Data/TestDataSeeder.cs
@@ -0,0 +1,61 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using OpenIddict.Abstractions;
+
+namespace SS14.Web.Data;
+
+// TODO: Remove after development
+public sealed class TestDataSeeder(IServiceProvider serviceProvider) : IHostedService
+{
+    public async Task StartAsync(CancellationToken ct)
+    {
+        using var scope = serviceProvider.CreateScope();
+        await PopulateInternalApps(scope, ct);
+    }
+
+    public Task StopAsync(CancellationToken ct)
+    {
+        return Task.CompletedTask;
+    }
+
+    private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationToken ct)
+    {
+        var appManager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
+
+        var appDescriptor = new OpenIddictApplicationDescriptor
+        {
+            ClientId = "test_client",
+            ClientSecret = "test_secret",
+            ClientType = OpenIddictConstants.ClientTypes.Confidential,
+            DisplayName = "Test Client",
+            RedirectUris = { new Uri("https://localhost:7175/callback") },
+            Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
+            Permissions =
+            {
+                OpenIddictConstants.Permissions.Endpoints.Authorization,
+                OpenIddictConstants.Permissions.Endpoints.Token,
+                OpenIddictConstants.Permissions.Endpoints.Introspection,
+                OpenIddictConstants.Permissions.Endpoints.EndSession,
+                OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
+                OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
+                OpenIddictConstants.Permissions.ResponseTypes.Code,
+                OpenIddictConstants.Permissions.Scopes.Email,
+                OpenIddictConstants.Permissions.Scopes.Profile,
+                OpenIddictConstants.Permissions.Scopes.Roles
+            }
+        };
+
+        var client = await appManager.FindByClientIdAsync(appDescriptor.ClientId, ct);
+        if (client == null)
+        {
+            await appManager.CreateAsync(appDescriptor, ct);
+        }
+        else
+        {
+            await appManager.UpdateAsync(client, appDescriptor, ct);
+        }
+    }
+}
diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/Extensions/OpenIdExtension.cs
index b12bbf7..4405fb6 100644
--- a/SS14.Web/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/Extensions/OpenIdExtension.cs
@@ -5,9 +5,13 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using OpenIddict.Server;
 using SS14.Auth.Shared.Data;
 using SS14.ServerHub.Shared.Data;
 using SS14.Web.Configuration;
+using SS14.Web.Data;
+using SS14.Web.Services;
+using static OpenIddict.Abstractions.OpenIddictConstants;
 using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 namespace SS14.Web.Extensions;
@@ -19,18 +23,22 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
         var openId = builder.Services.AddOpenIddict();
         openId.AddCore(options =>
         {
-            options.UseEntityFrameworkCore().UseDbContext<HubDbContext>()
+            options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>()
                 .ReplaceDefaultEntities<SpaceApplication, DefaultAuthorization, DefaultScope, DefaultToken, string>();
         });
 
-        openId.AddValidation().UseLocalServer();
-        openId.AddValidation().UseAspNetCore();
-
-        openId.AddServer().Configure(config => builder.Configuration.Bind("OpenId:Server", config));
-        openId.AddServer().UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableStatusCodePagesIntegration();
+        openId.AddServer()
+            .Configure(config => builder.Configuration.Bind("OpenId:Server", config))
+            .UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableStatusCodePagesIntegration();
         ConfigureCertificates(openId, builder);
 
+        openId.AddValidation().UseLocalServer();
+        openId.AddValidation().UseAspNetCore();
 
+        builder.Services.AddHostedService<TestDataSeeder>();
+        builder.Services.AddScoped<IdentityClaimsProvider>();
+        builder.Services.AddScoped<SignedInIdentityService>();
+        builder.Services.AddScoped<OpenIdActionService>();
     }
 
     public static void UseOpenIdConnect(this WebApplication app)
diff --git a/SS14.Web/Helpers/ScopeHelper.cs b/SS14.Web/Helpers/ScopeHelper.cs
new file mode 100644
index 0000000..6f1810d
--- /dev/null
+++ b/SS14.Web/Helpers/ScopeHelper.cs
@@ -0,0 +1,15 @@
+using static OpenIddict.Abstractions.OpenIddictConstants;
+
+namespace SS14.Web.Helpers;
+
+public static class ScopeHelper
+{
+    // ReSharper disable once ArrangeMethodOrOperatorBody
+    public static string GetScopeName(string scope) => scope switch
+    {
+        Scopes.Profile => "Name and user ID",
+        Scopes.Email => "Email",
+        Scopes.Roles => "Roles",
+        _ => scope,
+    };
+}
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index 745875d..06c26d8 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -8,12 +8,14 @@
 using Prometheus;
 using Serilog;
 using SS14.Auth.Shared;
+using SS14.Auth.Shared.Data;
 using SS14.ServerHub.Shared.Data;
 using SS14.Web;
 using SS14.Web.Data;
 using SS14.Web.Extensions;
 using SS14.Web.HCaptcha;
 using SS14.WebEverythingShared;
+using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 var builder = WebApplication.CreateBuilder();
 
@@ -42,7 +44,6 @@
         ?? throw new InvalidOperationException("Must set HubConnection");
 
     options.UseNpgsql(connectionString);
-    options.UseOpenIddict();
 });
 
 // Auth
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index bfbbf5e..5549f71 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -3,11 +3,15 @@
     <PropertyGroup>
         <TargetFramework>net9.0</TargetFramework>
         <LangVersion>12</LangVersion>
-        <Nullable>true</Nullable>
+        <Nullable>enable</Nullable>
     </PropertyGroup>
 
     <ItemGroup>
         <PackageReference Include="AspNet.Security.OAuth.Patreon" Version="9.4.0" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.8">
+          <PrivateAssets>all</PrivateAssets>
+          <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
         <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
         <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
         <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" Condition="'$(Configuration)' == 'Debug'" />
diff --git a/SS14.Web/appsettings.yml b/SS14.Web/appsettings.yml
index c6fe967..b5f575d 100644
--- a/SS14.Web/appsettings.yml
+++ b/SS14.Web/appsettings.yml
@@ -30,10 +30,7 @@ Account:
 
 OpenId:
   Server:
-    AuthorizationEndpointUris:
-    - connect/authorize
-    - connect/authorize/accept
-    - connect/authorize/deny
+    AuthorizationEndpointUris: [ Identity/Account/Consent ]
     TokenEndpointUris: [ connect/token ]
     EndSessionEndpointUris: [ connect/endsession ]
     UserInfoEndpointUris: [ connect/userinfo ]

From 34f9134b12de03d718cf13153a6a694fa7baaa3f Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 14:35:53 +0200
Subject: [PATCH 11/43] Fix wrong get openiddict request method call

---
 SS14.Auth.Shared/Data/AccountLogManager.cs      |  5 +++--
 .../Identity/Pages/Account/Consent.cshtml.cs    |  2 +-
 SS14.Web/Data/TestDataSeeder.cs                 | 17 +++++++++++++++++
 SS14.Web/Extensions/OpenIdExtension.cs          |  7 ++++---
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/SS14.Auth.Shared/Data/AccountLogManager.cs b/SS14.Auth.Shared/Data/AccountLogManager.cs
index c067042..e5c1461 100644
--- a/SS14.Auth.Shared/Data/AccountLogManager.cs
+++ b/SS14.Auth.Shared/Data/AccountLogManager.cs
@@ -81,11 +81,12 @@ public AccountLogActor NoActor()
     private IPAddress? GetActorIP()
     {
         if (httpContextAccessor.HttpContext == null)
-            throw new InvalidOperationException("Unable to get HttpContext!");
+            return null;
+            // TODO: Undo commenting this out throw new InvalidOperationException("Unable to get HttpContext!");
 
         var address = httpContextAccessor.HttpContext.Connection.RemoteIpAddress;
         return address;
     }
 }
 
-public sealed record AccountLogActor(Guid? User, IPAddress? Address);
\ No newline at end of file
+public sealed record AccountLogActor(Guid? User, IPAddress? Address);
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index 48be54a..24ee90f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -45,7 +45,7 @@ public Consent(ApplicationDbContext dbContext, ILogger<Consent> logger, OpenIdAc
     public async Task<IActionResult> OnGetAsync(string returnUrl)
     {
         ReturnUrl = returnUrl;
-        AuthRequest = HttpContext.GetOpenIddictClientRequest();
+        AuthRequest = HttpContext.GetOpenIddictServerRequest();
 
         if (AuthRequest is null)
             return BadRequest();
diff --git a/SS14.Web/Data/TestDataSeeder.cs b/SS14.Web/Data/TestDataSeeder.cs
index 1409e82..add2f56 100644
--- a/SS14.Web/Data/TestDataSeeder.cs
+++ b/SS14.Web/Data/TestDataSeeder.cs
@@ -1,9 +1,11 @@
 using System;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using OpenIddict.Abstractions;
+using SS14.Auth.Shared.Data;
 
 namespace SS14.Web.Data;
 
@@ -14,6 +16,7 @@ public async Task StartAsync(CancellationToken ct)
     {
         using var scope = serviceProvider.CreateScope();
         await PopulateInternalApps(scope, ct);
+        await PopulateUsersAsync(scope);
     }
 
     public Task StopAsync(CancellationToken ct)
@@ -58,4 +61,18 @@ private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationTo
             await appManager.UpdateAsync(client, appDescriptor, ct);
         }
     }
+
+    private async ValueTask PopulateUsersAsync(IServiceScope scope)
+    {
+        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<SpaceUser>>();
+
+        var user = new SpaceUser
+        {
+            UserName = "TestUser",
+            Email = "test@example.test",
+            EmailConfirmed = true,
+        };
+
+        await userManager.CreateAsync(user, "Test123456$");
+    }
 }
diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/Extensions/OpenIdExtension.cs
index 4405fb6..5907837 100644
--- a/SS14.Web/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/Extensions/OpenIdExtension.cs
@@ -5,6 +5,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using OpenIddict.Client.AspNetCore;
 using OpenIddict.Server;
 using SS14.Auth.Shared.Data;
 using SS14.ServerHub.Shared.Data;
@@ -27,14 +28,14 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
                 .ReplaceDefaultEntities<SpaceApplication, DefaultAuthorization, DefaultScope, DefaultToken, string>();
         });
 
+        openId.AddValidation().UseLocalServer();
+        openId.AddValidation().UseAspNetCore();
+
         openId.AddServer()
             .Configure(config => builder.Configuration.Bind("OpenId:Server", config))
             .UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableStatusCodePagesIntegration();
         ConfigureCertificates(openId, builder);
 
-        openId.AddValidation().UseLocalServer();
-        openId.AddValidation().UseAspNetCore();
-
         builder.Services.AddHostedService<TestDataSeeder>();
         builder.Services.AddScoped<IdentityClaimsProvider>();
         builder.Services.AddScoped<SignedInIdentityService>();

From 588619296c68dd3247d0b8e8162388143a29b957 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 15:52:10 +0200
Subject: [PATCH 12/43] Finish implementing the oidc authorization/consent
 endpoint

---
 OAuthTest/Startup.cs                          |  16 +--
 SS14.Auth.Shared/StartupHelpers.cs            |   1 +
 .../Identity/Pages/Account/Consent.cshtml     |  16 ++-
 .../Identity/Pages/Account/Consent.cshtml.cs  | 113 ++++++++++++------
 SS14.Web/Data/TestDataSeeder.cs               |   4 +-
 SS14.Web/Helpers/AuthResults.cs               |  22 ++++
 SS14.Web/Program.cs                           |  10 ++
 SS14.Web/Services/OpenIdActionService.cs      |   8 +-
 8 files changed, 134 insertions(+), 56 deletions(-)
 create mode 100644 SS14.Web/Helpers/AuthResults.cs

diff --git a/OAuthTest/Startup.cs b/OAuthTest/Startup.cs
index 0ec8a6a..2fab532 100644
--- a/OAuthTest/Startup.cs
+++ b/OAuthTest/Startup.cs
@@ -24,10 +24,10 @@ public void ConfigureServices(IServiceCollection services)
         services.AddHttpLogging(logging =>
         {
             logging.LoggingFields = HttpLoggingFields.All;
-            //Write your code to configure the HttpLogging middleware here    
+            //Write your code to configure the HttpLogging middleware here
         });
         JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
-            
+
         services.AddControllersWithViews();
 
         services.AddAuthentication(options =>
@@ -39,15 +39,15 @@ public void ConfigureServices(IServiceCollection services)
             .AddOpenIdConnect("oidc", options =>
             {
                 options.SignInScheme = "Cookies";
-                    
-                options.Authority = "https://localhost:5003";
-                options.ClientId = "A";
-                options.ClientSecret = "A";
+
+                options.Authority = "https://localhost:5001";
+                options.ClientId = "test_client";
+                options.ClientSecret = "test_secret";
 
                 options.GetClaimsFromUserInfoEndpoint = true;
                 options.ResponseType = OpenIdConnectResponseType.Code;
                 //options.SaveTokens = true;
-                    
+
                 options.Scope.Add("profile");
                 options.Scope.Add("email");
                 options.ResponseType = "code";
@@ -85,4 +85,4 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 pattern: "{controller=Home}/{action=Index}/{id?}");
         });
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Auth.Shared/StartupHelpers.cs b/SS14.Auth.Shared/StartupHelpers.cs
index fb4ad28..a98d43c 100644
--- a/SS14.Auth.Shared/StartupHelpers.cs
+++ b/SS14.Auth.Shared/StartupHelpers.cs
@@ -1,6 +1,7 @@
 using System;
 using System.IO;
 using System.Security.Cryptography;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
index 522a939..fbe5187 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
@@ -1,4 +1,5 @@
 @page
+@using Microsoft.Extensions.Primitives
 @using OpenIddict.Abstractions
 @using SS14.Web.Extensions
 @using SS14.Web.Helpers
@@ -22,7 +23,12 @@
 <!-- totally not ripped from github's -->
 
 <form style="max-width: 500px" method="post" class="container-fluid">
-    <input type="hidden" asp-for="ReturnUrl"/>
+    @* Pass request parameters through so they can be handled by the accept/deny handlers*@
+    @foreach (var parameter in HttpContext.Request.HasFormContentType ? (IEnumerable<KeyValuePair<string, StringValues>>) HttpContext.Request.Form : HttpContext.Request.Query)
+    {
+        <input type="hidden" name="@parameter.Key" value="@parameter.Value"/>
+    }
+
     <div class="row">
         <div class="col">
             <img alt="Space Station 14" src="~/logo-long-auth-o.svg" class="img-fluid p-3"/>
@@ -42,7 +48,7 @@
             <div class="row mb-3">
                 <div class="col">
                     <strong>@Model.Application?.DisplayName</strong>
-                    @if (Model.Application != null)
+                    @if (Model.Application?.SpaceUser != null)
                     {
                         <span>
                             by <strong>@Model.Application?.SpaceUser?.UserName</strong>
@@ -64,7 +70,7 @@
                         @foreach (var scope in scopes ?? [])
                         {
                             <li>
-                               @ScopeHelper.GetScopeName(scope)
+                                @ScopeHelper.GetScopeName(scope)
                             </li>
                         }
                     </ul>
@@ -72,10 +78,10 @@
             </div>
             <div class="row">
                 <div class="col-6">
-                    <button name="button" value="no" class="btn-block btn btn-dark">Cancel</button>
+                    <button name="Button" value="no" class="btn-block btn btn-dark">Cancel</button>
                 </div>
                 <div class="col-6">
-                    <button name="button" value="yes" class="btn-block btn btn-success">Authorize</button>
+                    <button  name="Button" value="yes" class="btn-block btn btn-success">Authorize</button>
                 </div>
             </div>
         </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index 24ee90f..7205ec5 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -1,4 +1,6 @@
 #nullable enable
+using System.Collections.Immutable;
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore;
 using Microsoft.AspNetCore.Authentication;
@@ -10,6 +12,7 @@
 using OpenIddict.Abstractions;
 using OpenIddict.Server.AspNetCore;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Helpers;
 using SS14.Web.Models.Types;
 using SS14.Web.Services;
 using static OpenIddict.Abstractions.OpenIddictConstants;
@@ -24,6 +27,7 @@ public sealed class Consent : PageModel
 
     public OpenIddictRequest? AuthRequest { get; private set; }
     public SpaceApplication? Application { get; private set; }
+    public ImmutableArray<string> RequestScopes { get; private set; }
     public string? ReturnUrl { get; set; }
 
     [BindProperty] public InputModel? Input { get; set; }
@@ -31,7 +35,6 @@ public sealed class Consent : PageModel
     [ValidateAntiForgeryToken]
     public sealed class InputModel
     {
-        public string? ReturnUrl { get; set; }
         public string? Button { get; set; }
     }
 
@@ -42,7 +45,60 @@ public Consent(ApplicationDbContext dbContext, ILogger<Consent> logger, OpenIdAc
         _actionService = actionService;
     }
 
-    public async Task<IActionResult> OnGetAsync(string returnUrl)
+    public async Task<IActionResult> OnGetAsync(string? returnUrl)
+    {
+        return await HandleAuthorization(returnUrl);
+    }
+
+    public async Task<IActionResult> OnPostAsync(string? returnUrl)
+    {
+        switch (Input?.Button)
+        {
+            case "no":
+                return Forbid(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+            case "yes":
+                return await HandleAccept();
+            default:
+                return await HandleAuthorization(returnUrl);
+
+                return NotFound();
+                /*var request = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl);
+        if (request == null)
+            return RedirectToAction("Error", "Home");
+
+        var response = new ConsentResponse();
+        if (Input.Button == "yes")
+        {
+            var resources = request.ValidatedResources.Resources;
+
+            // TODO: Maybe allow configuring this?
+            response.RememberConsent = true;
+            response.ScopesValuesConsented = resources.ApiScopes.Select(x => x.Name)
+                .Concat(resources.IdentityResources.Select(x => x.Name));
+        }
+        else if (Input.Button == "no")
+        {
+            response.Error = AuthorizationError.AccessDenied;
+        }
+        else
+        {
+            return BadRequest();
+        }
+
+        await _interaction.GrantConsentAsync(request, response);
+
+        return Redirect(Input.ReturnUrl);*/
+        }
+    }
+
+    public static string GetScopeName(string scope) => scope switch
+    {
+        Scopes.Email => "Email",
+        Scopes.Roles => "Roles",
+        _ => scope,
+    };
+
+    private async Task<IActionResult> HandleAuthorization(string? returnUrl)
     {
         ReturnUrl = returnUrl;
         AuthRequest = HttpContext.GetOpenIddictServerRequest();
@@ -61,16 +117,18 @@ public async Task<IActionResult> OnGetAsync(string returnUrl)
             case false when validation.Error.IsChallenge:
                 return Challenge(validation.Error.Properties!);
             case false:
-                return Forbid(validation.Error.Error!, GetErrorDescription(validation.Error.Error!));
+                return AuthResults.Forbid(validation.Error.Error!, GetErrorDescription(validation.Error.Error!));
         }
 
-        var authorization = await _actionService.AuthorizeActionAsync(AuthRequest, AuthRequest.GetScopes());
+        // Ensure the request contains the openid and profile scopes
+        RequestScopes = [..AuthRequest.GetScopes().Union(["openid", "profile"])];
+        var authorization = await _actionService.AuthorizeActionAsync(AuthRequest, RequestScopes);
         Application = authorization.Application;
 
         return authorization.Type switch
         {
             AuthorizationResult.ResultType.Forbidden =>
-               Forbid(authorization.ErrorName ?? "", GetErrorDescription(authorization.ErrorName)),
+                AuthResults.Forbid(authorization.ErrorName ?? "", GetErrorDescription(authorization.ErrorName)),
 
             AuthorizationResult.ResultType.Error =>
                 BadRequest(GetErrorDescription(authorization.ErrorName)),
@@ -82,44 +140,25 @@ public async Task<IActionResult> OnGetAsync(string returnUrl)
         };
     }
 
-    public async Task<IActionResult> OnPostAsync()
+    private async Task<IActionResult> HandleAccept()
     {
-        return NotFound();
-        /*var request = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl);
-        if (request == null)
-            return RedirectToAction("Error", "Home");
+        var request = HttpContext.GetOpenIddictServerRequest();
+        if (request is null)
+            return BadRequest("The OpenID Connect request cannot be retrieved.");
 
-        var response = new ConsentResponse();
-        if (Input.Button == "yes")
-        {
-            var resources = request.ValidatedResources.Resources;
+        var result = await _actionService.AcceptActionAsync(request, request.GetScopes());
 
-            // TODO: Maybe allow configuring this?
-            response.RememberConsent = true;
-            response.ScopesValuesConsented = resources.ApiScopes.Select(x => x.Name)
-                .Concat(resources.IdentityResources.Select(x => x.Name));
-        }
-        else if (Input.Button == "no")
+        return result.Type switch
         {
-            response.Error = AuthorizationError.AccessDenied;
-        }
-        else
-        {
-            return BadRequest();
-        }
-
-        await _interaction.GrantConsentAsync(request, response);
-
-        return Redirect(Input.ReturnUrl);*/
+            ConsentResult.ResultType.SignIn =>
+                SignIn(result.Principal!,
+                    authenticationScheme: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme),
+            ConsentResult.ResultType.Forbid =>
+                 AuthResults.Forbid(result.ErrorName ?? "", GetErrorDescription(result.ErrorName)),
+            _ => BadRequest(GetErrorDescription(result.ErrorName))
+        };
     }
 
-    public static string GetScopeName(string scope) => scope switch
-    {
-        Scopes.Email => "Email",
-        Scopes.Roles => "Roles",
-        _ => scope,
-    };
-
     // ReSharper disable once ArrangeMethodOrOperatorBody
     private static string GetErrorDescription(string? error) => error switch
     {
diff --git a/SS14.Web/Data/TestDataSeeder.cs b/SS14.Web/Data/TestDataSeeder.cs
index add2f56..23ec772 100644
--- a/SS14.Web/Data/TestDataSeeder.cs
+++ b/SS14.Web/Data/TestDataSeeder.cs
@@ -34,7 +34,7 @@ private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationTo
             ClientSecret = "test_secret",
             ClientType = OpenIddictConstants.ClientTypes.Confidential,
             DisplayName = "Test Client",
-            RedirectUris = { new Uri("https://localhost:7175/callback") },
+            RedirectUris = { new Uri("https://localhost:5001/signin-oidc") },
             Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
             Permissions =
             {
@@ -47,7 +47,7 @@ private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationTo
                 OpenIddictConstants.Permissions.ResponseTypes.Code,
                 OpenIddictConstants.Permissions.Scopes.Email,
                 OpenIddictConstants.Permissions.Scopes.Profile,
-                OpenIddictConstants.Permissions.Scopes.Roles
+                OpenIddictConstants.Permissions.Scopes.Roles,
             }
         };
 
diff --git a/SS14.Web/Helpers/AuthResults.cs b/SS14.Web/Helpers/AuthResults.cs
new file mode 100644
index 0000000..ac2ef04
--- /dev/null
+++ b/SS14.Web/Helpers/AuthResults.cs
@@ -0,0 +1,22 @@
+using System.Collections.Generic;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using OpenIddict.Server.AspNetCore;
+using static OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreConstants;
+
+namespace SS14.Web.Helpers;
+
+public static class AuthResults
+{
+    public static ForbidResult Forbid(string error, string description)
+    {
+        return new ForbidResult(
+            authenticationSchemes: [OpenIddictServerAspNetCoreDefaults.AuthenticationScheme],
+            properties: new AuthenticationProperties(new Dictionary<string, string?>
+            {
+                [Properties.Error] = error,
+                [Properties.ErrorDescription] = description,
+            }));
+    }
+}
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index 06c26d8..7444336 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -1,6 +1,8 @@
 #nullable enable
 using System;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -83,6 +85,14 @@
 builder.Services.AddScoped<PersonalDataCollector>();
 builder.AddShared();
 
+builder.Services.Configure<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme,
+    options =>
+    {
+        options.LoginPath = $"/Identity/Account/Login";
+        options.LogoutPath = $"/Identity/Account/Logout";
+        options.AccessDeniedPath = $"/Identity/Account/AccessDenied";
+    });
+
 var app = builder.Build();
 
 app.UseSerilogRequestLogging(options =>
diff --git a/SS14.Web/Services/OpenIdActionService.cs b/SS14.Web/Services/OpenIdActionService.cs
index a25109b..9fdfe0b 100644
--- a/SS14.Web/Services/OpenIdActionService.cs
+++ b/SS14.Web/Services/OpenIdActionService.cs
@@ -52,13 +52,13 @@ public Result<Void, AuthenticationValidationFailure> ValidateOpenIdAuthenticatio
         if (auth.Succeeded)
             return Result<Void, AuthenticationValidationFailure>.Success(Void.Nothing);
 
-        var ignoreChallenge = context.Session.GetString(IgnoreChallengeKey);
+        //var ignoreChallenge = context.Session.GetString(IgnoreChallengeKey);
 
         if (auth.Succeeded
             && !request.HasPromptValue(PromptValues.Login)
             && request.MaxAge is not 0
             && (request.MaxAge is null || auth.Properties?.IssuedUtc is null || TimeProvider.System.GetUtcNow() - auth.Properties.IssuedUtc < TimeSpan.FromSeconds(request.MaxAge.Value))
-            && ignoreChallenge is null or "false")
+            )//&& ignoreChallenge is null or "false")
         {
             return Result<Void, AuthenticationValidationFailure>.Success(Void.Nothing);
         }
@@ -66,11 +66,11 @@ public Result<Void, AuthenticationValidationFailure> ValidateOpenIdAuthenticatio
         if (request.HasPromptValue(PromptValues.None))
             return Result<Void, AuthenticationValidationFailure>.Failure(AuthenticationValidationFailure.LoginRequired);
 
-        context.Session.SetString(IgnoreChallengeKey, "true");
+        //context.Session.SetString(IgnoreChallengeKey, "true");
         var properties = new AuthenticationProperties
         {
             RedirectUri = context.Request.PathBase + context.Request.Path + QueryString.Create(
-                context.Request.HasFormContentType ? context.Request.Form : context.Request.Query)
+                context.Request.HasFormContentType ? context.Request.Form : context.Request.Query),
         };
 
         return Result<Void, AuthenticationValidationFailure>.Failure(AuthenticationValidationFailure.Challenge(properties));

From ed44b1bac469f82c38865095c995dd618fc5b20f Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 20:45:25 +0200
Subject: [PATCH 13/43] Clean up Consent.cshtml and codebehind

---
 .../Identity/Pages/Account/Consent.cshtml     |  1 -
 .../Identity/Pages/Account/Consent.cshtml.cs  | 51 +++----------------
 SS14.Web/SS14.Web.csproj                      |  1 -
 3 files changed, 6 insertions(+), 47 deletions(-)

diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
index fbe5187..f472afe 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml
@@ -8,7 +8,6 @@
 @{
     Layout = null;
 }
-@* TODO: Replace identityserver4 code in this file *@
 <!DOCTYPE html>
 <html lang="en">
 <head>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index 7205ec5..aed5b40 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -4,11 +4,8 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.Extensions.Logging;
 using OpenIddict.Abstractions;
 using OpenIddict.Server.AspNetCore;
 using SS14.Auth.Shared.Data;
@@ -18,11 +15,8 @@
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
 namespace SS14.Web.Areas.Identity.Pages.Account;
-// TODO: Replace identityserver4 code in this file
 public sealed class Consent : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
-    private readonly ILogger<Consent> _logger;
     private readonly OpenIdActionService _actionService;
 
     public OpenIddictRequest? AuthRequest { get; private set; }
@@ -38,10 +32,8 @@ public sealed class InputModel
         public string? Button { get; set; }
     }
 
-    public Consent(ApplicationDbContext dbContext, ILogger<Consent> logger, OpenIdActionService actionService)
+    public Consent(OpenIdActionService actionService)
     {
-        _dbContext = dbContext;
-        _logger = logger;
         _actionService = actionService;
     }
 
@@ -52,43 +44,12 @@ public async Task<IActionResult> OnGetAsync(string? returnUrl)
 
     public async Task<IActionResult> OnPostAsync(string? returnUrl)
     {
-        switch (Input?.Button)
+        return Input?.Button switch
         {
-            case "no":
-                return Forbid(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
-            case "yes":
-                return await HandleAccept();
-            default:
-                return await HandleAuthorization(returnUrl);
-
-                return NotFound();
-                /*var request = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl);
-        if (request == null)
-            return RedirectToAction("Error", "Home");
-
-        var response = new ConsentResponse();
-        if (Input.Button == "yes")
-        {
-            var resources = request.ValidatedResources.Resources;
-
-            // TODO: Maybe allow configuring this?
-            response.RememberConsent = true;
-            response.ScopesValuesConsented = resources.ApiScopes.Select(x => x.Name)
-                .Concat(resources.IdentityResources.Select(x => x.Name));
-        }
-        else if (Input.Button == "no")
-        {
-            response.Error = AuthorizationError.AccessDenied;
-        }
-        else
-        {
-            return BadRequest();
-        }
-
-        await _interaction.GrantConsentAsync(request, response);
-
-        return Redirect(Input.ReturnUrl);*/
-        }
+            "no" => Forbid(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme),
+            "yes" => await HandleAccept(),
+            _ => await HandleAuthorization(returnUrl)
+        };
     }
 
     public static string GetScopeName(string scope) => scope switch
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 5549f71..7a8eb7a 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -3,7 +3,6 @@
     <PropertyGroup>
         <TargetFramework>net9.0</TargetFramework>
         <LangVersion>12</LangVersion>
-        <Nullable>enable</Nullable>
     </PropertyGroup>
 
     <ItemGroup>

From 69604599c86bcf9aa155d83be6cdab81449453df Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 22:08:16 +0200
Subject: [PATCH 14/43] Remove IS4 code from ApplicationDbContext

---
 SS14.Auth.Shared/Data/ApplicationDbContext.cs | 55 +------------------
 1 file changed, 1 insertion(+), 54 deletions(-)

diff --git a/SS14.Auth.Shared/Data/ApplicationDbContext.cs b/SS14.Auth.Shared/Data/ApplicationDbContext.cs
index de20479..9f93980 100644
--- a/SS14.Auth.Shared/Data/ApplicationDbContext.cs
+++ b/SS14.Auth.Shared/Data/ApplicationDbContext.cs
@@ -5,12 +5,8 @@
 
 namespace SS14.Auth.Shared.Data;
 
-// TODO: Replace identityserver4 code in this file
-
 public class ApplicationDbContext : IdentityDbContext<SpaceUser, SpaceRole, Guid>,
-    IDataProtectionKeyContext //,
-    //IConfigurationDbContext,
-    //IPersistedGrantDbContext
+    IDataProtectionKeyContext
 {
     public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
         : base(options)
@@ -69,38 +65,6 @@ protected override void OnModelCreating(ModelBuilder builder)
         builder.Entity<HwidUser>()
             .HasIndex(h => new { h.HwidId, h.SpaceUserId })
             .IsUnique();
-
-        /*var cfgStoreOptions = new ConfigurationStoreOptions
-        {
-            IdentityResource = new TableConfiguration("IdentityResources", "IS4"),
-            IdentityResourceClaim = new TableConfiguration("IdentityResourceClaims", "IS4"),
-            IdentityResourceProperty = new TableConfiguration("IdentityResourceProperties", "IS4"),
-            ApiResource = new TableConfiguration("ApiResources", "IS4"),
-            ApiResourceSecret = new TableConfiguration("ApiResourceSecrets", "IS4"),
-            ApiResourceScope = new TableConfiguration("ApiResourceScopes", "IS4"),
-            ApiResourceClaim = new TableConfiguration("ApiResourceClaims", "IS4"),
-            ApiResourceProperty = new TableConfiguration("ApiResourceProperties", "IS4"),
-            Client = new TableConfiguration("Clients", "IS4"),
-            ClientGrantType = new TableConfiguration("ClientGrantTypes", "IS4"),
-            ClientRedirectUri = new TableConfiguration("ClientRedirectUris", "IS4"),
-            ClientPostLogoutRedirectUri = new TableConfiguration("ClientPostLogoutRedirectUris", "IS4"),
-            ClientScopes = new TableConfiguration("ClientScopes", "IS4"),
-            ClientSecret = new TableConfiguration("ClientSecrets", "IS4"),
-            ClientClaim = new TableConfiguration("ClientClaims", "IS4"),
-            ClientIdPRestriction = new TableConfiguration("ClientIdPRestrictions", "IS4"),
-            ClientCorsOrigin = new TableConfiguration("ClientCorsOrigins", "IS4"),
-            ClientProperty = new TableConfiguration("ClientProperties", "IS4"),
-            ApiScope = new TableConfiguration("ApiScopes", "IS4"),
-            ApiScopeClaim = new TableConfiguration("ApiScopeClaims", "IS4"),
-            ApiScopeProperty = new TableConfiguration("ApiScopeProperties", "IS4")
-        };
-        builder.ConfigureClientContext(cfgStoreOptions);
-        builder.ConfigureResourcesContext(cfgStoreOptions);
-        builder.ConfigurePersistedGrantContext(new OperationalStoreOptions
-        {
-            PersistedGrants = new TableConfiguration("PersistedGrants", "IS4"),
-            DeviceFlowCodes = new TableConfiguration("DeviceCodes", "IS4"),
-        });*/
     }
 
     public DbSet<LoginSession> ActiveSessions { get; set; }
@@ -115,21 +79,4 @@ protected override void OnModelCreating(ModelBuilder builder)
     public DbSet<AccountLog> AccountLogs { get; set; }
     public DbSet<Hwid> Hwids { get; set; }
     public DbSet<HwidUser> HwidUsers { get; set; }
-
-    // IS4 configuration.
-    /*public DbSet<Client> Clients { get; set; }
-    public DbSet<ClientSecret> ClientSecrets { get; set; }
-    public DbSet<ClientCorsOrigin> ClientCorsOrigins { get; set; }
-    public DbSet<IdentityResource> IdentityResources { get; set; }
-    public DbSet<ApiResource> ApiResources { get; set; }
-    public DbSet<ApiScope> ApiScopes { get; set; }
-
-    // IS4 operational.
-    public DbSet<PersistedGrant> PersistedGrants { get; set; }
-    public DbSet<DeviceFlowCodes> DeviceFlowCodes { get; set; }
-
-    Task<int> IPersistedGrantDbContext.SaveChangesAsync()
-    {
-        return base.SaveChangesAsync();
-    }*/
 }

From 20873e63b819023f07a42a93eafcbbf307abb7b9 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 22:12:33 +0200
Subject: [PATCH 15/43] Remove UserOauthClient

---
 SS14.Auth.Shared/Data/ApplicationDbContext.cs  |  5 -----
 SS14.Auth.Shared/Data/UserOAuthClient.cs       | 18 ------------------
 .../Pages/Account/Manage/Developer.cshtml      |  9 +++++----
 .../Pages/Account/Manage/Developer.cshtml.cs   |  2 +-
 .../Manage/OAuthApps/ConfirmDelete.cshtml.cs   | 18 +++++++++---------
 .../Account/Manage/OAuthApps/Manage.cshtml     |  4 ++--
 .../Account/Manage/OAuthApps/Manage.cshtml.cs  | 14 +++++++-------
 7 files changed, 24 insertions(+), 46 deletions(-)
 delete mode 100644 SS14.Auth.Shared/Data/UserOAuthClient.cs

diff --git a/SS14.Auth.Shared/Data/ApplicationDbContext.cs b/SS14.Auth.Shared/Data/ApplicationDbContext.cs
index 9f93980..56e429a 100644
--- a/SS14.Auth.Shared/Data/ApplicationDbContext.cs
+++ b/SS14.Auth.Shared/Data/ApplicationDbContext.cs
@@ -54,10 +54,6 @@ protected override void OnModelCreating(ModelBuilder builder)
             .HasIndex(p => p.SpaceUserId)
             .IsUnique();
 
-        builder.Entity<UserOAuthClient>()
-            .HasIndex(p => new { p.ClientId })
-            .IsUnique();
-
         builder.Entity<Hwid>()
             .HasIndex(h => h.ClientData)
             .IsUnique();
@@ -74,7 +70,6 @@ protected override void OnModelCreating(ModelBuilder builder)
     public DbSet<WhitelistEmail> WhitelistEmails { get; set; }
     public DbSet<Patron> Patrons { get; set; }
     public DbSet<PatreonWebhookLog> PatreonWebhookLogs { get; set; }
-    public DbSet<UserOAuthClient> UserOAuthClients { get; set; }
     public DbSet<PastAccountName> PastAccountNames { get; set; }
     public DbSet<AccountLog> AccountLogs { get; set; }
     public DbSet<Hwid> Hwids { get; set; }
diff --git a/SS14.Auth.Shared/Data/UserOAuthClient.cs b/SS14.Auth.Shared/Data/UserOAuthClient.cs
deleted file mode 100644
index f47844b..0000000
--- a/SS14.Auth.Shared/Data/UserOAuthClient.cs
+++ /dev/null
@@ -1,18 +0,0 @@
-
-using System;
-
-namespace SS14.Auth.Shared.Data;
-
-// TODO: Delete
-public sealed class UserOAuthClient
-{
-    public int UserOAuthClientId { get; set; }
-
-    public Guid SpaceUserId { get; set; }
-    public int ClientId { get; set; }
-
-    public SpaceUser SpaceUser { get; set; }
-    // TODO: Replace identityserver4 code in this file
-
-    //public Client Client { get; set; }
-}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
index 9441661..b7d6720 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
@@ -18,9 +18,10 @@
 </p>
 
 <div class="list-group-flush">
-    @foreach (var app in Model.OAuthClients)
+    @*@foreach (var app in Model.OAuthClients)
     {
-        @* TODO: Replace identityserver4 code in this file *@
-        @*<a asp-page="./OAuthApps/Manage" asp-route-client="@app.UserOAuthClientId" class="list-group-item">@app.Client.ClientName</a>*@
-    }
+        TODO: Replace identityserver4 code in this file
+
+        <a asp-page="./OAuthApps/Manage" asp-route-client="@app.UserOAuthClientId" class="list-group-item">@app.Client.ClientName</a>
+    }*@
 </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
index 954785e..3cd4c6c 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
@@ -13,7 +13,7 @@ public class Developer : PageModel
     private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
 
-    public List<UserOAuthClient> OAuthClients { get; set; }
+    //public List<UserOAuthClient> OAuthClients { get; set; }
 
     public Developer(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager)
     {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
index 144d318..af469b7 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
@@ -20,7 +20,7 @@ public ConfirmDelete(ApplicationDbContext dbContext, UserManager<SpaceUser> user
         _userManager = userManager;
     }
 
-    public UserOAuthClient App { get; set; }
+    //public UserOAuthClient App { get; set; }
 
     public async Task<IActionResult> OnGetAsync(int client)
     {
@@ -28,11 +28,11 @@ public async Task<IActionResult> OnGetAsync(int client)
         //App = await _dbContext.UserOAuthClients.Include(a => a.Client)
         //    .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
 
-        if (App == null)
-            return NotFound();
+        //if (App == null)
+        //    return NotFound();
 
-        if (!Manage.VerifyAppAccess(user, App))
-            return Forbid();
+        //if (!Manage.VerifyAppAccess(user, App))
+        //    return Forbid();
 
         return Page();
     }
@@ -43,11 +43,11 @@ public async Task<IActionResult> OnPostDeleteAsync(int client)
         //App = await _dbContext.UserOAuthClients.Include(a => a.Client)
         //    .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
 
-        if (App == null)
-            return NotFound();
+        //if (App == null)
+        //    return NotFound();
 
-        if (!Manage.VerifyAppAccess(user, App))
-            return Forbid();
+        //if (!Manage.VerifyAppAccess(user, App))
+        //    return Forbid();
 
        // _dbContext.Remove(App.Client);
 
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index a7e0191..aa66221 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -97,11 +97,11 @@
     </div>
     <div class="row">
         <div class="col">
-            <a asp-page="./ConfirmDelete" class="btn btn-danger" asp-route-client="@Model.App.UserOAuthClientId">Delete</a>
+            @*<a asp-page="./ConfirmDelete" class="btn btn-danger" asp-route-client="@Model.App.UserOAuthClientId">Delete</a>
             @if (User.IsInRole(AuthConstants.RoleSysAdmin))
             {
                 <a asp-area="Admin" asp-page="/Clients/Client" class="btn btn-primary" asp-route-id="@Model.App.ClientId">Hub Admin</a>
-            }
+            }*@
         </div>
     </div>
 </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index fd25c85..e22693d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -19,7 +19,7 @@ public class Manage : PageModel
     private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
 
-    public UserOAuthClient App { get; set; }
+    //public UserOAuthClient App { get; set; }
 
     [BindProperty] public InputModel Input { get; set; }
 
@@ -141,19 +141,19 @@ private async Task<IActionResult> GetAppAndVerifyAccess(int client)
         //    .ThenInclude(c => c.ClientSecrets)
         //    .SingleOrDefaultAsync(oa => oa.UserOAuthClientId == client);
 
-        if (App == null)
-            return NotFound();
+        //if (App == null)
+        //    return NotFound();
 
-        if (!VerifyAppAccess(user, App))
-            return Forbid();
+        //if (!VerifyAppAccess(user, App))
+        //    return Forbid();
 
         return null;
     }
 
-    public static bool VerifyAppAccess(
+    /*public static bool VerifyAppAccess(
         SpaceUser user,
         UserOAuthClient userClient)
     {
         return user == userClient.SpaceUser;
-    }
+    }*/
 }

From 88995d3ef26d9559511575e924b08bbb73d1658b Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Wed, 13 Aug 2025 23:27:23 +0200
Subject: [PATCH 16/43] Change PersonalDataCollector to collecto from
 OpenIddict

---
 SS14.Web/Extensions/OpenIdExtension.cs |   2 +-
 SS14.Web/PersonalDataCollector.cs      | 168 +++++++++++++++++--------
 2 files changed, 119 insertions(+), 51 deletions(-)

diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/Extensions/OpenIdExtension.cs
index 5907837..64a07d9 100644
--- a/SS14.Web/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/Extensions/OpenIdExtension.cs
@@ -16,7 +16,7 @@
 using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 namespace SS14.Web.Extensions;
-
+// TODO: Add integration with quartz
 public static class OpenIdExtension
 {
     public static void AddOpenIdConnect(this WebApplicationBuilder builder)
diff --git a/SS14.Web/PersonalDataCollector.cs b/SS14.Web/PersonalDataCollector.cs
index 52067d8..9bf51b4 100644
--- a/SS14.Web/PersonalDataCollector.cs
+++ b/SS14.Web/PersonalDataCollector.cs
@@ -1,4 +1,5 @@
-using System;
+#nullable enable
+using System;
 using System.IO;
 using System.IO.Compression;
 using System.Linq;
@@ -6,11 +7,12 @@
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
-using Dapper;
 using JetBrains.Annotations;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
+using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Extensions;
 using SS14.WebEverythingShared;
 
 namespace SS14.Web;
@@ -18,7 +20,12 @@ namespace SS14.Web;
 /// <summary>
 /// Helper class that wraps up all the personal data for a user into a neat little zip file!
 /// </summary>
-public sealed class PersonalDataCollector(ApplicationDbContext dbContext, ILogger<PersonalDataCollector> logger)
+public sealed class PersonalDataCollector(
+    ApplicationDbContext dbContext,
+    OpenIddictApplicationManager<SpaceApplication> applicationManager,
+    OpenIddictAuthorizationManager<OpeniddictDefaultTypes.DefaultAuthorization> authorizationManager,
+    OpenIddictTokenManager<OpeniddictDefaultTypes.DefaultToken> tokenManager,
+    ILogger<PersonalDataCollector> logger)
 {
     private static readonly JsonSerializerOptions JsonOptions = new()
     {
@@ -41,7 +48,8 @@ public async Task<Stream> CollectPersonalData(SpaceUser user, CancellationToken
             await CollectPastAccountNames(zip, user, cancel);
             await CollectPatrons(zip, user, cancel);
             await CollectUserOAuthClients(zip, user, cancel);
-            await CollectIS4PersistedGrants(zip, user, cancel);
+            await CollectAuthorizations(zip, user, cancel);
+            await CollectTokens(zip, user, cancel);
             await CollectHwidUsers(zip, user, cancel);
         }
 
@@ -128,54 +136,70 @@ private async Task CollectPatrons(ZipArchive zip, SpaceUser user, CancellationTo
 
     private async Task CollectUserOAuthClients(ZipArchive zip, SpaceUser user, CancellationToken cancel)
     {
-        var dbConnection = dbContext.Database.GetDbConnection();
-        var data = await dbConnection.QuerySingleAsync<string>("""
-            SELECT
-                COALESCE(json_agg(to_jsonb(data)), '[]') #>> '{}'
-            FROM (
-                SELECT
-                    *,
-                    (SELECT to_jsonb(client) FROM (
-                        SELECT
-                            *,
-                            (SELECT COALESCE(json_agg(to_jsonb(client_scopeq)), '[]') FROM (
-                                SELECT * FROM "IS4"."ClientScopes" cs WHERE cs."ClientId" = c."Id"
-                            ) client_scopeq)
-                            as "Scopes",
-                            (SELECT COALESCE(json_agg(to_jsonb(client_redirectq)), '[]') FROM (
-                                SELECT * FROM "IS4"."ClientRedirectUris" cru WHERE cru."ClientId" = c."Id"
-                            ) client_redirectq)
-                            as "RedirectUris",
-                            (SELECT COALESCE(json_agg(to_jsonb(client_grantq)), '[]') FROM (
-                                SELECT * FROM "IS4"."ClientGrantTypes" cgt WHERE cgt."ClientId" = c."Id"
-                            ) client_grantq)
-                            as "GrantTypes"
-                        FROM
-                            "IS4"."Clients" c
-                        WHERE c."Id" = a."ClientId"
-                    ) client)
-                    as "Client"
-                FROM
-                    "UserOAuthClients" a
-                WHERE
-                    "SpaceUserId" = @UserId
-            ) as data
-            """,
-            new
-            {
-                UserId = user.Id,
-            });
+       var applications = await applicationManager.ListAsync(
+           x => x.Where(a => a.SpaceUserId == user.Id)
+           , cancel).ToListAsync(ct: cancel);
+
+       var data = applications.Select(x => new SpaceApplicationData(
+           Id: x.Id,
+           UserId: x.SpaceUserId,
+           ClientId: x.ClientId,
+           ClientType: x.ClientType,
+           ApplicationType: x.ApplicationType,
+           LogoUri: x.LogoUri,
+           DisplayName: x.DisplayName,
+           Permissions: x.Permissions,
+           PostLogoutRedirectUris: x.PostLogoutRedirectUris,
+           RedirectUris: x.RedirectUris,
+           Properties: x.Properties,
+           Requirements: x.Requirements,
+           Settings: x.Settings
+       ));
+
+
+       SerializeToFile(zip, "OAuthClients.json", data);
+    }
+
+    private async Task CollectAuthorizations(ZipArchive zip, SpaceUser user, CancellationToken cancel)
+    {
+        var authorizations = await authorizationManager.FindBySubjectAsync(user.Id.ToString(), cancel)
+            .ToListAsync(ct: cancel);
+
+        var data = authorizations.Select(x => new AuthorizationData(
+            Id: x.Id,
+            Subject: x.Subject,
+            ApplicationId: x.Application?.Id,
+            ApplicationName: x.Application?.DisplayName,
+            Type: x.Type,
+            Status: x.Status,
+            CreationDate: x.CreationDate,
+            Scopes: x.Scopes
+            ));
 
-        StringToFile(zip, "UserOAuthClients.json", data);
+        SerializeToFile(zip, "OAuthAuthorizations.json", data);
     }
 
-    private async Task CollectIS4PersistedGrants(ZipArchive zip, SpaceUser user, CancellationToken cancel)
+    private async Task CollectTokens(ZipArchive zip, SpaceUser user, CancellationToken cancel)
     {
-        // TODO: Replace identityserver4 code in this file
+        var tokens = await tokenManager.FindBySubjectAsync(user.Id.ToString(), cancel)
+            .ToListAsync(ct: cancel);
 
-        //var grants = await dbContext.PersistedGrants.Where(x => x.SubjectId == user.Id.ToString()).ToListAsync(cancel);
+        var data = tokens.Select(x => new TokenData(
+            Id: x.Id,
+            Subject: x.Subject,
+            AuthorizationId: x.Authorization?.Id,
+            ApplicationId: x.Application?.Id,
+            ApplicationName: x.Application?.DisplayName,
+            Status: x.Status,
+            Type: x.Type,
+            ReferenceId: x.ReferenceId,
+            Payload: x.Payload,
+            CreationDate: x.CreationDate,
+            ExpirationDate: x.ExpirationDate,
+            RedemptionDate: x.RedemptionDate
+        ));
 
-        //SerializeToFile(zip, "IS4.PersistedGrants.json", grants);
+        SerializeToFile(zip, "OAuthTokens.json", data);
     }
 
     private async Task CollectHwidUsers(ZipArchive zip, SpaceUser user, CancellationToken cancel)
@@ -187,7 +211,7 @@ private async Task CollectHwidUsers(ZipArchive zip, SpaceUser user, Cancellation
 
         SerializeToFile(zip, "HwidUsers.json", hwidUsers);
     }
-
+    
     private static void StringToFile(ZipArchive archive, string name, string data)
     {
         var entry = archive.CreateEntry(name, CompressionLevel.Optimal);
@@ -205,13 +229,57 @@ private static void SerializeToFile<T>(ZipArchive archive, string name, T data)
     [UsedImplicitly]
     private sealed record SpaceUserData(
         Guid Id,
-        string UserName,
+        string? UserName,
         DateTimeOffset CreatedTime,
         bool EmailConfirmed,
-        string NormalizedEmail,
+        string? NormalizedEmail,
         bool TwoFactorEnabled,
-        string NormalizedUserName,
+        string? NormalizedUserName,
         bool AdminLocked,
         string AdminNotes,
         DateTimeOffset? LastUsernameChange);
+
+    [UsedImplicitly]
+    private sealed record SpaceApplicationData(
+        string? Id,
+        Guid? UserId,
+        string? ClientId,
+        string? ClientType,
+        string? ApplicationType,
+        string? LogoUri,
+        string? DisplayName,
+        string? Permissions,
+        string? PostLogoutRedirectUris,
+        string? RedirectUris,
+        string? Properties,
+        string? Requirements,
+        string? Settings);
+
+    [UsedImplicitly]
+    private sealed record AuthorizationData(
+        string? Id,
+        string? Subject,
+        string? ApplicationId,
+        string? ApplicationName,
+        string? Type,
+        string? Status,
+        DateTime? CreationDate,
+        string? Scopes
+        );
+
+    [UsedImplicitly]
+    private sealed record TokenData(
+        string? Id,
+        string? Subject,
+        string? AuthorizationId,
+        string? ApplicationId,
+        string? ApplicationName,
+        string? Status,
+        string? Type,
+        string? ReferenceId,
+        string? Payload,
+        DateTime? CreationDate,
+        DateTime? ExpirationDate,
+        DateTime? RedemptionDate
+    );
 }

From ad63ba58e6bb35f1cda2d125fd1a3ccf5267661c Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Thu, 14 Aug 2025 13:34:30 +0200
Subject: [PATCH 17/43] Implement generate token event handler for ensuring the
 right algorithm is used

---
 .../Identity/Pages/Account/Consent.cshtml.cs  |  2 +-
 .../Account/Manage/OAuthApps/Manage.cshtml.cs | 17 ++--
 .../OpenIdCertificateConfiguration.cs         | 12 ---
 .../Configuration/CertificateOptions.cs       |  4 +
 .../OpenIdCertificateConfiguration.cs         | 30 ++++++++
 .../EventHandlers/TokenSigningHandler.cs      | 77 +++++++++++++++++++
 .../ApplicationManagerExtensions.cs           | 33 ++++++++
 .../Extensions/OpenIdExtension.cs             | 36 +++++----
 SS14.Web/OpenId/OpenIdConstants.cs            |  7 ++
 .../Services/IdentityClaimsProvider.cs        |  2 +-
 .../Services/OpenIdActionService.cs           |  5 +-
 .../Services/SignedInIdentityService.cs       |  2 +-
 SS14.Web/{Data => OpenId}/TestDataSeeder.cs   |  5 +-
 SS14.Web/Program.cs                           |  1 +
 14 files changed, 193 insertions(+), 40 deletions(-)
 delete mode 100644 SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
 create mode 100644 SS14.Web/OpenId/Configuration/CertificateOptions.cs
 create mode 100644 SS14.Web/OpenId/Configuration/OpenIdCertificateConfiguration.cs
 create mode 100644 SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs
 create mode 100644 SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
 rename SS14.Web/{ => OpenId}/Extensions/OpenIdExtension.cs (60%)
 create mode 100644 SS14.Web/OpenId/OpenIdConstants.cs
 rename SS14.Web/{ => OpenId}/Services/IdentityClaimsProvider.cs (98%)
 rename SS14.Web/{ => OpenId}/Services/OpenIdActionService.cs (97%)
 rename SS14.Web/{ => OpenId}/Services/SignedInIdentityService.cs (97%)
 rename SS14.Web/{Data => OpenId}/TestDataSeeder.cs (94%)

diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index aed5b40..c5f9cb2 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -11,7 +11,7 @@
 using SS14.Auth.Shared.Data;
 using SS14.Web.Helpers;
 using SS14.Web.Models.Types;
-using SS14.Web.Services;
+using SS14.Web.OpenId.Services;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
 namespace SS14.Web.Areas.Identity.Pages.Account;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index e22693d..91bd565 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -8,7 +8,10 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
+using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Extensions;
+using SS14.Web.OpenId.Extensions;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
 
@@ -18,8 +21,10 @@ public class Manage : PageModel
 {
     private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
+    private readonly OpenIddictApplicationManager<SpaceApplication> _appManager;
 
     //public UserOAuthClient App { get; set; }
+    public SpaceApplication App { get; set; }
 
     [BindProperty] public InputModel Input { get; set; }
 
@@ -49,10 +54,11 @@ public sealed class InputModel
         public bool AllowPS256 { get; set; } = true;
     }
 
-    public Manage(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager)
+    public Manage(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager, OpenIddictApplicationManager<SpaceApplication> appManager)
     {
         _dbContext = dbContext;
         _userManager = userManager;
+        _appManager = appManager;
     }
 
     public async Task<IActionResult> OnGetAsync(int client)
@@ -60,12 +66,13 @@ public async Task<IActionResult> OnGetAsync(int client)
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
+
         Input = new InputModel
         {
-            //Name = App.Client.ClientName,
-            //CallbackUrl = App.Client.RedirectUris.FirstOrDefault()?.RedirectUri ?? "",
-            //HomepageUrl = App.Client.ClientUri,
-            //RequirePkce = App.Client.RequirePkce,
+            Name = App.DisplayName,
+            CallbackUrl = await _appManager.GetFirstRedirectUrl(App) ?? "",
+            HomepageUrl = await _appManager.GetHomePageProperty(App) ?? "",
+            RequirePkce = await _appManager.GetRequiresPkceSetting(App),
             //AllowPS256 = App.Client.AllowedIdentityTokenSigningAlgorithms?.Contains("PS256") ?? false
         };
 
diff --git a/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs b/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
deleted file mode 100644
index 2bf0983..0000000
--- a/SS14.Web/Configuration/OpenIdCertificateConfiguration.cs
+++ /dev/null
@@ -1,12 +0,0 @@
-namespace SS14.Web.Configuration;
-
-public sealed class OpenIdCertificateConfiguration
-{
-    public const string Name = "Certificates";
-
-    public string? EncryptionCertificatePath { get; set; }
-    public string? EncryptionCertificatePassword { get; set; }
-
-    public string? SigningCertificatePath { get; set; }
-    public string? SigningCertificatePassword { get; set; }
-}
diff --git a/SS14.Web/OpenId/Configuration/CertificateOptions.cs b/SS14.Web/OpenId/Configuration/CertificateOptions.cs
new file mode 100644
index 0000000..983119b
--- /dev/null
+++ b/SS14.Web/OpenId/Configuration/CertificateOptions.cs
@@ -0,0 +1,4 @@
+#nullable enable
+namespace SS14.Web.OpenId.Configuration;
+
+public sealed record CertificateOptions(string Path, string? Password);
diff --git a/SS14.Web/OpenId/Configuration/OpenIdCertificateConfiguration.cs b/SS14.Web/OpenId/Configuration/OpenIdCertificateConfiguration.cs
new file mode 100644
index 0000000..4351e73
--- /dev/null
+++ b/SS14.Web/OpenId/Configuration/OpenIdCertificateConfiguration.cs
@@ -0,0 +1,30 @@
+#nullable enable
+using System.Collections.Generic;
+
+namespace SS14.Web.OpenId.Configuration;
+
+public sealed class OpenIdCertificateConfiguration
+{
+    public const string Name = "Certificates";
+
+    /// <summary>
+    /// Sets the default encryption algorithm if it didn't get overriden by the application.
+    /// If this is null the first available certificate will be used.
+    /// </summary>
+    /// <remarks>
+    /// A certificate with the matching algorithm needs to be present
+    /// </remarks>
+    public string? DefaultEncryptionAlgorithm { get; set; }
+
+    /// <summary>
+    /// Sets the default encryption algorithm if it didn't get overriden by the application.
+    /// If this is null the first available certificate will be used.
+    /// </summary>
+    /// <remarks>
+    /// A certificate with the matching algorithm needs to be present
+    /// </remarks>
+    public string? DefaultSigningAlgorithm { get; set; }
+
+    public List<CertificateOptions> EncryptionCertificates { get; set; } = [];
+    public List<CertificateOptions> SigningCertificates { get; set; } = [];
+}
diff --git a/SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs b/SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs
new file mode 100644
index 0000000..98fc3ff
--- /dev/null
+++ b/SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs
@@ -0,0 +1,77 @@
+#nullable enable
+using System.Threading.Tasks;
+using Microsoft.Extensions.Configuration;
+using OpenIddict.Abstractions;
+using OpenIddict.Server;
+using SS14.Web.OpenId.Configuration;
+using static OpenIddict.Server.OpenIddictServerEvents;
+
+namespace SS14.Web.OpenId.EventHandlers;
+
+public class TokenSigningHandler : IOpenIddictServerHandler<GenerateTokenContext>
+{
+    private readonly IOpenIddictApplicationManager _applicationManager;
+
+    private readonly OpenIdCertificateConfiguration _config = new();
+
+    public TokenSigningHandler(IOpenIddictApplicationManager applicationManager, IConfiguration configuration)
+    {
+        _applicationManager = applicationManager;
+
+        configuration.GetSection("OpenId").GetSection(OpenIdCertificateConfiguration.Name).Bind(_config);
+    }
+
+    public static OpenIddictServerHandlerDescriptor Descriptor { get; } =
+        OpenIddictServerHandlerDescriptor.CreateBuilder<GenerateTokenContext>()
+            .UseScopedHandler<TokenSigningHandler>()
+            .SetOrder(OpenIddictServerHandlers.Protection.AttachSecurityCredentials.Descriptor.Order + 500)
+            .Build();
+
+    public async ValueTask HandleAsync(GenerateTokenContext context)
+    {
+        if (context.Request?.ClientId is null)
+            return;
+
+        // Ignore client assertion
+        if (context.TokenType is OpenIddictConstants.TokenTypeIdentifiers.Private.ClientAssertion)
+            return;
+
+        var app = await _applicationManager.FindByClientIdAsync(context.Request.ClientId);
+        if (app is null)
+            return;
+
+        var settings = await _applicationManager.GetSettingsAsync(app);
+
+        var encryptionAlgorithm = settings.TryGetValue(OpenIdConstants.EncryptionAlgorithmSetting, out var encryptionAlg)
+            ? encryptionAlg
+            : _config.DefaultEncryptionAlgorithm;
+
+        if (encryptionAlgorithm is not null)
+        {
+            foreach (var credential in context.Options.EncryptionCredentials)
+            {
+                if (!credential.Enc.Equals(encryptionAlgorithm))
+                    continue;
+
+                context.EncryptionCredentials = credential;
+                break;
+            }
+        }
+
+        var signingAlgorithm = settings.TryGetValue(OpenIdConstants.SigningAlgorithmSetting, out var signingAlg)
+            ? signingAlg
+            : _config.DefaultSigningAlgorithm;
+
+        if (signingAlgorithm is not null)
+        {
+            foreach (var credential in context.Options.SigningCredentials)
+            {
+                if (!credential.Algorithm.Equals(signingAlgorithm))
+                    continue;
+
+                context.SigningCredentials = credential;
+                break;
+            }
+        }
+    }
+}
diff --git a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
new file mode 100644
index 0000000..b9a15bc
--- /dev/null
+++ b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
@@ -0,0 +1,33 @@
+#nullable enable
+using System.Threading.Tasks;
+using OpenIddict.Core;
+using SS14.Auth.Shared.Data;
+
+namespace SS14.Web.OpenId.Extensions;
+
+public static class ApplicationManagerExtensions
+{
+    public static async ValueTask<string?> GetFirstRedirectUrl(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        var callbackUris = await manager.GetRedirectUrisAsync(app);
+        return callbackUris.IsEmpty ? null : callbackUris[0];
+    }
+
+    public static async ValueTask<string?> GetHomePageProperty(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        var properties = await manager.GetPropertiesAsync(app);
+        return properties.TryGetValue("homepage", out var homepage) ? homepage.GetString() : null;
+    }
+
+    public static async ValueTask<bool> GetRequiresPkceSetting(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        var settings = await manager.GetSettingsAsync(app);
+        return settings.ContainsKey("ft:pkce");
+    }
+}
diff --git a/SS14.Web/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
similarity index 60%
rename from SS14.Web/Extensions/OpenIdExtension.cs
rename to SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index 64a07d9..5ba9901 100644
--- a/SS14.Web/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -5,17 +5,15 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
-using OpenIddict.Client.AspNetCore;
-using OpenIddict.Server;
 using SS14.Auth.Shared.Data;
-using SS14.ServerHub.Shared.Data;
-using SS14.Web.Configuration;
 using SS14.Web.Data;
-using SS14.Web.Services;
+using SS14.Web.OpenId.Configuration;
+using SS14.Web.OpenId.EventHandlers;
+using SS14.Web.OpenId.Services;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
-namespace SS14.Web.Extensions;
+namespace SS14.Web.OpenId.Extensions;
 // TODO: Add integration with quartz
 public static class OpenIdExtension
 {
@@ -31,9 +29,8 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
         openId.AddValidation().UseLocalServer();
         openId.AddValidation().UseAspNetCore();
 
-        openId.AddServer()
-            .Configure(config => builder.Configuration.Bind("OpenId:Server", config))
-            .UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableStatusCodePagesIntegration();
+        openId.AddServer().Configure(config => builder.Configuration.Bind("OpenId:Server", config));
+        openId.AddServer().UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableStatusCodePagesIntegration();
         ConfigureCertificates(openId, builder);
 
         builder.Services.AddHostedService<TestDataSeeder>();
@@ -49,6 +46,9 @@ public static void UseOpenIdConnect(this WebApplication app)
 
     private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicationBuilder builder)
     {
+        builder.Services.Add(TokenSigningHandler.Descriptor.ServiceDescriptor);
+        openId.AddServer().AddEventHandler(TokenSigningHandler.Descriptor);
+
         if (builder.Environment.IsDevelopment())
         {
             openId.AddServer().AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
@@ -59,13 +59,19 @@ private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicati
             .GetSection("OpenId")
             .GetSection(OpenIdCertificateConfiguration.Name).Get<OpenIdCertificateConfiguration>();
 
-        if (config?.EncryptionCertificatePath == null || config.SigningCertificatePath == null)
-            throw new InvalidOperationException("Encryption and signing certificates not configured");
+        if (config is null)
+            throw new ArgumentException("OpenId:Server:CertificateConfiguration is not set.");
 
-        using var encryptionCert = File.OpenRead(config.EncryptionCertificatePath);
-        openId.AddServer().AddEncryptionCertificate(encryptionCert, config.EncryptionCertificatePassword);
+        foreach (var encryptionCertificate in config.EncryptionCertificates)
+        {
+            using var encryptionCert = File.OpenRead(encryptionCertificate.Path);
+            openId.AddServer().AddEncryptionCertificate(encryptionCert, encryptionCertificate.Password);
+        }
 
-        using var signingCert = File.OpenRead(config.SigningCertificatePath);
-        openId.AddServer().AddSigningCertificate(signingCert, config.SigningCertificatePassword);
+        foreach (var signingCertificate in config.EncryptionCertificates)
+        {
+            using var signingCert = File.OpenRead(signingCertificate.Path);;
+            openId.AddServer().AddSigningCertificate(signingCert, signingCertificate.Password);
+        }
     }
 }
diff --git a/SS14.Web/OpenId/OpenIdConstants.cs b/SS14.Web/OpenId/OpenIdConstants.cs
new file mode 100644
index 0000000..235b6e0
--- /dev/null
+++ b/SS14.Web/OpenId/OpenIdConstants.cs
@@ -0,0 +1,7 @@
+namespace SS14.Web.OpenId;
+
+public static class OpenIdConstants
+{
+    public const string EncryptionAlgorithmSetting = "space:EncryptionAlgorithm";
+    public const string SigningAlgorithmSetting = "space:SigningAlgorithm";
+}
diff --git a/SS14.Web/Services/IdentityClaimsProvider.cs b/SS14.Web/OpenId/Services/IdentityClaimsProvider.cs
similarity index 98%
rename from SS14.Web/Services/IdentityClaimsProvider.cs
rename to SS14.Web/OpenId/Services/IdentityClaimsProvider.cs
index b26efcd..21b5914 100644
--- a/SS14.Web/Services/IdentityClaimsProvider.cs
+++ b/SS14.Web/OpenId/Services/IdentityClaimsProvider.cs
@@ -9,7 +9,7 @@
 using SS14.Web.Helpers;
 using Claims = OpenIddict.Abstractions.OpenIddictConstants.Claims;
 
-namespace SS14.Web.Services;
+namespace SS14.Web.OpenId.Services;
 
 public class IdentityClaimsProvider
 {
diff --git a/SS14.Web/Services/OpenIdActionService.cs b/SS14.Web/OpenId/Services/OpenIdActionService.cs
similarity index 97%
rename from SS14.Web/Services/OpenIdActionService.cs
rename to SS14.Web/OpenId/Services/OpenIdActionService.cs
index 9fdfe0b..c243931 100644
--- a/SS14.Web/Services/OpenIdActionService.cs
+++ b/SS14.Web/OpenId/Services/OpenIdActionService.cs
@@ -11,14 +11,13 @@
 using Microsoft.IdentityModel.Tokens;
 using OpenIddict.Abstractions;
 using OpenIddict.Core;
-using OpenIddict.EntityFrameworkCore.Models;
 using SS14.Auth.Shared.Data;
 using SS14.Web.Extensions;
 using SS14.Web.Models.Types;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 using Void = SS14.Web.Models.Types.Void;
 
-namespace SS14.Web.Services;
+namespace SS14.Web.OpenId.Services;
 
 public class OpenIdActionService
 {
@@ -107,7 +106,7 @@ public async Task<AuthorizationResult> AuthorizeActionAsync(OpenIddictRequest re
             ConsentTypes.External when authorizations.Count is 0 =>
                AuthorizationResult.Forbidden(application,  Errors.AccessDenied),
 
-            ConsentTypes.Implicit or ConsentTypes.External when authorizations.Count is not 0 =>
+            ConsentTypes.Implicit or ConsentTypes.External or ConsentTypes.Explicit when authorizations.Count is not 0 =>
                 await HandleSignIn(request, application, authorizations),
 
             ConsentTypes.Explicit or ConsentTypes.Systematic when request.HasPromptValue(PromptValues.None) =>
diff --git a/SS14.Web/Services/SignedInIdentityService.cs b/SS14.Web/OpenId/Services/SignedInIdentityService.cs
similarity index 97%
rename from SS14.Web/Services/SignedInIdentityService.cs
rename to SS14.Web/OpenId/Services/SignedInIdentityService.cs
index f982b2f..59e0760 100644
--- a/SS14.Web/Services/SignedInIdentityService.cs
+++ b/SS14.Web/OpenId/Services/SignedInIdentityService.cs
@@ -5,7 +5,7 @@
 using Microsoft.AspNetCore.Identity;
 using SS14.Auth.Shared.Data;
 
-namespace SS14.Web.Services;
+namespace SS14.Web.OpenId.Services;
 
 public class SignedInIdentityService
 {
diff --git a/SS14.Web/Data/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
similarity index 94%
rename from SS14.Web/Data/TestDataSeeder.cs
rename to SS14.Web/OpenId/TestDataSeeder.cs
index 23ec772..7e60d50 100644
--- a/SS14.Web/Data/TestDataSeeder.cs
+++ b/SS14.Web/OpenId/TestDataSeeder.cs
@@ -7,7 +7,7 @@
 using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
 
-namespace SS14.Web.Data;
+namespace SS14.Web.OpenId;
 
 // TODO: Remove after development
 public sealed class TestDataSeeder(IServiceProvider serviceProvider) : IHostedService
@@ -34,8 +34,9 @@ private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationTo
             ClientSecret = "test_secret",
             ClientType = OpenIddictConstants.ClientTypes.Confidential,
             DisplayName = "Test Client",
-            RedirectUris = { new Uri("https://localhost:5001/signin-oidc") },
+            RedirectUris = { new Uri("https://localhost:5002/signin-oidc") },
             Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
+            Settings = {{OpenIdConstants.SigningAlgorithmSetting, "RS256"}},
             Permissions =
             {
                 OpenIddictConstants.Permissions.Endpoints.Authorization,
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index 7444336..0b8801a 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -16,6 +16,7 @@
 using SS14.Web.Data;
 using SS14.Web.Extensions;
 using SS14.Web.HCaptcha;
+using SS14.Web.OpenId.Extensions;
 using SS14.WebEverythingShared;
 using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 

From 50d29195b921464cb5123dfea05a217ce55525d3 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Thu, 14 Aug 2025 21:50:48 +0200
Subject: [PATCH 18/43] Add home page url property to SpaceApplication

---
 ...10_AddSpaceAppHomePageProperty.Designer.cs | 921 ++++++++++++++++++
 ...50814194410_AddSpaceAppHomePageProperty.cs |  64 ++
 .../ApplicationDbContextModelSnapshot.cs      |  38 +-
 SS14.Auth.Shared/Data/SpaceApplication.cs     |   1 +
 4 files changed, 989 insertions(+), 35 deletions(-)
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.Designer.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.cs

diff --git a/SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.Designer.cs
new file mode 100644
index 0000000..95fbed8
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.Designer.cs
@@ -0,0 +1,921 @@
+// <auto-generated />
+using System;
+using System.Net;
+using System.Text.Json;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using SS14.Auth.Shared.Data;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20250814194410_AddSpaceAppHomePageProperty")]
+    partial class AddSpaceAppHomePageProperty
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetRoleClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderDisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("LoginProvider", "ProviderKey");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserLogins", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserId", "RoleId");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetUserRoles", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("UserId", "LoginProvider", "Name");
+
+                    b.ToTable("AspNetUserTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<Guid?>("Actor")
+                        .HasColumnType("uuid");
+
+                    b.Property<IPAddress>("ActorAddress")
+                        .HasColumnType("inet");
+
+                    b.Property<JsonDocument>("Data")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("AccountLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.Property<long>("AuthHashId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("Hash")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<long?>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("AuthHashId");
+
+                    b.HasIndex("HwidId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Hash", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("AuthHashes");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("BurnerEmails");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<byte[]>("ClientData")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<int>("TypeCode")
+                        .HasColumnType("integer");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientData")
+                        .IsUnique();
+
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AuthorizationId");
+
+                    b.HasIndex("ReferenceId")
+                        .IsUnique();
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("ChangeTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("PastAccountNames");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Content")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Trigger")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("PatreonWebhookLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("CurrentTier")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PatreonId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("PatreonId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("Patrons");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("WebsiteUrl")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedName")
+                        .IsUnique()
+                        .HasDatabaseName("RoleNameIndex");
+
+                    b.ToTable("AspNetRoles", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AdminLocked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AdminNotes")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("EmailConfirmed")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("LastUsernameChange")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("NormalizedEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedUserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SecurityStamp")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("TwoFactorEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("UserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedEmail")
+                        .HasDatabaseName("EmailIndex");
+
+                    b.HasIndex("NormalizedUserName")
+                        .IsUnique()
+                        .HasDatabaseName("UserNameIndex");
+
+                    b.ToTable("AspNetUsers", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("WhitelistEmails");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AccountLogs")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany()
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AuthHashes")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany("Users")
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("LoginSessions")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("PastAccountNames")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithOne("Patron")
+                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Navigation("Users");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Navigation("Authorizations");
+
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Navigation("AccountLogs");
+
+                    b.Navigation("AuthHashes");
+
+                    b.Navigation("LoginSessions");
+
+                    b.Navigation("PastAccountNames");
+
+                    b.Navigation("Patron");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.cs b/SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.cs
new file mode 100644
index 0000000..b91ca8e
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250814194410_AddSpaceAppHomePageProperty.cs
@@ -0,0 +1,64 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddSpaceAppHomePageProperty : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "UserOAuthClients");
+
+            migrationBuilder.AddColumn<string>(
+                name: "WebsiteUrl",
+                table: "OpenIddictApplications",
+                type: "text",
+                nullable: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "WebsiteUrl",
+                table: "OpenIddictApplications");
+
+            migrationBuilder.CreateTable(
+                name: "UserOAuthClients",
+                columns: table => new
+                {
+                    UserOAuthClientId = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    SpaceUserId = table.Column<Guid>(type: "uuid", nullable: false),
+                    ClientId = table.Column<int>(type: "integer", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_UserOAuthClients", x => x.UserOAuthClientId);
+                    table.ForeignKey(
+                        name: "FK_UserOAuthClients_AspNetUsers_SpaceUserId",
+                        column: x => x.SpaceUserId,
+                        principalTable: "AspNetUsers",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_UserOAuthClients_ClientId",
+                table: "UserOAuthClients",
+                column: "ClientId",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_UserOAuthClients_SpaceUserId",
+                table: "UserOAuthClients",
+                column: "SpaceUserId");
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
index fca38c4..f48e1b6 100644
--- a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
+++ b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
@@ -596,6 +596,9 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Property<Guid?>("SpaceUserId")
                         .HasColumnType("uuid");
 
+                    b.Property<string>("WebsiteUrl")
+                        .HasColumnType("text");
+
                     b.HasKey("Id");
 
                     b.HasIndex("ClientId")
@@ -696,30 +699,6 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.ToTable("AspNetUsers", (string)null);
                 });
 
-            modelBuilder.Entity("SS14.Auth.Shared.Data.UserOAuthClient", b =>
-                {
-                    b.Property<int>("UserOAuthClientId")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("UserOAuthClientId"));
-
-                    b.Property<int>("ClientId")
-                        .HasColumnType("integer");
-
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("UserOAuthClientId");
-
-                    b.HasIndex("ClientId")
-                        .IsUnique();
-
-                    b.HasIndex("SpaceUserId");
-
-                    b.ToTable("UserOAuthClients");
-                });
-
             modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
                 {
                     b.Property<int>("Id")
@@ -904,17 +883,6 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Navigation("SpaceUser");
                 });
 
-            modelBuilder.Entity("SS14.Auth.Shared.Data.UserOAuthClient", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithMany()
-                        .HasForeignKey("SpaceUserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("SpaceUser");
-                });
-
             modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
                 {
                     b.Navigation("Users");
diff --git a/SS14.Auth.Shared/Data/SpaceApplication.cs b/SS14.Auth.Shared/Data/SpaceApplication.cs
index 3c91222..5f7150c 100644
--- a/SS14.Auth.Shared/Data/SpaceApplication.cs
+++ b/SS14.Auth.Shared/Data/SpaceApplication.cs
@@ -11,4 +11,5 @@ public sealed class SpaceApplication : OpenIddictEntityFrameworkCoreApplication<
     public Guid? SpaceUserId { get; set; }
     public SpaceUser? SpaceUser { get; set; }
     public string? LogoUri { get; set; }
+    public string? WebsiteUrl { get; set; }
 }

From 6baccdad372b64a22d0076f2cc1210765911107f Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Fri, 15 Aug 2025 00:40:29 +0200
Subject: [PATCH 19/43] Work on oauth application manage page

---
 ...paceAppClientSecretDescription.Designer.cs | 924 +++++++++++++++++
 ...5916_AddSpaceAppClientSecretDescription.cs |  28 +
 ...aceAppClientSecretCreationDate.Designer.cs | 927 ++++++++++++++++++
 ...250_AddSpaceAppClientSecretCreationDate.cs |  29 +
 .../ApplicationDbContextModelSnapshot.cs      |   6 +
 SS14.Auth.Shared/Data/SpaceApplication.cs     |   4 +
 .../Identity/Pages/Account/Consent.cshtml.cs  |   7 +
 .../Account/Manage/OAuthApps/Manage.cshtml    |  41 +-
 .../Account/Manage/OAuthApps/Manage.cshtml.cs |  83 +-
 .../ApplicationManagerExtensions.cs           |  23 +-
 .../OpenId/Services/OpenIdActionService.cs    |  18 +-
 SS14.Web/PersonalDataCollector.cs             |  14 +-
 12 files changed, 2022 insertions(+), 82 deletions(-)
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.Designer.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.Designer.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.cs

diff --git a/SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.Designer.cs
new file mode 100644
index 0000000..7ccadbc
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.Designer.cs
@@ -0,0 +1,924 @@
+// <auto-generated />
+using System;
+using System.Net;
+using System.Text.Json;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using SS14.Auth.Shared.Data;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20250814195916_AddSpaceAppClientSecretDescription")]
+    partial class AddSpaceAppClientSecretDescription
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetRoleClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderDisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("LoginProvider", "ProviderKey");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserLogins", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserId", "RoleId");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetUserRoles", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("UserId", "LoginProvider", "Name");
+
+                    b.ToTable("AspNetUserTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<Guid?>("Actor")
+                        .HasColumnType("uuid");
+
+                    b.Property<IPAddress>("ActorAddress")
+                        .HasColumnType("inet");
+
+                    b.Property<JsonDocument>("Data")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("AccountLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.Property<long>("AuthHashId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("Hash")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<long?>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("AuthHashId");
+
+                    b.HasIndex("HwidId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Hash", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("AuthHashes");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("BurnerEmails");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<byte[]>("ClientData")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<int>("TypeCode")
+                        .HasColumnType("integer");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientData")
+                        .IsUnique();
+
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AuthorizationId");
+
+                    b.HasIndex("ReferenceId")
+                        .IsUnique();
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("ChangeTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("PastAccountNames");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Content")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Trigger")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("PatreonWebhookLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("CurrentTier")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PatreonId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("PatreonId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("Patrons");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientSecretDescription")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("WebsiteUrl")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedName")
+                        .IsUnique()
+                        .HasDatabaseName("RoleNameIndex");
+
+                    b.ToTable("AspNetRoles", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AdminLocked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AdminNotes")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("EmailConfirmed")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("LastUsernameChange")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("NormalizedEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedUserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SecurityStamp")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("TwoFactorEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("UserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedEmail")
+                        .HasDatabaseName("EmailIndex");
+
+                    b.HasIndex("NormalizedUserName")
+                        .IsUnique()
+                        .HasDatabaseName("UserNameIndex");
+
+                    b.ToTable("AspNetUsers", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("WhitelistEmails");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AccountLogs")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany()
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AuthHashes")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany("Users")
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("LoginSessions")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("PastAccountNames")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithOne("Patron")
+                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Navigation("Users");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Navigation("Authorizations");
+
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Navigation("AccountLogs");
+
+                    b.Navigation("AuthHashes");
+
+                    b.Navigation("LoginSessions");
+
+                    b.Navigation("PastAccountNames");
+
+                    b.Navigation("Patron");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.cs b/SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.cs
new file mode 100644
index 0000000..b3e9df0
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250814195916_AddSpaceAppClientSecretDescription.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddSpaceAppClientSecretDescription : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<string>(
+                name: "ClientSecretDescription",
+                table: "OpenIddictApplications",
+                type: "text",
+                nullable: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "ClientSecretDescription",
+                table: "OpenIddictApplications");
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.Designer.cs
new file mode 100644
index 0000000..314ad7a
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.Designer.cs
@@ -0,0 +1,927 @@
+// <auto-generated />
+using System;
+using System.Net;
+using System.Text.Json;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using SS14.Auth.Shared.Data;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20250814215250_AddSpaceAppClientSecretCreationDate")]
+    partial class AddSpaceAppClientSecretCreationDate
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetRoleClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderDisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("LoginProvider", "ProviderKey");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserLogins", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserId", "RoleId");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetUserRoles", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("UserId", "LoginProvider", "Name");
+
+                    b.ToTable("AspNetUserTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<Guid?>("Actor")
+                        .HasColumnType("uuid");
+
+                    b.Property<IPAddress>("ActorAddress")
+                        .HasColumnType("inet");
+
+                    b.Property<JsonDocument>("Data")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("AccountLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.Property<long>("AuthHashId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("Hash")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<long?>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("AuthHashId");
+
+                    b.HasIndex("HwidId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Hash", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("AuthHashes");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("BurnerEmails");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<byte[]>("ClientData")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<int>("TypeCode")
+                        .HasColumnType("integer");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientData")
+                        .IsUnique();
+
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AuthorizationId");
+
+                    b.HasIndex("ReferenceId")
+                        .IsUnique();
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("ChangeTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("PastAccountNames");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Content")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Trigger")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("PatreonWebhookLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("CurrentTier")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PatreonId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("PatreonId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("Patrons");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientSecretDescription")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("SecretCreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("WebsiteUrl")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedName")
+                        .IsUnique()
+                        .HasDatabaseName("RoleNameIndex");
+
+                    b.ToTable("AspNetRoles", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AdminLocked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AdminNotes")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("EmailConfirmed")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("LastUsernameChange")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("NormalizedEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedUserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SecurityStamp")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("TwoFactorEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("UserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedEmail")
+                        .HasDatabaseName("EmailIndex");
+
+                    b.HasIndex("NormalizedUserName")
+                        .IsUnique()
+                        .HasDatabaseName("UserNameIndex");
+
+                    b.ToTable("AspNetUsers", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("WhitelistEmails");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AccountLogs")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany()
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AuthHashes")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany("Users")
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("LoginSessions")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("PastAccountNames")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithOne("Patron")
+                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Navigation("Users");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Navigation("Authorizations");
+
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Navigation("AccountLogs");
+
+                    b.Navigation("AuthHashes");
+
+                    b.Navigation("LoginSessions");
+
+                    b.Navigation("PastAccountNames");
+
+                    b.Navigation("Patron");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.cs b/SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.cs
new file mode 100644
index 0000000..ca20dd2
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250814215250_AddSpaceAppClientSecretCreationDate.cs
@@ -0,0 +1,29 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddSpaceAppClientSecretCreationDate : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<DateTime>(
+                name: "SecretCreationDate",
+                table: "OpenIddictApplications",
+                type: "timestamp with time zone",
+                nullable: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "SecretCreationDate",
+                table: "OpenIddictApplications");
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
index f48e1b6..ad4e94f 100644
--- a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
+++ b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
@@ -550,6 +550,9 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Property<string>("ClientSecret")
                         .HasColumnType("text");
 
+                    b.Property<string>("ClientSecretDescription")
+                        .HasColumnType("text");
+
                     b.Property<string>("ClientType")
                         .HasMaxLength(50)
                         .HasColumnType("character varying(50)");
@@ -590,6 +593,9 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Property<string>("Requirements")
                         .HasColumnType("text");
 
+                    b.Property<DateTime?>("SecretCreationDate")
+                        .HasColumnType("timestamp with time zone");
+
                     b.Property<string>("Settings")
                         .HasColumnType("text");
 
diff --git a/SS14.Auth.Shared/Data/SpaceApplication.cs b/SS14.Auth.Shared/Data/SpaceApplication.cs
index 5f7150c..5c0554c 100644
--- a/SS14.Auth.Shared/Data/SpaceApplication.cs
+++ b/SS14.Auth.Shared/Data/SpaceApplication.cs
@@ -12,4 +12,8 @@ public sealed class SpaceApplication : OpenIddictEntityFrameworkCoreApplication<
     public SpaceUser? SpaceUser { get; set; }
     public string? LogoUri { get; set; }
     public string? WebsiteUrl { get; set; }
+
+    public string? ClientSecretDescription { get; set; }
+
+    public DateTime? SecretCreationDate { get; set; }
 }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index c5f9cb2..4947c3b 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -24,6 +24,9 @@ public sealed class Consent : PageModel
     public ImmutableArray<string> RequestScopes { get; private set; }
     public string? ReturnUrl { get; set; }
 
+    [TempData]
+    public bool IgnoreChallenge { get; set; }
+
     [BindProperty] public InputModel? Input { get; set; }
 
     [ValidateAntiForgeryToken]
@@ -70,9 +73,13 @@ private async Task<IActionResult> HandleAuthorization(string? returnUrl)
         var result = await HttpContext.AuthenticateAsync();
         var validation = _actionService.ValidateOpenIdAuthentication(
             HttpContext,
+            IgnoreChallenge,
             result,
             AuthRequest);
 
+        // Prevent infinite redirection loops
+        IgnoreChallenge = true;
+
         switch (validation.IsSuccess)
         {
             case false when validation.Error.IsChallenge:
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index aa66221..06a63f0 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -6,7 +6,7 @@
 
 @{
     Layout = "/Views/Shared/_Layout.cshtml";
-    //ViewData["Title"] = $"Manage OAuth app {Model.App.Client.ClientName}";
+    ViewData["Title"] = $"Manage OAuth app {Model.App.DisplayName}";
 }
 
 <div class="container">
@@ -18,7 +18,7 @@
     </div>
     <div class="row mb-3">
         <div class="col">
-            <strong>Client ID:</strong> <span class="text-monospace">@*@Model.App.Client.ClientId*@</span><br/>
+            <strong>Client ID:</strong> <span class="text-monospace">@Model.App.ClientId</span><br/>
             Only Authorization Code flow is accepted<br/>
             Available scopes are: <span class="text-monospace">openid</span>, <span class="text-monospace">profile</span>, <span class="text-monospace">email</span><br/>
             SS14 implements OpenID Connect via IdentityServer4. See <a class="text-monospace" href="@Url.Content("~/.well-known/openid-configuration")">.well-known/openid-configuration</a> for config and endpoints.
@@ -69,27 +69,28 @@
             <div class="row">
                 <div class="col">
                     <div class="list-group">
-                        @*@foreach (var secret in Model.App.Client.ClientSecrets.OrderByDescending(a => a.Created))
-                        {
-                            var show = Model.ShowSecret == secret.Id;
-                            if (secret.Type != "SharedSecret")
-                                continue;
+                        @* TODO: Change once I know if I need to support multiple secrets *@
+                        @*@foreach (var secret in Model.App.Client.ClientSecrets.OrderByDescending(a => a.Created))*@
+                        @{
+                            var show = Model.ShowSecretValue != null;//Model.ShowSecret == secret.Id;
+                            //if (secret.Type != "SharedSecret")
+                            //continue;
 
                             <div class="list-group-item d-flex justify-content-between align-items-center @(show ? "list-group-item-success" : "")">
-                                <div>
-                                    <span class="text-monospace">@(show ? Model.ShowSecretValue : secret.Description)</span>
-                                    <br/>
-                                    <span class="text-muted">Created at @secret.Created.ToUniversalTime() UTC</span>
-                                </div>
-                                <form method="post">
-                                    <button type="submit"
-                                            asp-page-handler="DeleteSecret" asp-route-secret="@secret.Id"
-                                            class="btn btn-sm btn-danger">
-                                        Delete
-                                    </button>
-                                </form>
+                            <div>
+                                <span class="text-monospace">@(Model.ShowSecretValue ?? Model.App.ClientSecretDescription)</span>
+                                <br/>
+                                <span class="text-muted">Created at @Model.App. UTC</span>
                             </div>
-                        }*@
+                            @*<form method="post">
+                                <button type="submit"
+                                        asp-page-handler="DeleteSecret" asp-route-secret="@secret.Id"
+                                        class="btn btn-sm btn-danger">
+                                    Delete
+                                </button>
+                            </form>*@
+                        </div>
+                        }
                     </div>
                 </div>
             </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index 91bd565..c8fa29c 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -3,14 +3,17 @@
 using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
 using System.Security.Cryptography;
+using System.Text.Json;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
+using OpenIddict.Abstractions;
 using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
 using SS14.Web.Extensions;
+using SS14.Web.OpenId;
 using SS14.Web.OpenId.Extensions;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
@@ -61,7 +64,7 @@ public Manage(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager
         _appManager = appManager;
     }
 
-    public async Task<IActionResult> OnGetAsync(int client)
+    public async Task<IActionResult> OnGetAsync(string client)
     {
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
@@ -71,57 +74,61 @@ public async Task<IActionResult> OnGetAsync(int client)
         {
             Name = App.DisplayName,
             CallbackUrl = await _appManager.GetFirstRedirectUrl(App) ?? "",
-            HomepageUrl = await _appManager.GetHomePageProperty(App) ?? "",
+            HomepageUrl = App.WebsiteUrl ?? "",
             RequirePkce = await _appManager.GetRequiresPkceSetting(App),
-            //AllowPS256 = App.Client.AllowedIdentityTokenSigningAlgorithms?.Contains("PS256") ?? false
+            AllowPS256 = await _appManager.GetPs256Setting(App),
         };
 
         return Page();
     }
 
-    public async Task<IActionResult> OnPostUpdateAsync(int client)
+    public async Task<IActionResult> OnPostUpdateAsync(string client)
     {
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
-        //App.Client.ClientName = Input.Name;
-        //App.Client.RedirectUris = new List<ClientRedirectUri> { new() { RedirectUri = Input.CallbackUrl } };
-        //App.Client.ClientUri = Input.HomepageUrl;
-        //App.Client.RequirePkce = Input.RequirePkce;
-        //App.Client.AllowedIdentityTokenSigningAlgorithms = Input.AllowPS256 ? "PS256" : null;
+        var descriptor = new OpenIddictApplicationDescriptor();
+        await _appManager.PopulateAsync(descriptor, App);
+        descriptor.DisplayName = Input.Name;
+        descriptor.RedirectUris.Clear();
+        descriptor.RedirectUris.Add(new Uri(Input.CallbackUrl));
 
-        await _dbContext.SaveChangesAsync();
+        if (Input.RequirePkce)
+        {
+            descriptor.Requirements.Add(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
+        }
+        else
+        {
+            descriptor.Requirements.Remove(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
+        }
+
+        descriptor.Settings[OpenIdConstants.SigningAlgorithmSetting] = Input.AllowPS256
+            ? OpenIddictConstants.Algorithms.RsaSsaPssSha256
+            : null;
+
+        App.WebsiteUrl = Input.HomepageUrl;
 
+        await _appManager.UpdateAsync(App, descriptor);
         return RedirectToPage(new { client });
     }
 
-    public async Task<IActionResult> OnPostCreateSecretAsync(int client)
+    public async Task<IActionResult> OnPostCreateSecretAsync(string client)
     {
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
         var secretVal = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36));
 
-        /*var secret = new ClientSecret
-        {
-            Created = DateTime.UtcNow,
-            Type = "SharedSecret",
-            Description = $"*****{secretVal[^6..]}",
-            Value = secretVal.Sha256()
-        };*/
-
-        //App.Client.ClientSecrets ??= new List<ClientSecret>();
-        //App.Client.ClientSecrets.Add(secret);
+        App.ClientSecretDescription = $"*****{secretVal[^6..]}";
+        await _appManager.UpdateAsync(App, secretVal);
 
-        await _dbContext.SaveChangesAsync();
-
-        //ShowSecret = secret.Id;
         ShowSecretValue = secretVal;
 
         return RedirectToPage(new { client });
     }
 
-    public async Task<IActionResult> OnPostDeleteSecretAsync(int client, int secret)
+    // TODO: Delete if multiple secrets don't need to be supported.
+    public async Task<IActionResult> OnPostDeleteSecretAsync(string client, int secret)
     {
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
@@ -138,29 +145,25 @@ public async Task<IActionResult> OnPostDeleteSecretAsync(int client, int secret)
     }
 
     // Null return indicates everything good.
-    private async Task<IActionResult> GetAppAndVerifyAccess(int client)
+    private async Task<IActionResult> GetAppAndVerifyAccess(string client)
     {
         var user = await _userManager.GetUserAsync(User);
-        //App = await _dbContext.UserOAuthClients
-        //    .Include(c => c.Client)
-        //    .ThenInclude(c => c.RedirectUris)
-        //    .Include(c => c.Client)
-        //    .ThenInclude(c => c.ClientSecrets)
-        //    .SingleOrDefaultAsync(oa => oa.UserOAuthClientId == client);
 
-        //if (App == null)
-        //    return NotFound();
+        App = await _appManager.FindByIdAsync(client);
+        if (App == null)
+            return NotFound();
 
-        //if (!VerifyAppAccess(user, App))
-        //    return Forbid();
+        // ReSharper disable once ConvertIfStatementToReturnStatement
+        if (!VerifyAppAccess(user, App))
+            return Forbid();
 
         return null;
     }
 
-    /*public static bool VerifyAppAccess(
+    public static bool VerifyAppAccess(
         SpaceUser user,
-        UserOAuthClient userClient)
+        SpaceApplication app)
     {
-        return user == userClient.SpaceUser;
-    }*/
+        return user == app.SpaceUser;
+    }
 }
diff --git a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
index b9a15bc..b77e829 100644
--- a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
+++ b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
@@ -1,7 +1,13 @@
 #nullable enable
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
 using System.Threading.Tasks;
+using OpenIddict.Abstractions;
 using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Extensions;
 
 namespace SS14.Web.OpenId.Extensions;
 
@@ -15,19 +21,26 @@ public static class ApplicationManagerExtensions
         return callbackUris.IsEmpty ? null : callbackUris[0];
     }
 
-    public static async ValueTask<string?> GetHomePageProperty(
+    public static async ValueTask<bool> GetRequiresPkceSetting(
         this OpenIddictApplicationManager<SpaceApplication> manager,
         SpaceApplication app)
     {
-        var properties = await manager.GetPropertiesAsync(app);
-        return properties.TryGetValue("homepage", out var homepage) ? homepage.GetString() : null;
+        var settings = await manager.GetSettingsAsync(app);
+        return settings.ContainsKey(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
     }
 
-    public static async ValueTask<bool> GetRequiresPkceSetting(
+    public static async ValueTask<bool> GetPs256Setting(
         this OpenIddictApplicationManager<SpaceApplication> manager,
         SpaceApplication app)
     {
         var settings = await manager.GetSettingsAsync(app);
-        return settings.ContainsKey("ft:pkce");
+        return settings.TryGetValue(OpenIdConstants.SigningAlgorithmSetting, out var value)
+               && value.Equals(OpenIddictConstants.Algorithms.RsaSsaPssSha256);
+    }
+
+    public static async ValueTask<List<SpaceApplication>> FindApplicationsByUserId(this OpenIddictApplicationManager<SpaceApplication> manager, Guid userId, CancellationToken cancel = default)
+    {
+        return await manager.ListAsync(x => x.Where(a => a.SpaceUserId == userId)
+            , cancel).ToListAsync(ct: cancel);
     }
 }
diff --git a/SS14.Web/OpenId/Services/OpenIdActionService.cs b/SS14.Web/OpenId/Services/OpenIdActionService.cs
index c243931..2163a71 100644
--- a/SS14.Web/OpenId/Services/OpenIdActionService.cs
+++ b/SS14.Web/OpenId/Services/OpenIdActionService.cs
@@ -46,26 +46,24 @@ public OpenIdActionService(SignedInIdentityService signedInIdentity,
         _scopeManager = scopeManager;
     }
 
-    public Result<Void, AuthenticationValidationFailure> ValidateOpenIdAuthentication(HttpContext context, AuthenticateResult auth, OpenIddictRequest request)
+    public Result<Void, AuthenticationValidationFailure> ValidateOpenIdAuthentication(
+        HttpContext context,
+        bool ignoreChallenge,
+        AuthenticateResult auth,
+        OpenIddictRequest request)
     {
-        if (auth.Succeeded)
-            return Result<Void, AuthenticationValidationFailure>.Success(Void.Nothing);
-
-        //var ignoreChallenge = context.Session.GetString(IgnoreChallengeKey);
-
+        // Auth succeeded and nothing is forcing re-authentication
         if (auth.Succeeded
             && !request.HasPromptValue(PromptValues.Login)
             && request.MaxAge is not 0
-            && (request.MaxAge is null || auth.Properties?.IssuedUtc is null || TimeProvider.System.GetUtcNow() - auth.Properties.IssuedUtc < TimeSpan.FromSeconds(request.MaxAge.Value))
-            )//&& ignoreChallenge is null or "false")
+            && (request.MaxAge is null || auth.Properties?.IssuedUtc is null || TimeProvider.System.GetUtcNow() - auth.Properties.IssuedUtc < TimeSpan.FromSeconds(request.MaxAge.Value)))
         {
             return Result<Void, AuthenticationValidationFailure>.Success(Void.Nothing);
         }
 
-        if (request.HasPromptValue(PromptValues.None))
+        if (ignoreChallenge || request.HasPromptValue(PromptValues.None))
             return Result<Void, AuthenticationValidationFailure>.Failure(AuthenticationValidationFailure.LoginRequired);
 
-        //context.Session.SetString(IgnoreChallengeKey, "true");
         var properties = new AuthenticationProperties
         {
             RedirectUri = context.Request.PathBase + context.Request.Path + QueryString.Create(
diff --git a/SS14.Web/PersonalDataCollector.cs b/SS14.Web/PersonalDataCollector.cs
index 9bf51b4..a548588 100644
--- a/SS14.Web/PersonalDataCollector.cs
+++ b/SS14.Web/PersonalDataCollector.cs
@@ -13,6 +13,7 @@
 using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
 using SS14.Web.Extensions;
+using SS14.Web.OpenId.Extensions;
 using SS14.WebEverythingShared;
 
 namespace SS14.Web;
@@ -136,11 +137,9 @@ private async Task CollectPatrons(ZipArchive zip, SpaceUser user, CancellationTo
 
     private async Task CollectUserOAuthClients(ZipArchive zip, SpaceUser user, CancellationToken cancel)
     {
-       var applications = await applicationManager.ListAsync(
-           x => x.Where(a => a.SpaceUserId == user.Id)
-           , cancel).ToListAsync(ct: cancel);
+        var applications = await applicationManager.FindApplicationsByUserId(user.Id, cancel);
 
-       var data = applications.Select(x => new SpaceApplicationData(
+        var data = applications.Select(x => new SpaceApplicationData(
            Id: x.Id,
            UserId: x.SpaceUserId,
            ClientId: x.ClientId,
@@ -153,10 +152,10 @@ private async Task CollectUserOAuthClients(ZipArchive zip, SpaceUser user, Cance
            RedirectUris: x.RedirectUris,
            Properties: x.Properties,
            Requirements: x.Requirements,
-           Settings: x.Settings
+           Settings: x.Settings,
+           HomePageUrl: x.WebsiteUrl
        ));
 
-
        SerializeToFile(zip, "OAuthClients.json", data);
     }
 
@@ -211,7 +210,7 @@ private async Task CollectHwidUsers(ZipArchive zip, SpaceUser user, Cancellation
 
         SerializeToFile(zip, "HwidUsers.json", hwidUsers);
     }
-    
+
     private static void StringToFile(ZipArchive archive, string name, string data)
     {
         var entry = archive.CreateEntry(name, CompressionLevel.Optimal);
@@ -251,6 +250,7 @@ private sealed record SpaceApplicationData(
         string? Permissions,
         string? PostLogoutRedirectUris,
         string? RedirectUris,
+        string? HomePageUrl,
         string? Properties,
         string? Requirements,
         string? Settings);

From 2226e2dde1857991370ebbb4c2888d51f43db1ed Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Fri, 15 Aug 2025 16:10:05 +0200
Subject: [PATCH 20/43] Implement multiple client secret support

---
 .../ApplicationDbContextModelSnapshot.cs      |  22 +--
 .../Identity/Pages/Account/Consent.cshtml.cs  |   1 +
 .../Account/Manage/OAuthApps/Manage.cshtml    |   2 +-
 .../Account/Manage/OAuthApps/Manage.cshtml.cs |   2 +-
 SS14.Web/Models/Types/ClientSecretInfo.cs     |   5 +
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs |   2 +
 .../OpenId/Services/OpenIdActionService.cs    |   1 +
 .../Services/SpaceApplicationManager.cs       | 133 ++++++++++++++++++
 .../Types/AuthenticationValidationFailure.cs  |   2 +-
 .../Types/AuthorizationResult.cs              |   3 +-
 .../{Models => OpenId}/Types/ConsentResult.cs |   2 +-
 SS14.Web/SS14.Web.csproj                      |   1 -
 12 files changed, 158 insertions(+), 18 deletions(-)
 create mode 100644 SS14.Web/Models/Types/ClientSecretInfo.cs
 create mode 100644 SS14.Web/OpenId/Services/SpaceApplicationManager.cs
 rename SS14.Web/{Models => OpenId}/Types/AuthenticationValidationFailure.cs (94%)
 rename SS14.Web/{Models => OpenId}/Types/AuthorizationResult.cs (93%)
 rename SS14.Web/{Models => OpenId}/Types/ConsentResult.cs (94%)

diff --git a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
index ad4e94f..082c604 100644
--- a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
+++ b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
@@ -40,7 +40,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasKey("Id");
 
-                    b.ToTable("DataProtectionKeys");
+                    b.ToTable("DataProtectionKeys", (string)null);
                 });
 
             modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
@@ -177,7 +177,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasIndex("SpaceUserId");
 
-                    b.ToTable("AccountLogs");
+                    b.ToTable("AccountLogs", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
@@ -210,7 +210,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Hash", "SpaceUserId")
                         .IsUnique();
 
-                    b.ToTable("AuthHashes");
+                    b.ToTable("AuthHashes", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
@@ -229,7 +229,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Domain")
                         .IsUnique();
 
-                    b.ToTable("BurnerEmails");
+                    b.ToTable("BurnerEmails", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
@@ -256,7 +256,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("ClientData")
                         .IsUnique();
 
-                    b.ToTable("Hwids");
+                    b.ToTable("Hwids", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
@@ -283,7 +283,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("HwidId", "SpaceUserId")
                         .IsUnique();
 
-                    b.ToTable("HwidUsers");
+                    b.ToTable("HwidUsers", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
@@ -311,7 +311,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Token")
                         .IsUnique();
 
-                    b.ToTable("ActiveSessions");
+                    b.ToTable("ActiveSessions", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
@@ -479,7 +479,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasIndex("SpaceUserId");
 
-                    b.ToTable("PastAccountNames");
+                    b.ToTable("PastAccountNames", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
@@ -501,7 +501,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasKey("Id");
 
-                    b.ToTable("PatreonWebhookLogs");
+                    b.ToTable("PatreonWebhookLogs", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
@@ -530,7 +530,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("SpaceUserId")
                         .IsUnique();
 
-                    b.ToTable("Patrons");
+                    b.ToTable("Patrons", (string)null);
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
@@ -721,7 +721,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Domain")
                         .IsUnique();
 
-                    b.ToTable("WhitelistEmails");
+                    b.ToTable("WhitelistEmails", (string)null);
                 });
 
             modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
index 4947c3b..3485e03 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Consent.cshtml.cs
@@ -12,6 +12,7 @@
 using SS14.Web.Helpers;
 using SS14.Web.Models.Types;
 using SS14.Web.OpenId.Services;
+using SS14.Web.OpenId.Types;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
 namespace SS14.Web.Areas.Identity.Pages.Account;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index 06a63f0..7632aa6 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -78,7 +78,7 @@
 
                             <div class="list-group-item d-flex justify-content-between align-items-center @(show ? "list-group-item-success" : "")">
                             <div>
-                                <span class="text-monospace">@(Model.ShowSecretValue ?? Model.App.ClientSecretDescription)</span>
+                                @*<span class="text-monospace">@(Model.ShowSecretValue ?? Model.App.ClientSecretDescription)</span>*@
                                 <br/>
                                 <span class="text-muted">Created at @Model.App. UTC</span>
                             </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index c8fa29c..99f83af 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -119,7 +119,7 @@ public async Task<IActionResult> OnPostCreateSecretAsync(string client)
 
         var secretVal = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36));
 
-        App.ClientSecretDescription = $"*****{secretVal[^6..]}";
+        //App.ClientSecretDescription = $"*****{secretVal[^6..]}";
         await _appManager.UpdateAsync(App, secretVal);
 
         ShowSecretValue = secretVal;
diff --git a/SS14.Web/Models/Types/ClientSecretInfo.cs b/SS14.Web/Models/Types/ClientSecretInfo.cs
new file mode 100644
index 0000000..f494ecf
--- /dev/null
+++ b/SS14.Web/Models/Types/ClientSecretInfo.cs
@@ -0,0 +1,5 @@
+using System;
+
+namespace SS14.Web.Models.Types;
+
+public sealed record ClientSecretInfo(int Id, DateTime CreatedOn, string Description, bool Legacy);
diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index 5ba9901..3b23392 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -24,6 +24,8 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
         {
             options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>()
                 .ReplaceDefaultEntities<SpaceApplication, DefaultAuthorization, DefaultScope, DefaultToken, string>();
+
+            options.ReplaceApplicationManager<SpaceApplication, SpaceApplicationManager>();
         });
 
         openId.AddValidation().UseLocalServer();
diff --git a/SS14.Web/OpenId/Services/OpenIdActionService.cs b/SS14.Web/OpenId/Services/OpenIdActionService.cs
index 2163a71..d7b24f6 100644
--- a/SS14.Web/OpenId/Services/OpenIdActionService.cs
+++ b/SS14.Web/OpenId/Services/OpenIdActionService.cs
@@ -14,6 +14,7 @@
 using SS14.Auth.Shared.Data;
 using SS14.Web.Extensions;
 using SS14.Web.Models.Types;
+using SS14.Web.OpenId.Types;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 using Void = SS14.Web.Models.Types.Void;
 
diff --git a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
new file mode 100644
index 0000000..68f6382
--- /dev/null
+++ b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
@@ -0,0 +1,133 @@
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using OpenIddict.Abstractions;
+using OpenIddict.Core;
+using SS14.Auth.Shared.Data;
+using SS14.Web.Models.Types;
+
+namespace SS14.Web.OpenId.Services;
+
+public class SpaceApplicationManager(
+    IOpenIddictApplicationCache<SpaceApplication> cache,
+    ILogger<OpenIddictApplicationManager<SpaceApplication>> logger,
+    IOptionsMonitor<OpenIddictCoreOptions> options,
+    IOpenIddictApplicationStore<SpaceApplication> store)
+    : OpenIddictApplicationManager<SpaceApplication>(cache, logger, options, store)
+{
+    private const string LegacySecretPrefix = "_OLD_";
+
+    public ClientSecretInfo? FindSecretById(SpaceApplication app,
+        int id,
+        CancellationToken ct = default)
+    {
+        if (app.ClientSecret is null)
+            return null;
+
+        var span = app.ClientSecret.AsSpan();
+        var secrets = span.SplitAny(',', '.');
+        while (secrets.MoveNext())
+        {
+            if (int.Parse(span[secrets.Current]) == id)
+                return ParseSecretInfo(span, secrets);
+
+            secrets.MoveNext(); //timestamp
+            secrets.MoveNext(); //key
+            secrets.MoveNext(); //description
+        }
+
+        return null;
+    }
+
+    public List<ClientSecretInfo> ListSecrets(SpaceApplication app,
+        CancellationToken ct = default)
+    {
+        var result = new List<ClientSecretInfo>();
+        if (app.ClientSecret is null)
+            return result;
+
+        var span = app.ClientSecret.AsSpan();
+        var secrets = span.SplitAny(',', '.');
+        while (secrets.MoveNext())
+        {
+            result.Add(ParseSecretInfo(span, secrets));
+        }
+
+        return result;
+    }
+
+    // MoveNext() needs to have been called for parts once already. This is to allow checking the client secret id
+    private ClientSecretInfo ParseSecretInfo(ReadOnlySpan<char> span, MemoryExtensions.SpanSplitEnumerator<char> parts)
+    {
+        var id = span[parts.Current];
+        parts.MoveNext();
+        var timestamp = span[parts.Current];
+        parts.MoveNext();
+        var isLegacy = span[parts.Current];
+        parts.MoveNext();
+        var description = span[parts.Current];
+
+        return new ClientSecretInfo(
+            int.Parse(id),
+            DateTime.Parse(timestamp),
+            description.ToString(),
+            isLegacy.StartsWith(LegacySecretPrefix)
+        );
+    }
+
+    protected override async ValueTask<string> ObfuscateClientSecretAsync(string secret, CancellationToken ct = new())
+    {
+        var legacy = secret.StartsWith(LegacySecretPrefix);
+        if (legacy)
+            secret = secret[5..];
+
+        var secrets = secret.Split(',');
+        var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString();
+        var obfuscatedSecrets = new string[secrets.Length];
+
+        for (var i = 0; i < secrets.Length; i++)
+        {
+            // Legacy secrets are from a migration and are already hashed
+            var obfuscatedSecret = !legacy
+                ? await base.ObfuscateClientSecretAsync(secrets[i], ct)
+                : $"{LegacySecretPrefix}{secrets[i]}";
+            var description = legacy ? "legacy-please-regenerate" : secrets[i][^6..];
+            obfuscatedSecrets[i] = $"{i}.{timestamp}.{obfuscatedSecret}.{description}";
+        }
+
+        return string.Join(",", obfuscatedSecrets);
+    }
+
+    protected override async ValueTask<bool> ValidateClientSecretAsync(string secret,
+        string comparand,
+        CancellationToken ct = new())
+    {
+        var secrets = secret.Split(',');
+        foreach (var pair in secrets)
+        {
+            var value = pair.Split('.')[2];
+            var legacy = value.StartsWith(LegacySecretPrefix);
+
+            // ReSharper disable once ConvertIfStatementToSwitchStatement
+            if (legacy)
+                value = value[5..];
+
+            if (!legacy && await base.ValidateClientSecretAsync(value, comparand, ct))
+                return true;
+
+            if (legacy && await ValidateLegacySecret(value, comparand, ct))
+                return true;
+        }
+
+        return false;
+    }
+
+    private async ValueTask<bool> ValidateLegacySecret(string value, string comparand, CancellationToken ct)
+    {
+        throw new NotImplementedException();
+    }
+}
diff --git a/SS14.Web/Models/Types/AuthenticationValidationFailure.cs b/SS14.Web/OpenId/Types/AuthenticationValidationFailure.cs
similarity index 94%
rename from SS14.Web/Models/Types/AuthenticationValidationFailure.cs
rename to SS14.Web/OpenId/Types/AuthenticationValidationFailure.cs
index 3c61cff..9309862 100644
--- a/SS14.Web/Models/Types/AuthenticationValidationFailure.cs
+++ b/SS14.Web/OpenId/Types/AuthenticationValidationFailure.cs
@@ -2,7 +2,7 @@
 using Microsoft.AspNetCore.Authentication;
 using OpenIddict.Abstractions;
 
-namespace SS14.Web.Models.Types;
+namespace SS14.Web.OpenId.Types;
 
 public record AuthenticationValidationFailure(
     string? Error = null,
diff --git a/SS14.Web/Models/Types/AuthorizationResult.cs b/SS14.Web/OpenId/Types/AuthorizationResult.cs
similarity index 93%
rename from SS14.Web/Models/Types/AuthorizationResult.cs
rename to SS14.Web/OpenId/Types/AuthorizationResult.cs
index 6423073..d7e1116 100644
--- a/SS14.Web/Models/Types/AuthorizationResult.cs
+++ b/SS14.Web/OpenId/Types/AuthorizationResult.cs
@@ -1,10 +1,9 @@
 #nullable enable
 using System.Collections.Immutable;
 using System.Security.Claims;
-using OpenIddict.EntityFrameworkCore.Models;
 using SS14.Auth.Shared.Data;
 
-namespace SS14.Web.Models.Types;
+namespace SS14.Web.OpenId.Types;
 
 public record AuthorizationResult(
     AuthorizationResult.ResultType Type,
diff --git a/SS14.Web/Models/Types/ConsentResult.cs b/SS14.Web/OpenId/Types/ConsentResult.cs
similarity index 94%
rename from SS14.Web/Models/Types/ConsentResult.cs
rename to SS14.Web/OpenId/Types/ConsentResult.cs
index 99429ee..547e87f 100644
--- a/SS14.Web/Models/Types/ConsentResult.cs
+++ b/SS14.Web/OpenId/Types/ConsentResult.cs
@@ -1,7 +1,7 @@
 #nullable enable
 using System.Security.Claims;
 
-namespace SS14.Web.Models.Types;
+namespace SS14.Web.OpenId.Types;
 
 public record ConsentResult(ConsentResult.ResultType Type, string? ErrorName, ClaimsPrincipal? Principal)
 {
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 7a8eb7a..1aa8c10 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -2,7 +2,6 @@
 
     <PropertyGroup>
         <TargetFramework>net9.0</TargetFramework>
-        <LangVersion>12</LangVersion>
     </PropertyGroup>
 
     <ItemGroup>

From 96ebfc9cbf9ec9adbe6d58d4f39a6d100edcc9c1 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Fri, 15 Aug 2025 20:59:23 +0200
Subject: [PATCH 21/43] Make a migration

---
 ...ceAppSecretDescriptionProperty.Designer.cs | 927 ++++++++++++++++++
 ...RemoveSpaceAppSecretDescriptionProperty.cs |  22 +
 .../ApplicationDbContextModelSnapshot.cs      |  22 +-
 3 files changed, 960 insertions(+), 11 deletions(-)
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.Designer.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.cs

diff --git a/SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.Designer.cs
new file mode 100644
index 0000000..2bb92a5
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.Designer.cs
@@ -0,0 +1,927 @@
+// <auto-generated />
+using System;
+using System.Net;
+using System.Text.Json;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using SS14.Auth.Shared.Data;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20250815165542_RemoveSpaceAppSecretDescriptionProperty")]
+    partial class RemoveSpaceAppSecretDescriptionProperty
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetRoleClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderDisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("LoginProvider", "ProviderKey");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserLogins", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserId", "RoleId");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetUserRoles", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("UserId", "LoginProvider", "Name");
+
+                    b.ToTable("AspNetUserTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<Guid?>("Actor")
+                        .HasColumnType("uuid");
+
+                    b.Property<IPAddress>("ActorAddress")
+                        .HasColumnType("inet");
+
+                    b.Property<JsonDocument>("Data")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("AccountLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.Property<long>("AuthHashId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("Hash")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<long?>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("AuthHashId");
+
+                    b.HasIndex("HwidId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Hash", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("AuthHashes");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("BurnerEmails");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<byte[]>("ClientData")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<int>("TypeCode")
+                        .HasColumnType("integer");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientData")
+                        .IsUnique();
+
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AuthorizationId");
+
+                    b.HasIndex("ReferenceId")
+                        .IsUnique();
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("ChangeTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("PastAccountNames");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Content")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Trigger")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("PatreonWebhookLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("CurrentTier")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PatreonId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("PatreonId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("Patrons");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientSecretDescription")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("SecretCreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("WebsiteUrl")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedName")
+                        .IsUnique()
+                        .HasDatabaseName("RoleNameIndex");
+
+                    b.ToTable("AspNetRoles", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AdminLocked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AdminNotes")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("EmailConfirmed")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("LastUsernameChange")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("NormalizedEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedUserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SecurityStamp")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("TwoFactorEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("UserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedEmail")
+                        .HasDatabaseName("EmailIndex");
+
+                    b.HasIndex("NormalizedUserName")
+                        .IsUnique()
+                        .HasDatabaseName("UserNameIndex");
+
+                    b.ToTable("AspNetUsers", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("WhitelistEmails");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AccountLogs")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany()
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AuthHashes")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany("Users")
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("LoginSessions")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("PastAccountNames")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithOne("Patron")
+                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Navigation("Users");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Navigation("Authorizations");
+
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Navigation("AccountLogs");
+
+                    b.Navigation("AuthHashes");
+
+                    b.Navigation("LoginSessions");
+
+                    b.Navigation("PastAccountNames");
+
+                    b.Navigation("Patron");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.cs b/SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.cs
new file mode 100644
index 0000000..b950e31
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250815165542_RemoveSpaceAppSecretDescriptionProperty.cs
@@ -0,0 +1,22 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class RemoveSpaceAppSecretDescriptionProperty : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
index 082c604..ad4e94f 100644
--- a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
+++ b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
@@ -40,7 +40,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasKey("Id");
 
-                    b.ToTable("DataProtectionKeys", (string)null);
+                    b.ToTable("DataProtectionKeys");
                 });
 
             modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
@@ -177,7 +177,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasIndex("SpaceUserId");
 
-                    b.ToTable("AccountLogs", (string)null);
+                    b.ToTable("AccountLogs");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
@@ -210,7 +210,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Hash", "SpaceUserId")
                         .IsUnique();
 
-                    b.ToTable("AuthHashes", (string)null);
+                    b.ToTable("AuthHashes");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
@@ -229,7 +229,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Domain")
                         .IsUnique();
 
-                    b.ToTable("BurnerEmails", (string)null);
+                    b.ToTable("BurnerEmails");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
@@ -256,7 +256,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("ClientData")
                         .IsUnique();
 
-                    b.ToTable("Hwids", (string)null);
+                    b.ToTable("Hwids");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
@@ -283,7 +283,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("HwidId", "SpaceUserId")
                         .IsUnique();
 
-                    b.ToTable("HwidUsers", (string)null);
+                    b.ToTable("HwidUsers");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
@@ -311,7 +311,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Token")
                         .IsUnique();
 
-                    b.ToTable("ActiveSessions", (string)null);
+                    b.ToTable("ActiveSessions");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
@@ -479,7 +479,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasIndex("SpaceUserId");
 
-                    b.ToTable("PastAccountNames", (string)null);
+                    b.ToTable("PastAccountNames");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
@@ -501,7 +501,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.HasKey("Id");
 
-                    b.ToTable("PatreonWebhookLogs", (string)null);
+                    b.ToTable("PatreonWebhookLogs");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
@@ -530,7 +530,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("SpaceUserId")
                         .IsUnique();
 
-                    b.ToTable("Patrons", (string)null);
+                    b.ToTable("Patrons");
                 });
 
             modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
@@ -721,7 +721,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.HasIndex("Domain")
                         .IsUnique();
 
-                    b.ToTable("WhitelistEmails", (string)null);
+                    b.ToTable("WhitelistEmails");
                 });
 
             modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>

From 952ec46c6393b2d41106fae7599240affd70c26e Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 17 Aug 2025 18:21:01 +0200
Subject: [PATCH 22/43] Implement methods for working with multiple secrets
 Implement unit tests for multiple secret handling methods

---
 .../TestMultipleClientSecretHandling.cs       |  44 +++++
 .../Account/Manage/OAuthApps/Manage.cshtml.cs |   7 +-
 SS14.Web/Models/Types/ClientSecretInfo.cs     |   2 +-
 .../Services/SpaceApplicationManager.cs       | 164 ++++++++++++++----
 4 files changed, 175 insertions(+), 42 deletions(-)
 create mode 100644 SS14.Web.Tests/TestMultipleClientSecretHandling.cs

diff --git a/SS14.Web.Tests/TestMultipleClientSecretHandling.cs b/SS14.Web.Tests/TestMultipleClientSecretHandling.cs
new file mode 100644
index 0000000..7901bc7
--- /dev/null
+++ b/SS14.Web.Tests/TestMultipleClientSecretHandling.cs
@@ -0,0 +1,44 @@
+#nullable enable
+using System;
+using JetBrains.Annotations;
+using NUnit.Framework;
+using SS14.Web.Models.Types;
+using SS14.Web.OpenId.Services;
+
+namespace SS14.Web.Tests;
+
+public class TestMultipleClientSecretHandling
+{
+    [TestCase( "0.1755342104.key1111.desc", 0, ExpectedResult = 0)]
+    [TestCase( "0.1755342104.key1111.desc", 1, ExpectedResult = null)]
+    [TestCase( "0.1755342104.key1111.desc,1.1755342104.key2222.desc", 1, ExpectedResult = 1)]
+    public int? TestFindById(string secrets, int id)
+    {
+        return SpaceApplicationManager.Functions.FindById(secrets, id)?.Id;
+    }
+
+    [TestCase( "0.1755342104.key1111.desc", "key2222", 2, 1)]
+    [TestCase( null, "key2222", 1, 0)]
+    [TestCase( "1.1755342104.key1111.desc", "key2222", 2, 2)]
+    public void TestAdd(string? secrets, string obfuscatedSecret, int count, int id)
+    {
+        var result = SpaceApplicationManager.Functions.AddSecret(secrets, obfuscatedSecret);
+        // 3 dots for each secret.
+        Assert.That(() => result.Item1.AsSpan().Count('.'), Is.EqualTo(count * 3));
+        Assert.That(() => result.Item2.Id, Is.EqualTo(id));
+        Assert.That(() => result.Item2.Description, Is.EqualTo(obfuscatedSecret[^6..]));
+    }
+
+    [TestCase( "0.1755342104.key1111.desc", 0, ExpectedResult = null)]
+    [TestCase( "0.1755342104.key1111.desc", 1, ExpectedResult = "0.1755342104.key1111.desc")]
+    [TestCase( "0.1755342104.key1111.desc,1.1755342104.key2222.desc", 1,
+        ExpectedResult = "0.1755342104.key1111.desc")]
+    [TestCase( "0.1755342104.key1111.desc,1.1755342104.key2222.desc", 0,
+        ExpectedResult = "1.1755342104.key2222.desc")]
+    [TestCase( "0.1755342104.key1111.desc,1.1755342104.key2222.desc,2.1755342104.key3333.desc", 1,
+        ExpectedResult = "0.1755342104.key1111.desc,2.1755342104.key3333.desc")]
+    public string? TestRemove(string secrets, int id)
+    {
+        return SpaceApplicationManager.Functions.RemoveSecret(secrets, id);
+    }
+}
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index 99f83af..ea80a7d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -15,6 +15,7 @@
 using SS14.Web.Extensions;
 using SS14.Web.OpenId;
 using SS14.Web.OpenId.Extensions;
+using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
 
@@ -24,7 +25,7 @@ public class Manage : PageModel
 {
     private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
-    private readonly OpenIddictApplicationManager<SpaceApplication> _appManager;
+    private readonly SpaceApplicationManager _appManager;
 
     //public UserOAuthClient App { get; set; }
     public SpaceApplication App { get; set; }
@@ -57,7 +58,7 @@ public sealed class InputModel
         public bool AllowPS256 { get; set; } = true;
     }
 
-    public Manage(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager, OpenIddictApplicationManager<SpaceApplication> appManager)
+    public Manage(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager, SpaceApplicationManager appManager)
     {
         _dbContext = dbContext;
         _userManager = userManager;
@@ -121,7 +122,7 @@ public async Task<IActionResult> OnPostCreateSecretAsync(string client)
 
         //App.ClientSecretDescription = $"*****{secretVal[^6..]}";
         await _appManager.UpdateAsync(App, secretVal);
-
+        ShowSecret = 1;
         ShowSecretValue = secretVal;
 
         return RedirectToPage(new { client });
diff --git a/SS14.Web/Models/Types/ClientSecretInfo.cs b/SS14.Web/Models/Types/ClientSecretInfo.cs
index f494ecf..a2d0ba8 100644
--- a/SS14.Web/Models/Types/ClientSecretInfo.cs
+++ b/SS14.Web/Models/Types/ClientSecretInfo.cs
@@ -2,4 +2,4 @@
 
 namespace SS14.Web.Models.Types;
 
-public sealed record ClientSecretInfo(int Id, DateTime CreatedOn, string Description, bool Legacy);
+public sealed record ClientSecretInfo(int Id, DateTimeOffset CreatedOn, string Description, bool Legacy);
diff --git a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
index 68f6382..ebeff59 100644
--- a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
+++ b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
@@ -21,30 +21,12 @@ public class SpaceApplicationManager(
 {
     private const string LegacySecretPrefix = "_OLD_";
 
-    public ClientSecretInfo? FindSecretById(SpaceApplication app,
-        int id,
-        CancellationToken ct = default)
+    public ClientSecretInfo? FindSecretById(SpaceApplication app, int id, CancellationToken ct = default)
     {
-        if (app.ClientSecret is null)
-            return null;
-
-        var span = app.ClientSecret.AsSpan();
-        var secrets = span.SplitAny(',', '.');
-        while (secrets.MoveNext())
-        {
-            if (int.Parse(span[secrets.Current]) == id)
-                return ParseSecretInfo(span, secrets);
-
-            secrets.MoveNext(); //timestamp
-            secrets.MoveNext(); //key
-            secrets.MoveNext(); //description
-        }
-
-        return null;
+        return app.ClientSecret is null ? null : Functions.FindById(app.ClientSecret, id);
     }
 
-    public List<ClientSecretInfo> ListSecrets(SpaceApplication app,
-        CancellationToken ct = default)
+    public List<ClientSecretInfo> ListSecrets(SpaceApplication app, CancellationToken ct = default)
     {
         var result = new List<ClientSecretInfo>();
         if (app.ClientSecret is null)
@@ -54,29 +36,30 @@ public List<ClientSecretInfo> ListSecrets(SpaceApplication app,
         var secrets = span.SplitAny(',', '.');
         while (secrets.MoveNext())
         {
-            result.Add(ParseSecretInfo(span, secrets));
+            result.Add(Functions.ParseSecretInfo(span, secrets));
         }
 
         return result;
     }
 
-    // MoveNext() needs to have been called for parts once already. This is to allow checking the client secret id
-    private ClientSecretInfo ParseSecretInfo(ReadOnlySpan<char> span, MemoryExtensions.SpanSplitEnumerator<char> parts)
+    public async ValueTask<ClientSecretInfo> AddSecret(SpaceApplication app, string secret, CancellationToken ct = default)
+    {
+        var key = await base.ObfuscateClientSecretAsync(secret, ct);
+        var (secretsString, info) = Functions.AddSecret(app.ClientSecret, key);
+        await Store.SetClientSecretAsync(app, secretsString, ct);
+        return info;
+    }
+
+    public async ValueTask RemoveSecret(SpaceApplication app, int id, CancellationToken ct = default)
     {
-        var id = span[parts.Current];
-        parts.MoveNext();
-        var timestamp = span[parts.Current];
-        parts.MoveNext();
-        var isLegacy = span[parts.Current];
-        parts.MoveNext();
-        var description = span[parts.Current];
-
-        return new ClientSecretInfo(
-            int.Parse(id),
-            DateTime.Parse(timestamp),
-            description.ToString(),
-            isLegacy.StartsWith(LegacySecretPrefix)
-        );
+        if (app.ClientSecret is null)
+            return;
+
+        var result = Functions.RemoveSecret(app.ClientSecret, id);
+        if (result == app.ClientSecret)
+            return;
+
+        await Store.SetClientSecretAsync(app, result, ct);
     }
 
     protected override async ValueTask<string> ObfuscateClientSecretAsync(string secret, CancellationToken ct = new())
@@ -130,4 +113,109 @@ private async ValueTask<bool> ValidateLegacySecret(string value, string comparan
     {
         throw new NotImplementedException();
     }
+
+    public static class Functions
+    {
+        // MoveNext() needs to have been called for parts once already. This is to allow checking the client secret id
+        public static ClientSecretInfo ParseSecretInfo(ReadOnlySpan<char> span, MemoryExtensions.SpanSplitEnumerator<char> parts)
+        {
+            var id = span[parts.Current];
+            parts.MoveNext();
+            var timestamp = span[parts.Current];
+            parts.MoveNext();
+            var isLegacy = span[parts.Current];
+            parts.MoveNext();
+            var description = span[parts.Current];
+
+            return new ClientSecretInfo(
+                int.Parse(id),
+                DateTimeOffset.FromUnixTimeSeconds(long.Parse(timestamp)),
+                description.ToString(),
+                isLegacy.StartsWith(LegacySecretPrefix)
+            );
+        }
+
+        public static ClientSecretInfo? FindById(string secret, int id)
+        {
+            var span = secret.AsSpan();
+            var parts = span.SplitAny(',', '.');
+            while (parts.MoveNext())
+            {
+                if (int.Parse(span[parts.Current]) == id)
+                    return Functions.ParseSecretInfo(span, parts);
+
+                parts.MoveNext(); //timestamp
+                parts.MoveNext(); //key
+                parts.MoveNext(); //description
+            }
+
+            return null;
+        }
+
+        public static (string, ClientSecretInfo) AddSecret(string? secrets, string obfuscatedSecret)
+        {
+            var id = 0;
+
+            if (secrets is not null)
+            {
+                var span = secrets.AsSpan();
+                var parts = span.SplitAny(',', '.');
+                while (parts.MoveNext())
+                {
+                    if (int.Parse(span[parts.Current]) >= id)
+                        id = int.Parse(span[parts.Current]) + 1;
+
+                    parts.MoveNext(); //timestamp
+                    parts.MoveNext(); //key
+                    parts.MoveNext(); //description
+                }
+            }
+
+            var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString();
+            var description = obfuscatedSecret[^6..];
+            var secretInfoString = $"{id}.{timestamp}.{obfuscatedSecret}.{description}";
+            var secretsString = secrets is null ? secretInfoString : $"{secrets},{secretInfoString}";
+            var secretInfo = new ClientSecretInfo(id, DateTimeOffset.UtcNow, description, false);
+            return (secretsString, secretInfo);
+        }
+
+        public static string? RemoveSecret(string secrets, int id)
+        {
+            var span = secrets.AsSpan();
+            var parts = span.SplitAny(',', '.');
+            while (parts.MoveNext())
+            {
+                if (int.Parse(span[parts.Current]) == id)
+                {
+                    var start = span[..parts.Current.Start.Value];
+                    if (start.StartsWith(','))
+                        start = start[1..];
+
+                    if (start.EndsWith(','))
+                        start = start[..^1];
+
+                    parts.MoveNext(); //timestamp
+                    parts.MoveNext(); //key
+                    parts.MoveNext(); //description
+
+                    var end = span[parts.Current.End.Value..];
+                    if (end.StartsWith(','))
+                        end = end[1..];
+
+                    if (end.EndsWith(','))
+                        end = end[..^1];
+
+                    var comma = start.IsEmpty || end.IsEmpty ? string.Empty : ",";
+                    var result = $"{start}{comma}{end}";
+                    return result.Equals(string.Empty) ? null : result;
+                }
+
+                parts.MoveNext(); //timestamp
+                parts.MoveNext(); //key
+                parts.MoveNext(); //description
+            }
+
+            return secrets;
+        }
+    }
 }

From 49d3d26288f2852b6e841c0a50f3a151555b3def Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 17 Aug 2025 20:51:18 +0200
Subject: [PATCH 23/43] Re-Implement developer and oauth manage page

---
 ...RemoveSecretDescriptionAndDate.Designer.cs | 921 ++++++++++++++++++
 ...17184858_RemoveSecretDescriptionAndDate.cs |  39 +
 .../ApplicationDbContextModelSnapshot.cs      |   6 -
 SS14.Auth.Shared/Data/SpaceApplication.cs     |   4 -
 .../Pages/Account/Manage/Developer.cshtml     |   8 +-
 .../Pages/Account/Manage/Developer.cshtml.cs  |  19 +-
 .../Account/Manage/OAuthApps/Manage.cshtml    |  22 +-
 .../Account/Manage/OAuthApps/Manage.cshtml.cs |  23 +-
 .../ApplicationManagerExtensions.cs           |   6 +-
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs |   1 +
 .../Services/SpaceApplicationManager.cs       |  14 +-
 11 files changed, 1004 insertions(+), 59 deletions(-)
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.Designer.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.cs

diff --git a/SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.Designer.cs
new file mode 100644
index 0000000..11539c0
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.Designer.cs
@@ -0,0 +1,921 @@
+// <auto-generated />
+using System;
+using System.Net;
+using System.Text.Json;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using SS14.Auth.Shared.Data;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20250817184858_RemoveSecretDescriptionAndDate")]
+    partial class RemoveSecretDescriptionAndDate
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetRoleClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderDisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("LoginProvider", "ProviderKey");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserLogins", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserId", "RoleId");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetUserRoles", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("UserId", "LoginProvider", "Name");
+
+                    b.ToTable("AspNetUserTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<Guid?>("Actor")
+                        .HasColumnType("uuid");
+
+                    b.Property<IPAddress>("ActorAddress")
+                        .HasColumnType("inet");
+
+                    b.Property<JsonDocument>("Data")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("AccountLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.Property<long>("AuthHashId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("Hash")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<long?>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("AuthHashId");
+
+                    b.HasIndex("HwidId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Hash", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("AuthHashes");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("BurnerEmails");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<byte[]>("ClientData")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<int>("TypeCode")
+                        .HasColumnType("integer");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientData")
+                        .IsUnique();
+
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AuthorizationId");
+
+                    b.HasIndex("ReferenceId")
+                        .IsUnique();
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("ChangeTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("PastAccountNames");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Content")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Trigger")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("PatreonWebhookLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("CurrentTier")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PatreonId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("PatreonId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("Patrons");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("WebsiteUrl")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedName")
+                        .IsUnique()
+                        .HasDatabaseName("RoleNameIndex");
+
+                    b.ToTable("AspNetRoles", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AdminLocked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AdminNotes")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("EmailConfirmed")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("LastUsernameChange")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("NormalizedEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedUserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SecurityStamp")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("TwoFactorEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("UserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedEmail")
+                        .HasDatabaseName("EmailIndex");
+
+                    b.HasIndex("NormalizedUserName")
+                        .IsUnique()
+                        .HasDatabaseName("UserNameIndex");
+
+                    b.ToTable("AspNetUsers", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("WhitelistEmails");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AccountLogs")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany()
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AuthHashes")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany("Users")
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("LoginSessions")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("PastAccountNames")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithOne("Patron")
+                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Navigation("Users");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Navigation("Authorizations");
+
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Navigation("AccountLogs");
+
+                    b.Navigation("AuthHashes");
+
+                    b.Navigation("LoginSessions");
+
+                    b.Navigation("PastAccountNames");
+
+                    b.Navigation("Patron");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.cs b/SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.cs
new file mode 100644
index 0000000..94b4caf
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250817184858_RemoveSecretDescriptionAndDate.cs
@@ -0,0 +1,39 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class RemoveSecretDescriptionAndDate : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "ClientSecretDescription",
+                table: "OpenIddictApplications");
+
+            migrationBuilder.DropColumn(
+                name: "SecretCreationDate",
+                table: "OpenIddictApplications");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<string>(
+                name: "ClientSecretDescription",
+                table: "OpenIddictApplications",
+                type: "text",
+                nullable: true);
+
+            migrationBuilder.AddColumn<DateTime>(
+                name: "SecretCreationDate",
+                table: "OpenIddictApplications",
+                type: "timestamp with time zone",
+                nullable: true);
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
index ad4e94f..f48e1b6 100644
--- a/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
+++ b/SS14.Auth.Shared/Data/Migrations/ApplicationDbContextModelSnapshot.cs
@@ -550,9 +550,6 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Property<string>("ClientSecret")
                         .HasColumnType("text");
 
-                    b.Property<string>("ClientSecretDescription")
-                        .HasColumnType("text");
-
                     b.Property<string>("ClientType")
                         .HasMaxLength(50)
                         .HasColumnType("character varying(50)");
@@ -593,9 +590,6 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Property<string>("Requirements")
                         .HasColumnType("text");
 
-                    b.Property<DateTime?>("SecretCreationDate")
-                        .HasColumnType("timestamp with time zone");
-
                     b.Property<string>("Settings")
                         .HasColumnType("text");
 
diff --git a/SS14.Auth.Shared/Data/SpaceApplication.cs b/SS14.Auth.Shared/Data/SpaceApplication.cs
index 5c0554c..5f7150c 100644
--- a/SS14.Auth.Shared/Data/SpaceApplication.cs
+++ b/SS14.Auth.Shared/Data/SpaceApplication.cs
@@ -12,8 +12,4 @@ public sealed class SpaceApplication : OpenIddictEntityFrameworkCoreApplication<
     public SpaceUser? SpaceUser { get; set; }
     public string? LogoUri { get; set; }
     public string? WebsiteUrl { get; set; }
-
-    public string? ClientSecretDescription { get; set; }
-
-    public DateTime? SecretCreationDate { get; set; }
 }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
index b7d6720..eff5c32 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml
@@ -18,10 +18,8 @@
 </p>
 
 <div class="list-group-flush">
-    @*@foreach (var app in Model.OAuthClients)
+    @foreach (var app in Model.Apps)
     {
-        TODO: Replace identityserver4 code in this file
-
-        <a asp-page="./OAuthApps/Manage" asp-route-client="@app.UserOAuthClientId" class="list-group-item">@app.Client.ClientName</a>
-    }*@
+        <a asp-page="./OAuthApps/Manage" asp-route-client="@app.Id" class="list-group-item">@app.DisplayName</a>
+    }
 </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
index 3cd4c6c..c52c9d0 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
@@ -1,33 +1,32 @@
-using System.Collections.Generic;
+#nullable enable
+using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
 using SS14.Auth.Shared.Data;
+using SS14.Web.OpenId.Extensions;
+using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage;
 
 public class Developer : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
+    private readonly SpaceApplicationManager _appManager;
 
-    //public List<UserOAuthClient> OAuthClients { get; set; }
+    public List<SpaceApplication> Apps { get; set; } = [];
 
-    public Developer(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager)
+    public Developer(UserManager<SpaceUser> userManager, SpaceApplicationManager appManager)
     {
-        _dbContext = dbContext;
         _userManager = userManager;
+        _appManager = appManager;
     }
 
     public async Task OnGetAsync()
     {
         var user = await _userManager.GetUserAsync(User);
-
-        /*OAuthClients = await _dbContext.UserOAuthClients
-            .Include(oa => oa.Client)
-            .Where(oa => oa.SpaceUser == user)
-            .ToListAsync();*/
+        Apps = await _appManager.FindApplicationsByUserId(user!.Id);
     }
 }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index 7632aa6..7ce4359 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -21,7 +21,7 @@
             <strong>Client ID:</strong> <span class="text-monospace">@Model.App.ClientId</span><br/>
             Only Authorization Code flow is accepted<br/>
             Available scopes are: <span class="text-monospace">openid</span>, <span class="text-monospace">profile</span>, <span class="text-monospace">email</span><br/>
-            SS14 implements OpenID Connect via IdentityServer4. See <a class="text-monospace" href="@Url.Content("~/.well-known/openid-configuration")">.well-known/openid-configuration</a> for config and endpoints.
+            SS14 implements OpenID Connect via OpenIddict. See <a class="text-monospace" href="@Url.Content("~/.well-known/openid-configuration")">.well-known/openid-configuration</a> for config and endpoints.
         </div>
     </div>
     <div class="row">
@@ -70,25 +70,23 @@
                 <div class="col">
                     <div class="list-group">
                         @* TODO: Change once I know if I need to support multiple secrets *@
-                        @*@foreach (var secret in Model.App.Client.ClientSecrets.OrderByDescending(a => a.Created))*@
-                        @{
-                            var show = Model.ShowSecretValue != null;//Model.ShowSecret == secret.Id;
-                            //if (secret.Type != "SharedSecret")
-                            //continue;
+                        @foreach (var secret in Model.Secrets.OrderByDescending(a => a.CreatedOn))
+                        {
+                            var show = Model.ShowSecret == secret.Id;
 
                             <div class="list-group-item d-flex justify-content-between align-items-center @(show ? "list-group-item-success" : "")">
                             <div>
-                                @*<span class="text-monospace">@(Model.ShowSecretValue ?? Model.App.ClientSecretDescription)</span>*@
+                                <span class="text-monospace">@(show ? Model.ShowSecretValue : $"****************************{secret.Description}")</span>
                                 <br/>
-                                <span class="text-muted">Created at @Model.App. UTC</span>
+                                <span class="text-muted">Created at @secret.CreatedOn UTC</span>
                             </div>
-                            @*<form method="post">
+                            <form method="post">
                                 <button type="submit"
                                         asp-page-handler="DeleteSecret" asp-route-secret="@secret.Id"
                                         class="btn btn-sm btn-danger">
                                     Delete
                                 </button>
-                            </form>*@
+                            </form>
                         </div>
                         }
                     </div>
@@ -98,11 +96,11 @@
     </div>
     <div class="row">
         <div class="col">
-            @*<a asp-page="./ConfirmDelete" class="btn btn-danger" asp-route-client="@Model.App.UserOAuthClientId">Delete</a>
+            <a asp-page="./ConfirmDelete" class="btn btn-danger" asp-route-client="@Model.App.Id">Delete</a>
             @if (User.IsInRole(AuthConstants.RoleSysAdmin))
             {
                 <a asp-area="Admin" asp-page="/Clients/Client" class="btn btn-primary" asp-route-id="@Model.App.ClientId">Hub Admin</a>
-            }*@
+            }
         </div>
     </div>
 </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index ea80a7d..3c95140 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -13,6 +13,7 @@
 using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
 using SS14.Web.Extensions;
+using SS14.Web.Models.Types;
 using SS14.Web.OpenId;
 using SS14.Web.OpenId.Extensions;
 using SS14.Web.OpenId.Services;
@@ -32,7 +33,9 @@ public class Manage : PageModel
 
     [BindProperty] public InputModel Input { get; set; }
 
-    [TempData] public int ShowSecret { get; set; }
+    public List<ClientSecretInfo> Secrets { get; set; }
+
+    [TempData] public int? ShowSecret { get; set; }
     [TempData] public string ShowSecretValue { get; set; }
 
     public sealed class InputModel
@@ -70,16 +73,17 @@ public async Task<IActionResult> OnGetAsync(string client)
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
-
         Input = new InputModel
         {
             Name = App.DisplayName,
             CallbackUrl = await _appManager.GetFirstRedirectUrl(App) ?? "",
             HomepageUrl = App.WebsiteUrl ?? "",
-            RequirePkce = await _appManager.GetRequiresPkceSetting(App),
+            RequirePkce = await _appManager.GetRequiresPkce(App),
             AllowPS256 = await _appManager.GetPs256Setting(App),
         };
 
+        Secrets = _appManager.ListSecrets(App);
+
         return Page();
     }
 
@@ -121,26 +125,19 @@ public async Task<IActionResult> OnPostCreateSecretAsync(string client)
         var secretVal = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36));
 
         //App.ClientSecretDescription = $"*****{secretVal[^6..]}";
-        await _appManager.UpdateAsync(App, secretVal);
-        ShowSecret = 1;
+        var secretInfo = await _appManager.AddSecret(App, secretVal);
+        ShowSecret = secretInfo.Id;
         ShowSecretValue = secretVal;
 
         return RedirectToPage(new { client });
     }
 
-    // TODO: Delete if multiple secrets don't need to be supported.
     public async Task<IActionResult> OnPostDeleteSecretAsync(string client, int secret)
     {
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
-        //var dbSecret = App.Client.ClientSecrets.Find(p => p.Id == secret);
-        //if (dbSecret == null)
-        //    return NotFound("Secret not found");
-
-        //_dbContext.ClientSecrets.Remove(dbSecret);
-
-        await _dbContext.SaveChangesAsync();
+        await _appManager.RemoveSecret(App, secret);
 
         return RedirectToPage(new {id = client});
     }
diff --git a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
index b77e829..1d9a313 100644
--- a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
+++ b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
@@ -21,12 +21,12 @@ public static class ApplicationManagerExtensions
         return callbackUris.IsEmpty ? null : callbackUris[0];
     }
 
-    public static async ValueTask<bool> GetRequiresPkceSetting(
+    public static async ValueTask<bool> GetRequiresPkce(
         this OpenIddictApplicationManager<SpaceApplication> manager,
         SpaceApplication app)
     {
-        var settings = await manager.GetSettingsAsync(app);
-        return settings.ContainsKey(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
+        var requirements = await manager.GetRequirementsAsync(app);
+        return requirements.Contains(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
     }
 
     public static async ValueTask<bool> GetPs256Setting(
diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index 3b23392..fb09f85 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -35,6 +35,7 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
         openId.AddServer().UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableStatusCodePagesIntegration();
         ConfigureCertificates(openId, builder);
 
+        builder.Services.AddScoped<SpaceApplicationManager>();
         builder.Services.AddHostedService<TestDataSeeder>();
         builder.Services.AddScoped<IdentityClaimsProvider>();
         builder.Services.AddScoped<SignedInIdentityService>();
diff --git a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
index ebeff59..e62fc06 100644
--- a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
+++ b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
@@ -36,7 +36,7 @@ public List<ClientSecretInfo> ListSecrets(SpaceApplication app, CancellationToke
         var secrets = span.SplitAny(',', '.');
         while (secrets.MoveNext())
         {
-            result.Add(Functions.ParseSecretInfo(span, secrets));
+            result.Add(Functions.ParseSecretInfo(span, ref secrets));
         }
 
         return result;
@@ -45,8 +45,9 @@ public List<ClientSecretInfo> ListSecrets(SpaceApplication app, CancellationToke
     public async ValueTask<ClientSecretInfo> AddSecret(SpaceApplication app, string secret, CancellationToken ct = default)
     {
         var key = await base.ObfuscateClientSecretAsync(secret, ct);
-        var (secretsString, info) = Functions.AddSecret(app.ClientSecret, key);
+        var (secretsString, info) = Functions.AddSecret(app.ClientSecret, key, secret[^6..]);
         await Store.SetClientSecretAsync(app, secretsString, ct);
+        await base.UpdateAsync(app, ct);
         return info;
     }
 
@@ -60,6 +61,7 @@ public async ValueTask RemoveSecret(SpaceApplication app, int id, CancellationTo
             return;
 
         await Store.SetClientSecretAsync(app, result, ct);
+        await base.UpdateAsync(app, ct);
     }
 
     protected override async ValueTask<string> ObfuscateClientSecretAsync(string secret, CancellationToken ct = new())
@@ -117,7 +119,7 @@ private async ValueTask<bool> ValidateLegacySecret(string value, string comparan
     public static class Functions
     {
         // MoveNext() needs to have been called for parts once already. This is to allow checking the client secret id
-        public static ClientSecretInfo ParseSecretInfo(ReadOnlySpan<char> span, MemoryExtensions.SpanSplitEnumerator<char> parts)
+        public static ClientSecretInfo ParseSecretInfo(ReadOnlySpan<char> span, ref MemoryExtensions.SpanSplitEnumerator<char> parts)
         {
             var id = span[parts.Current];
             parts.MoveNext();
@@ -142,7 +144,7 @@ public static ClientSecretInfo ParseSecretInfo(ReadOnlySpan<char> span, MemoryEx
             while (parts.MoveNext())
             {
                 if (int.Parse(span[parts.Current]) == id)
-                    return Functions.ParseSecretInfo(span, parts);
+                    return Functions.ParseSecretInfo(span, ref parts);
 
                 parts.MoveNext(); //timestamp
                 parts.MoveNext(); //key
@@ -152,7 +154,7 @@ public static ClientSecretInfo ParseSecretInfo(ReadOnlySpan<char> span, MemoryEx
             return null;
         }
 
-        public static (string, ClientSecretInfo) AddSecret(string? secrets, string obfuscatedSecret)
+        public static (string, ClientSecretInfo) AddSecret(string? secrets, string obfuscatedSecret, string? desc = null)
         {
             var id = 0;
 
@@ -172,7 +174,7 @@ public static (string, ClientSecretInfo) AddSecret(string? secrets, string obfus
             }
 
             var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString();
-            var description = obfuscatedSecret[^6..];
+            var description = desc ?? obfuscatedSecret[^6..];
             var secretInfoString = $"{id}.{timestamp}.{obfuscatedSecret}.{description}";
             var secretsString = secrets is null ? secretInfoString : $"{secrets},{secretInfoString}";
             var secretInfo = new ClientSecretInfo(id, DateTimeOffset.UtcNow, description, false);

From df74a59c0a8b3808ec41d5bd45f520a3b12bf8d0 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 17 Aug 2025 21:53:08 +0200
Subject: [PATCH 24/43] Re-Implement oauth application create page

---
 .../Pages/Account/Manage/Developer.cshtml.cs  |  2 -
 .../Account/Manage/OAuthApps/Create.cshtml.cs | 79 ++++++++++---------
 .../Account/Manage/OAuthApps/Manage.cshtml    |  5 +-
 .../Account/Manage/OAuthApps/Manage.cshtml.cs | 12 +--
 4 files changed, 42 insertions(+), 56 deletions(-)

diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
index c52c9d0..7af3bd8 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Developer.cshtml.cs
@@ -1,10 +1,8 @@
 #nullable enable
 using System.Collections.Generic;
-using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.EntityFrameworkCore;
 using SS14.Auth.Shared.Data;
 using SS14.Web.OpenId.Extensions;
 using SS14.Web.OpenId.Services;
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
index 1d0198a..0cb00d5 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
@@ -1,40 +1,47 @@
-using System.ComponentModel;
+#nullable enable
+using System;
+using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
+using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
+using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
 
 [ValidateAntiForgeryToken]
 public class Create : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
+    private readonly SpaceApplicationManager _appManager;
 
-    [BindProperty] public InputModel Input { get; set; }
+    [BindProperty] public InputModel Input { get; set; }  = null!;
 
     public sealed class InputModel
     {
         [Required]
         [DisplayName("Application name")]
-        public string Name { get; set; }
+        public string Name { get; set; } = null!;
 
+        //[Url(ErrorMessage = "The Homepage URL field is not a valid fully-qualified http or https URL.")]
         [Required]
         [DisplayName("Homepage URL")]
-        public string HomepageUrl { get; set; }
+        public string HomepageUrl { get; set; }  = null!;
 
+        //[Url(ErrorMessage = "The Authorization callback URL field is not a valid fully-qualified http or https URL.")]
         [Required]
         [DisplayName("Authorization callback URL")]
-        public string CallbackUrl { get; set; }
+        public string CallbackUrl { get; set; }  = null!;
     }
 
-    public Create(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager)
+    public Create(UserManager<SpaceUser> userManager, SpaceApplicationManager appManager)
     {
-        _dbContext = dbContext;
         _userManager = userManager;
+        _appManager = appManager;
     }
 
     public void OnGet()
@@ -44,43 +51,37 @@ public void OnGet()
     public async Task<IActionResult> OnPostAsync()
     {
         var user = await _userManager.GetUserAsync(User);
-        // TODO: Replace identityserver4 code in this file
-
-        /*var client = new Client
+        var appDescriptor = new OpenIddictApplicationDescriptor
         {
-            ClientName = Input.Name,
             ClientId = Guid.NewGuid().ToString(),
-            AllowedGrantTypes = new List<ClientGrantType>
-            {
-                new() { GrantType = "authorization_code" }
-            },
-            AllowedScopes = new List<ClientScope>
-            {
-                new() { Scope = "openid" },
-                new() { Scope = "profile" },
-                new() { Scope = "email" }
-            },
-            AllowedIdentityTokenSigningAlgorithms = "PS256",
-            RedirectUris = new List<ClientRedirectUri>
+            ClientSecret = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36)),
+            ClientType = OpenIddictConstants.ClientTypes.Confidential,
+            ConsentType = OpenIddictConstants.ConsentTypes.Explicit,
+            DisplayName = Input.Name,
+            RedirectUris = { new Uri(Input.CallbackUrl) },
+            Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
+            Permissions =
             {
-                new() { RedirectUri = Input.CallbackUrl }
+                OpenIddictConstants.Permissions.Endpoints.Authorization,
+                OpenIddictConstants.Permissions.Endpoints.Token,
+                OpenIddictConstants.Permissions.Endpoints.Introspection,
+                OpenIddictConstants.Permissions.Endpoints.EndSession,
+                OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
+                OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
+                OpenIddictConstants.Permissions.ResponseTypes.Code,
+                OpenIddictConstants.Permissions.Scopes.Email,
+                OpenIddictConstants.Permissions.Scopes.Profile,
+                OpenIddictConstants.Permissions.Scopes.Roles,
             },
-            ClientUri = Input.HomepageUrl,
-            RequireConsent = true
         };
 
-        var userClient = new UserOAuthClient
-        {
-            SpaceUser = user,
-            Client = client
-        };
-
-        _dbContext.Clients.Add(client);
-        _dbContext.UserOAuthClients.Add(userClient);
-
-        await _dbContext.SaveChangesAsync();
+        var app = await _appManager.CreateAsync(appDescriptor);
+        app.SpaceUserId = user!.Id;
+        app.WebsiteUrl = Input.HomepageUrl;
+        await _appManager.UpdateAsync(app);
 
-        return RedirectToPage("Manage", new { client = userClient.UserOAuthClientId });*/
-        return NotFound();
+        TempData["ShowSecret"] = 0;
+        TempData["ShowSecretValue"] = appDescriptor.ClientSecret;
+        return RedirectToPage("Manage", new { client = app.Id });
     }
 }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index 7ce4359..1cf31b3 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -2,8 +2,6 @@
 @using SS14.Auth.Shared
 @model SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps.Manage
 
-@* TODO: Replace identityserver4 code in this file *@
-
 @{
     Layout = "/Views/Shared/_Layout.cshtml";
     ViewData["Title"] = $"Manage OAuth app {Model.App.DisplayName}";
@@ -69,14 +67,13 @@
             <div class="row">
                 <div class="col">
                     <div class="list-group">
-                        @* TODO: Change once I know if I need to support multiple secrets *@
                         @foreach (var secret in Model.Secrets.OrderByDescending(a => a.CreatedOn))
                         {
                             var show = Model.ShowSecret == secret.Id;
 
                             <div class="list-group-item d-flex justify-content-between align-items-center @(show ? "list-group-item-success" : "")">
                             <div>
-                                <span class="text-monospace">@(show ? Model.ShowSecretValue : $"****************************{secret.Description}")</span>
+                                <span class="text-monospace">@(show ? Model.ShowSecretValue : $"*****{secret.Description}")</span>
                                 <br/>
                                 <span class="text-muted">Created at @secret.CreatedOn UTC</span>
                             </div>
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index 3c95140..65a68a3 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -3,16 +3,12 @@
 using System.ComponentModel;
 using System.ComponentModel.DataAnnotations;
 using System.Security.Cryptography;
-using System.Text.Json;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.EntityFrameworkCore;
 using OpenIddict.Abstractions;
-using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
-using SS14.Web.Extensions;
 using SS14.Web.Models.Types;
 using SS14.Web.OpenId;
 using SS14.Web.OpenId.Extensions;
@@ -20,15 +16,11 @@
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
 
-// TODO: Replace identityserver4 code in this file
-
 public class Manage : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
     private readonly SpaceApplicationManager _appManager;
 
-    //public UserOAuthClient App { get; set; }
     public SpaceApplication App { get; set; }
 
     [BindProperty] public InputModel Input { get; set; }
@@ -61,9 +53,8 @@ public sealed class InputModel
         public bool AllowPS256 { get; set; } = true;
     }
 
-    public Manage(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager, SpaceApplicationManager appManager)
+    public Manage(UserManager<SpaceUser> userManager, SpaceApplicationManager appManager)
     {
-        _dbContext = dbContext;
         _userManager = userManager;
         _appManager = appManager;
     }
@@ -124,7 +115,6 @@ public async Task<IActionResult> OnPostCreateSecretAsync(string client)
 
         var secretVal = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36));
 
-        //App.ClientSecretDescription = $"*****{secretVal[^6..]}";
         var secretInfo = await _appManager.AddSecret(App, secretVal);
         ShowSecret = secretInfo.Id;
         ShowSecretValue = secretVal;

From 7effe54417af5ddcdd5b4c351a7020ece531f5f9 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 17 Aug 2025 23:05:17 +0200
Subject: [PATCH 25/43] Re-Implement confirm delete page Implement custom url
 validator

---
 .../Manage/OAuthApps/ConfirmDelete.cshtml     |  4 +-
 .../Manage/OAuthApps/ConfirmDelete.cshtml.cs  | 50 ++++++++-----------
 .../Account/Manage/OAuthApps/Create.cshtml.cs |  6 +++
 .../Account/Manage/OAuthApps/Manage.cshtml.cs |  6 +++
 SS14.Web/Models/SpaceUrlAttribute.cs          | 18 +++++++
 5 files changed, 53 insertions(+), 31 deletions(-)
 create mode 100644 SS14.Web/Models/SpaceUrlAttribute.cs

diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml
index f5e25ca..0d2b93f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml
@@ -3,9 +3,7 @@
 
 @{
     Layout = "/Views/Shared/_Layout.cshtml";
-    // TODO: Replace identityserver4 code in this file
-
-    //ViewData["Title"] = $"Delete OAuth app {Model.App.Client.ClientName}?";
+    ViewData["Title"] = $"Delete OAuth app {Model.App.DisplayName}?";
 }
 
 <div class="container">
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
index af469b7..ba3ae7b 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/ConfirmDelete.cshtml.cs
@@ -1,58 +1,52 @@
-using System.Threading.Tasks;
+#nullable enable
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
 using SS14.Auth.Shared.Data;
+using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
 
-// TODO: Replace identityserver4 code in this file
-
 public class ConfirmDelete : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
     private readonly UserManager<SpaceUser> _userManager;
+    private readonly SpaceApplicationManager _appManager;
+
+    public SpaceApplication App { get; set; } = null!;
 
-    public ConfirmDelete(ApplicationDbContext dbContext, UserManager<SpaceUser> userManager)
+    public ConfirmDelete(UserManager<SpaceUser> userManager, SpaceApplicationManager appManager)
     {
-        _dbContext = dbContext;
         _userManager = userManager;
+        _appManager = appManager;
     }
 
-    //public UserOAuthClient App { get; set; }
-
-    public async Task<IActionResult> OnGetAsync(int client)
+    public async Task<IActionResult> OnGetAsync(string client)
     {
         var user = await _userManager.GetUserAsync(User);
-        //App = await _dbContext.UserOAuthClients.Include(a => a.Client)
-        //    .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
-
-        //if (App == null)
-        //    return NotFound();
+        var app = await _appManager.FindByIdAsync(client);
+        if (app == null)
+            return NotFound();
 
-        //if (!Manage.VerifyAppAccess(user, App))
-        //    return Forbid();
+        if (app.SpaceUserId != user!.Id)
+            return Forbid();
 
+        App = app;
         return Page();
     }
 
-    public async Task<IActionResult> OnPostDeleteAsync(int client)
+    public async Task<IActionResult> OnPostDeleteAsync(string client)
     {
         var user = await _userManager.GetUserAsync(User);
-        //App = await _dbContext.UserOAuthClients.Include(a => a.Client)
-        //    .SingleOrDefaultAsync(ac => ac.UserOAuthClientId == client);
-
-        //if (App == null)
-        //    return NotFound();
-
-        //if (!Manage.VerifyAppAccess(user, App))
-        //    return Forbid();
-
-       // _dbContext.Remove(App.Client);
+        var app = await _appManager.FindByIdAsync(client);
+        if (app == null)
+            return NotFound();
 
-        await _dbContext.SaveChangesAsync();
+        if (app.SpaceUserId != user!.Id)
+            return Forbid();
 
+        await _appManager.DeleteAsync(app);
         return RedirectToPage("../Developer");
     }
 }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
index 0cb00d5..8d03920 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
@@ -9,6 +9,7 @@
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Models;
 using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
@@ -29,11 +30,13 @@ public sealed class InputModel
 
         //[Url(ErrorMessage = "The Homepage URL field is not a valid fully-qualified http or https URL.")]
         [Required]
+        [SpaceUrl]
         [DisplayName("Homepage URL")]
         public string HomepageUrl { get; set; }  = null!;
 
         //[Url(ErrorMessage = "The Authorization callback URL field is not a valid fully-qualified http or https URL.")]
         [Required]
+        [SpaceUrl]
         [DisplayName("Authorization callback URL")]
         public string CallbackUrl { get; set; }  = null!;
     }
@@ -50,6 +53,9 @@ public void OnGet()
 
     public async Task<IActionResult> OnPostAsync()
     {
+        if (!ModelState.IsValid)
+            return Page();
+
         var user = await _userManager.GetUserAsync(User);
         var appDescriptor = new OpenIddictApplicationDescriptor
         {
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index 65a68a3..9ff55e2 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -9,6 +9,7 @@
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Models;
 using SS14.Web.Models.Types;
 using SS14.Web.OpenId;
 using SS14.Web.OpenId.Extensions;
@@ -37,10 +38,12 @@ public sealed class InputModel
         public string Name { get; set; }
 
         [Required]
+        [SpaceUrl]
         [DisplayName("Homepage URL")]
         public string HomepageUrl { get; set; }
 
         [Required]
+        [SpaceUrl]
         [DisplayName("Authorization callback URL")]
         public string CallbackUrl { get; set; }
 
@@ -80,6 +83,9 @@ public async Task<IActionResult> OnGetAsync(string client)
 
     public async Task<IActionResult> OnPostUpdateAsync(string client)
     {
+        if (!ModelState.IsValid)
+            return Page();
+
         if (await GetAppAndVerifyAccess(client) is { } err)
             return err;
 
diff --git a/SS14.Web/Models/SpaceUrlAttribute.cs b/SS14.Web/Models/SpaceUrlAttribute.cs
new file mode 100644
index 0000000..4df65d8
--- /dev/null
+++ b/SS14.Web/Models/SpaceUrlAttribute.cs
@@ -0,0 +1,18 @@
+using System;
+using System.ComponentModel.DataAnnotations;
+
+namespace SS14.Web.Models;
+
+[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field | AttributeTargets.Parameter)]
+public class SpaceUrlAttribute : ValidationAttribute
+{
+    protected override ValidationResult IsValid(object value, ValidationContext context)
+    {
+        var url = value?.ToString();
+        // ReSharper disable once ConvertIfStatementToReturnStatement
+        if (!Uri.TryCreate(url, UriKind.Absolute, out _))
+            return new ValidationResult(ErrorMessage ?? "Invalid URL");
+
+        return ValidationResult.Success;
+    }
+}

From 435ea913aeec3b01244f79fce3a81b760b8ed8f1 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sun, 17 Aug 2025 23:37:47 +0200
Subject: [PATCH 26/43] Implement identityserver4 legacy SHA256 client secret
 validation

---
 SS14.Web/OpenId/Services/SpaceApplicationManager.cs | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
index e62fc06..bdeed91 100644
--- a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
+++ b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
@@ -1,6 +1,8 @@
 #nullable enable
 using System;
 using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
@@ -104,16 +106,20 @@ protected override async ValueTask<bool> ValidateClientSecretAsync(string secret
             if (!legacy && await base.ValidateClientSecretAsync(value, comparand, ct))
                 return true;
 
-            if (legacy && await ValidateLegacySecret(value, comparand, ct))
+            if (legacy && ValidateLegacySecret(value, comparand))
                 return true;
         }
 
         return false;
     }
 
-    private async ValueTask<bool> ValidateLegacySecret(string value, string comparand, CancellationToken ct)
+    // TODO: Write a unit test for this.
+    private bool ValidateLegacySecret(string secret, string comparand)
     {
-        throw new NotImplementedException();
+        var bytes = Encoding.UTF8.GetBytes(secret);
+        var hash = SHA256.HashData(bytes);
+        var comparandValue = Convert.FromBase64String(comparand.Remove(0, LegacySecretPrefix.Length));
+        return CryptographicOperations.FixedTimeEquals(hash, comparandValue);
     }
 
     public static class Functions

From fd67c7e591652d1bf30aae684e0786d50ddbbb35 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 18 Aug 2025 11:28:27 +0200
Subject: [PATCH 27/43] Re-Implement oauth client admin index and delete pages

---
 .../Admin/Pages/Clients/ConfirmDelete.cshtml  |  8 +--
 .../Pages/Clients/ConfirmDelete.cshtml.cs     | 42 +++++------
 .../Areas/Admin/Pages/Clients/Index.cshtml    | 14 ++--
 .../Areas/Admin/Pages/Clients/Index.cshtml.cs | 69 +++++++++++++------
 SS14.Web/OpenId/TestDataSeeder.cs             | 18 +++++
 5 files changed, 92 insertions(+), 59 deletions(-)

diff --git a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml
index 4bbb077..e4be3b8 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml
@@ -2,20 +2,18 @@
 @model SS14.Web.Areas.Admin.Pages.Clients.ConfirmDelete
 
 @{
-    // TODO: Replace identityserver4 code in this file
-
-    //ViewData["Title"] = $"Delete {Model.Title}?";
+    ViewData["Title"] = $"Delete {Model.Title}?";
 }
 
 <nav aria-label="breadcrumb">
     <ol class="breadcrumb">
         <li class="breadcrumb-item"><a asp-page="../Index">Hub Admin</a></li>
         <li class="breadcrumb-item"><a asp-page="./Index">OAuth Clients</a></li>
-        @*<li class="breadcrumb-item "><a asp-page="./ViewUser" asp-route-id="@Model.DbClient.Id">@Model.Title</a></li>*@
+        <li class="breadcrumb-item "><a asp-page="./ViewUser" asp-route-id="@Model.App?.Id">@Model.Title</a></li>
         <li class="breadcrumb-item active" aria-current="page">Confirm Deletion</li>
     </ol>
 </nav>
 
 <form method="post">
-    @*<button id="delete-button" type="submit" asp-page-handler="Delete" asp-route-id="@Model.DbClient.Id" class="btn btn-danger">Delete</button>*@
+    <button id="delete-button" type="submit" asp-page-handler="Delete" asp-route-id="@Model.App?.Id" class="btn btn-danger">Delete</button>
 </form>
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
index 9c904a1..15633be 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
@@ -1,51 +1,43 @@
-using System.Threading.Tasks;
+#nullable enable
+
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.EntityFrameworkCore;
 using SS14.Auth.Shared.Data;
+using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
-// TODO: Replace identityserver4 code in this file
-
 public class ConfirmDelete : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
+    private readonly SpaceApplicationManager _applicationManager;
 
-    public ConfirmDelete(ApplicationDbContext dbContext)
+    public ConfirmDelete(SpaceApplicationManager applicationManager)
     {
-        _dbContext = dbContext;
+        _applicationManager = applicationManager;
     }
 
-    //public DbClient DbClient { get; set; }
-    //public string Title => DbClient.ClientName ?? DbClient.ClientId;
+    public SpaceApplication? App { get; set; }
+    public string Title => App?.DisplayName ?? App?.ClientId ?? string.Empty;
 
-    public async Task<IActionResult> OnGetAsync(int id)
+    public async Task<IActionResult> OnGetAsync(string id)
     {
-        /*DbClient = await _dbContext.Clients.FirstOrDefaultAsync(c => c.Id == id);
-
-        if (DbClient == null)
-        {
+        App = await _applicationManager.FindByIdAsync(id);
+        if (App == null)
             return NotFound("Unknown client");
-        }*/
 
         return Page();
     }
 
-    public async Task<IActionResult> OnPostDeleteAsync(int id)
+    public async Task<IActionResult> OnPostDeleteAsync(string id)
     {
-        /*DbClient = await _dbContext.Clients.FirstOrDefaultAsync(c => c.Id == id);
-
-        if (DbClient == null)
-        {
+        var app = await _applicationManager.FindByIdAsync(id);
+        if (app == null)
             return NotFound("Unknown client");
-        }
-
-        _dbContext.Clients.Remove(DbClient);
 
-        await _dbContext.SaveChangesAsync();
+        await _applicationManager.DeleteAsync(app);
 
-        TempData["StatusMessage"] = "OAuth client deleted";*/
+        TempData["StatusMessage"] = "OAuth client deleted";
         return RedirectToPage("./Index");
     }
 }
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
index 59809c2..94e58d9 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
@@ -31,22 +31,22 @@
     </tr>
     </thead>
     <tbody>
-        @*@foreach (var (client, userClient) in Model.Clients)
+        @foreach (var app in Model.Apps)
         {
             <tr>
-                <td>@client.ClientId</td>
-                <td>@client.ClientName</td>
+                <td>@app.ClientId</td>
+                <td>@app.DisplayName</td>
                 <td>
-                    @if (userClient?.SpaceUser is { } user)
+                    @if (app.SpaceUserId is { } id)
                     {
-                        <a asp-page="../Users/ViewUser" asp-route-id="@user.Id">@user.UserName</a>
+                        <a asp-page="../Users/ViewUser" asp-route-id="@id">@(await Model.GetUserNameAsync(id))</a>
                     }
                 </td>
                 <td>
-                    <a asp-page="./Client" asp-route-id="@client.Id">View</a>
+                    <a asp-page="./Client" asp-route-id="@app.Id">View</a>
                 </td>
             </tr>
-        }*@
+        }
     </tbody>
 </table>
 
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
index 5235a3d..335474a 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
@@ -1,48 +1,73 @@
-using System.Threading.Tasks;
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+using JetBrains.Annotations;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Extensions;
+using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
-// TODO: Replace identityserver4 code in this file
-
 public class Index : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
+    private readonly SpaceApplicationManager _appManager;
+    private readonly SpaceUserManager _userManager;
 
-    //public IEnumerable<(DbClient, UserOAuthClient)> Clients { get; set; }
+    public IEnumerable<SpaceApplication> Apps { get; set; }
 
-    public Index(ApplicationDbContext dbContext)
+    public Index(SpaceApplicationManager appManager, SpaceUserManager userManager)
     {
-        _dbContext = dbContext;
+        _appManager = appManager;
+        _userManager = userManager;
     }
 
     public async Task OnGetAsync()
     {
-        /*// This is a left join
-        var query = from c in _dbContext.Clients
-            join uc in _dbContext.UserOAuthClients.Include(c => c.SpaceUser)
-                on c.Id equals uc.ClientId into grouping
-            from uc in grouping.DefaultIfEmpty()
-            orderby c.Created
-            select new { c, uc };
-
-        Clients = (await query.ToListAsync()).Select(c => (c.c, c.uc));*/
+        Apps = await _appManager.ListAsync().ToListAsync();
     }
 
     public async Task<IActionResult> OnPostNewClientAsync()
     {
-        /*var client = new IdentityServer4.EntityFramework.Entities.Client
+
+        var appDescriptor = new OpenIddictApplicationDescriptor
         {
             ClientId = Guid.NewGuid().ToString(),
+            ClientSecret = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36)),
+            ClientType = OpenIddictConstants.ClientTypes.Confidential,
+            ConsentType = OpenIddictConstants.ConsentTypes.Explicit,
+            DisplayName = "New Client",
+            Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
+            Permissions =
+            {
+                OpenIddictConstants.Permissions.Endpoints.Authorization,
+                OpenIddictConstants.Permissions.Endpoints.Token,
+                OpenIddictConstants.Permissions.Endpoints.Introspection,
+                OpenIddictConstants.Permissions.Endpoints.EndSession,
+                OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
+                OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
+                OpenIddictConstants.Permissions.ResponseTypes.Code,
+                OpenIddictConstants.Permissions.Scopes.Email,
+                OpenIddictConstants.Permissions.Scopes.Profile,
+                OpenIddictConstants.Permissions.Scopes.Roles,
+            },
         };
 
-        // ReSharper disable once MethodHasAsyncOverload
-        _dbContext.Clients.Add(client);*/
-        await _dbContext.SaveChangesAsync();
+        var app = await _appManager.CreateAsync(appDescriptor);
+
+        TempData["ShowSecret"] = 0;
+        TempData["ShowSecretValue"] = appDescriptor.ClientSecret;
+        return RedirectToPage("./Client", new { id = app.Id });
+    }
+
 
-        //return RedirectToPage("./Client", new { id = client.Id });
-        return NotFound();
+    public async Task<string?> GetUserNameAsync(Guid userId)
+    {
+        return (await _userManager.FindByIdAsync(userId.ToString()))?.UserName;
     }
 }
diff --git a/SS14.Web/OpenId/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
index 7e60d50..2de2fa0 100644
--- a/SS14.Web/OpenId/TestDataSeeder.cs
+++ b/SS14.Web/OpenId/TestDataSeeder.cs
@@ -5,6 +5,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using OpenIddict.Abstractions;
+using SS14.Auth.Shared;
 using SS14.Auth.Shared.Data;
 
 namespace SS14.Web.OpenId;
@@ -66,6 +67,21 @@ private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationTo
     private async ValueTask PopulateUsersAsync(IServiceScope scope)
     {
         var userManager = scope.ServiceProvider.GetRequiredService<UserManager<SpaceUser>>();
+        var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<SpaceRole>>();
+
+        var sysAdmin = new SpaceRole
+        {
+            Name = AuthConstants.RoleSysAdmin,
+        };
+
+        await roleManager.CreateAsync(sysAdmin);
+
+        var hubAdmin = new SpaceRole
+        {
+            Name = AuthConstants.RoleServerHubAdmin,
+        };
+
+        await roleManager.CreateAsync(hubAdmin);
 
         var user = new SpaceUser
         {
@@ -75,5 +91,7 @@ private async ValueTask PopulateUsersAsync(IServiceScope scope)
         };
 
         await userManager.CreateAsync(user, "Test123456$");
+        await userManager.AddToRoleAsync(user, AuthConstants.RoleSysAdmin);
+        await userManager.AddToRoleAsync(user, AuthConstants.RoleServerHubAdmin);
     }
 }

From 8975aa95a01f56b0a5e491700f3465c5b2d2c4e9 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Fri, 29 Aug 2025 21:12:43 +0200
Subject: [PATCH 28/43] Implement plain pkce option Work on admin oauth app
 settings page

---
 .../Areas/Admin/Pages/Clients/Client.cshtml   | 238 ++-----------
 .../Admin/Pages/Clients/Client.cshtml.cs      | 325 +++++++-----------
 .../Pages/Clients/ConfirmDelete.cshtml.cs     |   2 +-
 .../Areas/Admin/Pages/Clients/Index.cshtml    |   1 -
 .../Areas/Admin/Pages/Clients/Index.cshtml.cs |   4 +-
 .../Account/Manage/OAuthApps/Create.cshtml.cs |   2 +
 .../AuthorizationPkceVerificationHandler.cs   |  38 ++
 .../EventHandlers/TokenSigningHandler.cs      |   4 +
 .../ApplicationManagerExtensions.cs           |  55 ++-
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs |   3 +
 SS14.Web/OpenId/OpenIdConstants.cs            |   7 +-
 SS14.Web/OpenId/TestDataSeeder.cs             |   6 +-
 12 files changed, 260 insertions(+), 425 deletions(-)
 create mode 100644 SS14.Web/OpenId/EventHandlers/AuthorizationPkceVerificationHandler.cs

diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
index af46e15..3172c07 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
@@ -4,14 +4,14 @@
 @{
     // TODO: Replace identityserver4 code in this file
 
-    //ViewData["Title"] = $"OAuth Client: {Model.Title}";
+    ViewData["Title"] = $"OAuth Client: {Model.Title}";
 }
 
 <nav aria-label="breadcrumb">
     <ol class="breadcrumb">
         <li class="breadcrumb-item"><a asp-page="../Index">Hub Admin</a></li>
         <li class="breadcrumb-item"><a asp-page="./Index">OAuth Clients</a></li>
-        @*<li class="breadcrumb-item active" aria-current="page">@Model.Title</li>*@
+        <li class="breadcrumb-item active" aria-current="page">@Model.Title</li>
     </ol>
 </nav>
 
@@ -39,8 +39,8 @@
 </div>
 
 <div class="form-group row">
-    <label asp-for="Input.ProtocolType" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.ProtocolType" class="form-control col-sm-9"/>
+    <label asp-for="Input.ConsentType" class="col-sm-3 col-form-label"></label>
+    <select asp-for="Input.ConsentType" class="form-control col-sm-9" asp-items="Model.ConsentTypes.Select(x => new SelectListItem(x, x))"></select>
 </div>
 
 <div class="form-group row">
@@ -58,42 +58,6 @@
     <textarea asp-for="Input.AllowedGrantTypes" class="form-control col-sm-9"></textarea>
 </div>
 
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.RequireClientSecret" class="form-check-input"/>
-            <label asp-for="Input.RequireClientSecret" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.RequireConsent" class="form-check-input"/>
-            <label asp-for="Input.RequireConsent" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.AllowRememberConsent" class="form-check-input"/>
-            <label asp-for="Input.AllowRememberConsent" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.AlwaysIncludeUserClaimsInIdToken" class="form-check-input"/>
-            <label asp-for="Input.AlwaysIncludeUserClaimsInIdToken" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
 <div class="form-group row">
     <div class="col-sm-9 offset-sm-3">
         <div class="form-check">
@@ -112,20 +76,6 @@
     </div>
 </div>
 
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.RequireRequestObject" class="form-check-input"/>
-            <label asp-for="Input.RequireRequestObject" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.Description" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.Description" class="form-control col-sm-9"/>
-</div>
-
 <div class="form-group row">
     <label asp-for="Input.ClientUri" class="col-sm-3 col-form-label"></label>
     <input asp-for="Input.ClientUri" class="form-control col-sm-9"/>
@@ -136,43 +86,6 @@
     <input asp-for="Input.LogoUri" class="form-control col-sm-9"/>
 </div>
 
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.AllowAccessTokensViaBrowser" class="form-check-input"/>
-            <label asp-for="Input.AllowAccessTokensViaBrowser" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.FrontChannelLogoutUri" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.FrontChannelLogoutUri" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.FrontChannelLogoutSessionRequired" class="form-check-input"/>
-            <label asp-for="Input.FrontChannelLogoutSessionRequired" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.BackChannelLogoutUri" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.BackChannelLogoutUri" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.BackChannelLogoutSessionRequired" class="form-check-input"/>
-            <label asp-for="Input.BackChannelLogoutSessionRequired" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
 <div class="form-group row">
     <label asp-for="Input.PostLogoutRedirectUris" class="col-sm-3 col-form-label"></label>
     <textarea asp-for="Input.PostLogoutRedirectUris" class="form-control col-sm-9"></textarea>
@@ -187,135 +100,30 @@
     </div>
 </div>
 
-<div class="form-group row">
-    <label asp-for="Input.IdentityTokenLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.IdentityTokenLifetime" class="form-control col-sm-9"/>
-</div>
-
-
 <div class="form-group row">
     <label asp-for="Input.AllowedIdentityTokenSigningAlgorithms" class="col-sm-4 col-form-label"></label>
     <input asp-for="Input.AllowedIdentityTokenSigningAlgorithms" class="form-control col-sm-8"/>
 </div>
-
-
-<div class="form-group row">
-    <label asp-for="Input.AccessTokenLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.AccessTokenLifetime" class="form-control col-sm-9"/>
-</div>
-
-
-<div class="form-group row">
-    <label asp-for="Input.AuthorizationCodeLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.AuthorizationCodeLifetime" class="form-control col-sm-9"/>
+<div class="row">
+    <p class="col-sm-3 font-weight-bold">Lifetimes</p>
+    <p class="col-sm-9 text-muted">0 = default</p>
 </div>
-
-
 <div class="form-group row">
-    <label asp-for="Input.ConsentLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.ConsentLifetime" class="form-control col-sm-9"/>
-</div>
-
-
-<div class="form-group row">
-    <label asp-for="Input.AbsoluteRefreshTokenLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.AbsoluteRefreshTokenLifetime" class="form-control col-sm-9"/>
-</div>
-
-
-<div class="form-group row">
-    <label asp-for="Input.SlidingRefreshTokenLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.SlidingRefreshTokenLifetime" class="form-control col-sm-9"/>
-</div>
-
-
-<div class="form-group row">
-    <label asp-for="Input.RefreshTokenUsage" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.RefreshTokenUsage" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.UpdateAccessTokenClaimsOnRefresh" class="form-check-input"/>
-            <label asp-for="Input.UpdateAccessTokenClaimsOnRefresh" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.RefreshTokenExpiration" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.RefreshTokenExpiration" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.AccessTokenType" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.AccessTokenType" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.EnableLocalLogin" class="form-check-input"/>
-            <label asp-for="Input.EnableLocalLogin" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.IncludeJwtId" class="form-check-input"/>
-            <label asp-for="Input.IncludeJwtId" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <div class="col-sm-9 offset-sm-3">
-        <div class="form-check">
-            <input asp-for="Input.AlwaysSendClientClaims" class="form-check-input"/>
-            <label asp-for="Input.AlwaysSendClientClaims" class="form-check-label"></label>
-        </div>
-    </div>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.ClientClaimsPrefix" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.ClientClaimsPrefix" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.PairWiseSubjectSalt" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.PairWiseSubjectSalt" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.UserSsoLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.UserSsoLifetime" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.UserCodeType" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.UserCodeType" class="form-control col-sm-9"/>
-</div>
-
-<div class="form-group row">
-    <label asp-for="Input.DeviceCodeLifetime" class="col-sm-3 col-form-label"></label>
-    <input asp-for="Input.DeviceCodeLifetime" class="form-control col-sm-9"/>
+    <label asp-for="Input.IdentityTokenLifetime" class="col-sm-3 col-form-label"></label>
+    <input asp-for="Input.IdentityTokenLifetime" class="form-control col-sm-9"/>
 </div>
 
 <div class="form-group row">
-    <label asp-for="Input.AllowedCorsOrigins" class="col-sm-3 col-form-label"></label>
-    <textarea asp-for="Input.AllowedCorsOrigins" class="form-control col-sm-9"></textarea>
+    <label asp-for="Input.AccessTokenLifetime" class="col-sm-3 col-form-label"></label>
+    <input asp-for="Input.AccessTokenLifetime" class="form-control col-sm-9"/>
 </div>
 
 <div class="form-group row">
-    <label asp-for="Input.IdentityProviderRestrictions" class="col-sm-3 col-form-label"></label>
-    <textarea asp-for="Input.IdentityProviderRestrictions" class="form-control col-sm-9"></textarea>
+    <label asp-for="Input.RefreshTokenLifetime" class="col-sm-3 col-form-label"></label>
+    <input asp-for="Input.RefreshTokenLifetime" class="form-control col-sm-9"/>
 </div>
 
-@*<button id="save-button" type="submit" asp-page-handler="Save" asp-route-id="@Model.DbClient.Id" class="btn btn-primary btn-sm">Save</button>*@
+<button id="save-button" type="submit" asp-page-handler="Save" asp-route-id="@Model.App?.Id" class="btn btn-primary btn-sm">Save</button>
 </form>
 
 <h5 class="mt-5">Secrets</h5>
@@ -324,18 +132,18 @@
     <thead>
     <tr>
         <th>Description</th>
-        <th>Type</th>
+        <th>Is Legacy?</th>
         <th>Created</th>
         <th></th>
     </tr>
     </thead>
     <tbody>
-    @*@foreach (var secret in Model.Secrets)
+    @foreach (var secret in Model.Secrets)
     {
         <tr>
             <td>@secret.Description</td>
-            <td>@secret.Type</td>
-            <td>@secret.Created.ToUniversalTime() UTC</td>
+            <td>@secret.Legacy</td>
+            <td>@secret.CreatedOn.ToUniversalTime() UTC</td>
             <td>
                 <form method="post">
                     <button type="submit"
@@ -344,7 +152,7 @@
                 </form>
             </td>
         </tr>
-    }*@
+    }
     </tbody>
 </table>
 
@@ -354,13 +162,9 @@
         <input asp-for="CreateSecretInput.Description" class="form-control col-md-3" placeholder="Description">
         <label asp-for="CreateSecretInput.Value" class="col-form-label col-md-1"></label>
         <input asp-for="CreateSecretInput.Value" class="form-control col-md-3" placeholder="Value">
-        <label asp-for="CreateSecretInput.Type" class="col-form-label col-md-1"></label>
-        <input asp-for="CreateSecretInput.Type" class="form-control col-md-2">
-        @*<button type="submit" asp-route-id="@Model.DbClient.Id" asp-page-handler="CreateSecret" class="btn btn-primary col-md-1">Create</button>*@
+        <button type="submit" asp-route-id="@Model.App?.Id" asp-page-handler="CreateSecret" class="btn btn-primary col-md-1">Create</button>
     </div>
 </form>
 
 <h5 class="mt-5">Actions</h5>
-@*
-<a asp-page="./ConfirmDelete" asp-route-id="@Model.DbClient.Id" class="btn btn-danger">Delete</a>
-*@
+<a asp-page="./ConfirmDelete" asp-route-id="@Model.App?.Id" class="btn btn-danger">Delete</a>
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
index 25f79a5..e4ddd2b 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
@@ -1,7 +1,19 @@
-using System.ComponentModel.DataAnnotations;
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
+using SS14.Web.Models.Types;
+using SS14.Web.OpenId;
+using SS14.Web.OpenId.Extensions;
+using SS14.Web.OpenId.Services;
+using static OpenIddict.Abstractions.OpenIddictConstants.ConsentTypes;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
@@ -9,11 +21,11 @@ namespace SS14.Web.Areas.Admin.Pages.Clients;
 
 public class Client : PageModel
 {
-    private readonly ApplicationDbContext _dbContext;
+    private readonly SpaceApplicationManager _appManager;
 
-    public Client(ApplicationDbContext dbContext)
+    public Client(SpaceApplicationManager appManager)
     {
-        _dbContext = dbContext;
+        _appManager = appManager;
     }
 
     [BindProperty] public InputModel Input { get; set; }
@@ -21,248 +33,159 @@ public Client(ApplicationDbContext dbContext)
 
     [TempData] public string StatusMessage { get; set; }
 
-    //public DbClient DbClient { get; set; }
+    public SpaceApplication? App { get; set; }
 
-    //public string Title => DbClient.ClientName ?? DbClient.ClientId;
-
-    //public IEnumerable<ClientSecret> Secrets { get; set; }
+    public string? Title => App?.DisplayName ?? App?.ClientId;
+    public IEnumerable<ClientSecretInfo> Secrets { get; set; }
 
     public sealed class CreateSecretModel
     {
         [Display(Name = "Desc")]
-        public string Description { get; set; }
-        public string Value { get; set; }
-        public string Type { get; set; } = "SharedSecret";
+        public string? Description { get; set; }
+
+        public string? Value { get; set; }
     }
 
+    public string[] ConsentTypes = [Implicit, Explicit, Systematic];
+
     // That's a lotta options.
     public sealed class InputModel
     {
         public bool Enabled { get; set; }
-        public string ClientId { get; set; }
-        public string ClientName { get; set; }
-        public string ProtocolType { get; set; }
-        public bool RequireClientSecret { get; set; }
-        public bool RequireConsent { get; set; }
-        public bool AllowRememberConsent { get; set; }
-        public bool AlwaysIncludeUserClaimsInIdToken { get; set; }
+        [Display(Name = "Client Id")]
+        public string? ClientId { get; set; }
+        [Display(Name = "Client Name")]
+        public string? ClientName { get; set; }
+
+        // Explicit remembers the consent and Systematic forces a consent check every time
+        [Required]
+        [Display(Name = "Consent Type")]
+        [AllowedValues(Explicit, Implicit, Systematic)]
+        public string ConsentType { get; set; } = null!;
+        [Display(Name = "Require Pkce")]
         public bool RequirePkce { get; set; }
         public bool AllowPlainTextPkce { get; set; }
-        public bool RequireRequestObject { get; set; }
-        public string Description { get; set; }
-        public string ClientUri { get; set; }
-        public string LogoUri { get; set; }
-        public bool AllowAccessTokensViaBrowser { get; set; }
-        public string FrontChannelLogoutUri { get; set; }
-        public bool FrontChannelLogoutSessionRequired { get; set; }
-        public string BackChannelLogoutUri { get; set; }
-        public bool BackChannelLogoutSessionRequired { get; set; }
+        [Display(Name = "Home Page")]
+        public string? ClientUri { get; set; }
+        [Display(Name = "Logo Uri")]
+        public string? LogoUri { get; set; }
+        [Display(Name = "Allow Offline Access")]
         public bool AllowOfflineAccess { get; set; }
+        [Display(Name = "Identity Token Lifetime")]
         public int IdentityTokenLifetime { get; set; }
-        public string AllowedIdentityTokenSigningAlgorithms { get; set; }
+        [Display(Name = "Allowed ID Token Signing Alg.")]
+        public string? AllowedIdentityTokenSigningAlgorithms { get; set; }
+        [Display(Name = "Access Token Lifetime")]
         public int AccessTokenLifetime { get; set; }
-        public int AuthorizationCodeLifetime { get; set; }
-        public int? ConsentLifetime { get; set; } = null;
-        public int AbsoluteRefreshTokenLifetime { get; set; }
-        public int SlidingRefreshTokenLifetime { get; set; }
-        public int RefreshTokenUsage { get; set; }
-        public bool UpdateAccessTokenClaimsOnRefresh { get; set; }
-        public int RefreshTokenExpiration { get; set; }
-        public int AccessTokenType { get; set; }
-        public bool EnableLocalLogin { get; set; }
-        public bool IncludeJwtId { get; set; }
-        public bool AlwaysSendClientClaims { get; set; }
-        public string ClientClaimsPrefix { get; set; }
-        public string PairWiseSubjectSalt { get; set; }
-        public int? UserSsoLifetime { get; set; }
-        public string UserCodeType { get; set; }
-        public int DeviceCodeLifetime { get; set; }
-
+        [Display(Name = "Refresh Token Lifetime")]
+        public int RefreshTokenLifetime { get; set; }
         [Display(Name = "Redirect URIs (one per line)")]
-        public string RedirectUris { get; set; }
+        public string? RedirectUris { get; set; }
 
         [Display(Name = "Allowed Scopes (one per line)")]
-        public string AllowedScopes { get; set; }
+        public string? AllowedScopes { get; set; }
 
         [Display(Name = "Allowed Grant Types (one per line)")]
-        public string AllowedGrantTypes { get; set; }
+        public string? AllowedGrantTypes { get; set; }
 
-        public string PostLogoutRedirectUris { get; set; }
-        public string IdentityProviderRestrictions { get; set; }
-        public string AllowedCorsOrigins { get; set; }
+        [Display(Name = "Post Logout Redirect Uris")]
+        public string? PostLogoutRedirectUris { get; set; }
     }
 
-    /*public async Task<IActionResult> OnGetAsync(int id)
+    public async Task<IActionResult> OnGetAsync(string id)
     {
-        DbClient = await _dbContext.Clients
-            .Include(c => c.RedirectUris)
-            .Include(c => c.AllowedScopes)
-            .Include(c => c.ClientSecrets)
-            .Include(c => c.IdentityProviderRestrictions)
-            .Include(c => c.PostLogoutRedirectUris)
-            .Include(c => c.AllowedCorsOrigins)
-            .Include(c => c.AllowedGrantTypes)
-            .SingleOrDefaultAsync(c => c.Id == id);
-
-        if (DbClient == null)
-        {
+        App = await _appManager.FindByIdAsync(id);
+        if (App == null)
             return NotFound("Client not found");
-        }
+
+        var requirements = await _appManager.GetRequirementsAsync(App);
+        var settings = await _appManager.GetSettingsAsync(App);
+        var permissions = await _appManager.GetPermissionsAsync(App);
+        var redirectUris = await _appManager.GetRedirectUrisAsync(App);
+
+        var grantTypes = permissions
+            .Where(x => x.StartsWith(OpenIddictConstants.Permissions.Prefixes.GrantType))
+            .Select(x => x[OpenIddictConstants.Permissions.Prefixes.GrantType.Length..]);
+
+        var scopes = permissions
+            .Where(x => x.StartsWith(OpenIddictConstants.Permissions.Prefixes.Scope))
+            .Select(x => x[OpenIddictConstants.Permissions.Prefixes.Scope.Length..]);
 
         Input = new InputModel
         {
-            Enabled = DbClient.Enabled,
-            ClientId = DbClient.ClientId,
-            ClientName = DbClient.ClientName,
-            ProtocolType = DbClient.ProtocolType,
-            RequireClientSecret = DbClient.RequireClientSecret,
-            RequireConsent = DbClient.RequireConsent,
-            AllowRememberConsent = DbClient.AllowRememberConsent,
-            AlwaysIncludeUserClaimsInIdToken = DbClient.AlwaysIncludeUserClaimsInIdToken,
-            RequirePkce = DbClient.RequirePkce,
-            AllowPlainTextPkce = DbClient.AllowPlainTextPkce,
-            RequireRequestObject = DbClient.RequireRequestObject,
-            Description = DbClient.Description,
-            ClientUri = DbClient.ClientUri,
-            LogoUri = DbClient.LogoUri,
-            AllowAccessTokensViaBrowser = DbClient.AllowAccessTokensViaBrowser,
-            FrontChannelLogoutUri = DbClient.FrontChannelLogoutUri,
-            FrontChannelLogoutSessionRequired = DbClient.FrontChannelLogoutSessionRequired,
-            BackChannelLogoutUri = DbClient.BackChannelLogoutUri,
-            BackChannelLogoutSessionRequired = DbClient.BackChannelLogoutSessionRequired,
-            AllowOfflineAccess = DbClient.AllowOfflineAccess,
-            IdentityTokenLifetime = DbClient.IdentityTokenLifetime,
-            AllowedIdentityTokenSigningAlgorithms = DbClient.AllowedIdentityTokenSigningAlgorithms,
-            AccessTokenLifetime = DbClient.AccessTokenLifetime,
-            AuthorizationCodeLifetime = DbClient.AuthorizationCodeLifetime,
-            ConsentLifetime = DbClient.ConsentLifetime,
-            AbsoluteRefreshTokenLifetime = DbClient.AbsoluteRefreshTokenLifetime,
-            SlidingRefreshTokenLifetime = DbClient.SlidingRefreshTokenLifetime,
-            RefreshTokenUsage = DbClient.RefreshTokenUsage,
-            UpdateAccessTokenClaimsOnRefresh = DbClient.UpdateAccessTokenClaimsOnRefresh,
-            RefreshTokenExpiration = DbClient.RefreshTokenExpiration,
-            AccessTokenType = DbClient.AccessTokenType,
-            EnableLocalLogin = DbClient.EnableLocalLogin,
-            IncludeJwtId = DbClient.IncludeJwtId,
-            AlwaysSendClientClaims = DbClient.AlwaysSendClientClaims,
-            ClientClaimsPrefix = DbClient.ClientClaimsPrefix,
-            PairWiseSubjectSalt = DbClient.PairWiseSubjectSalt,
-            UserSsoLifetime = DbClient.UserSsoLifetime,
-            UserCodeType = DbClient.UserCodeType,
-            DeviceCodeLifetime = DbClient.DeviceCodeLifetime,
-            RedirectUris = string.Join("\n", DbClient.RedirectUris.Select(c => c.RedirectUri)),
-            AllowedGrantTypes = string.Join("\n", DbClient.AllowedGrantTypes.Select(c => c.GrantType)),
-            AllowedScopes = string.Join("\n", DbClient.AllowedScopes.Select(c => c.Scope)),
-            IdentityProviderRestrictions =
-                string.Join("\n", DbClient.IdentityProviderRestrictions.Select(c => c.Provider)),
-            PostLogoutRedirectUris =
-                string.Join("\n", DbClient.PostLogoutRedirectUris.Select(c => c.PostLogoutRedirectUri)),
-            AllowedCorsOrigins = string.Join("\n", DbClient.AllowedCorsOrigins.Select(c => c.Origin)),
+            Enabled = !await  _appManager.IsDisabled(App),
+            ClientId = App.ClientId,
+            ClientName = App.DisplayName,
+            ConsentType = App.ConsentType ?? Explicit,
+            RequirePkce = requirements.Contains(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange),
+            AllowPlainTextPkce = await _appManager.GetAllowPlainPkceSetting(App),
+            ClientUri = App.WebsiteUrl,
+            LogoUri = App.LogoUri,
+            AllowOfflineAccess = permissions.Contains(OpenIddictConstants.Permissions.GrantTypes.RefreshToken),
+            AllowedIdentityTokenSigningAlgorithms = settings.GetValueOrDefault(OpenIdConstants.SigningAlgorithmSetting),
+            IdentityTokenLifetime = await _appManager.GetIdentityTokenLifetime(App),
+            AccessTokenLifetime = await _appManager.GetAccessTokenLifetime(App),
+            RefreshTokenLifetime = await _appManager.GetRefreshTokenLifetime(App),
+            RedirectUris = string.Join("\n", redirectUris),
+            AllowedGrantTypes = string.Join("\n", grantTypes),
+            AllowedScopes = string.Join("\n", scopes),
+            PostLogoutRedirectUris = App.PostLogoutRedirectUris,
         };
 
         CreateSecretInput = new CreateSecretModel();
 
-        Secrets = DbClient.ClientSecrets;
+        Secrets = _appManager.ListSecrets(App);
 
         return Page();
     }
 
-    public async Task<IActionResult> OnPostSaveAsync(int id)
+    public async Task<IActionResult> OnPostSaveAsync(string id)
     {
-        DbClient = await _dbContext.Clients
-            .Include(c => c.RedirectUris)
-            .Include(c => c.AllowedScopes)
-            .Include(c => c.IdentityProviderRestrictions)
-            .Include(c => c.PostLogoutRedirectUris)
-            .Include(c => c.AllowedCorsOrigins)
-            .Include(c => c.AllowedGrantTypes)
-            .SingleOrDefaultAsync(c => c.Id == id);
+        var app = await _appManager.FindByIdAsync(id);
+        if (app == null)
+            return NotFound("Client not found");
 
-        if (DbClient == null)
+        var descriptor = new OpenIddictApplicationDescriptor();
+        await _appManager.PopulateAsync(descriptor, app);
+
+        descriptor.ClientId = Input.ClientId;
+        descriptor.DisplayName = Input.ClientName;
+        descriptor.ConsentType = Input.ConsentType;
+        descriptor.Settings[OpenIdConstants.DisabledSetting] = Input.Enabled ? "false"  : "true";
+        descriptor.Settings[OpenIdConstants.AllowPlainPkce] = Input.AllowPlainTextPkce ? "true" : "false";
+        descriptor.Settings[OpenIdConstants.SigningAlgorithmSetting] = Input.AllowedIdentityTokenSigningAlgorithms ?? string.Empty;
+
+        descriptor.Permissions.RemoveWhere(x => x.StartsWith(OpenIddictConstants.Permissions.Prefixes.GrantType));
+
+        foreach (var grantType in Input.AllowedGrantTypes?.Split("\n", StringSplitOptions.RemoveEmptyEntries) ?? [])
         {
-            return NotFound("Client not found");
+            descriptor.Permissions.Add(OpenIddictConstants.Permissions.Prefixes.GrantType+grantType.Trim());
         }
 
-        DbClient.Enabled = Input.Enabled;
-        DbClient.ClientId = Input.ClientId;
-        DbClient.ClientName = Input.ClientName;
-        DbClient.ProtocolType = Input.ProtocolType;
-        DbClient.RequireClientSecret = Input.RequireClientSecret;
-        DbClient.RequireConsent = Input.RequireConsent;
-        DbClient.AllowRememberConsent = Input.AllowRememberConsent;
-        DbClient.AlwaysIncludeUserClaimsInIdToken = Input.AlwaysIncludeUserClaimsInIdToken;
-        DbClient.RequirePkce = Input.RequirePkce;
-        DbClient.AllowPlainTextPkce = Input.AllowPlainTextPkce;
-        DbClient.RequireRequestObject = Input.RequireRequestObject;
-        DbClient.Description = Input.Description;
-        DbClient.ClientUri = Input.ClientUri;
-        DbClient.LogoUri = Input.LogoUri;
-        DbClient.AllowAccessTokensViaBrowser = Input.AllowAccessTokensViaBrowser;
-        DbClient.FrontChannelLogoutUri = Input.FrontChannelLogoutUri;
-        DbClient.FrontChannelLogoutSessionRequired = Input.FrontChannelLogoutSessionRequired;
-        DbClient.BackChannelLogoutUri = Input.BackChannelLogoutUri;
-        DbClient.BackChannelLogoutSessionRequired = Input.BackChannelLogoutSessionRequired;
-        DbClient.AllowOfflineAccess = Input.AllowOfflineAccess;
-        DbClient.IdentityTokenLifetime = Input.IdentityTokenLifetime;
-        DbClient.AllowedIdentityTokenSigningAlgorithms = Input.AllowedIdentityTokenSigningAlgorithms;
-        DbClient.AccessTokenLifetime = Input.AccessTokenLifetime;
-        DbClient.AuthorizationCodeLifetime = Input.AuthorizationCodeLifetime;
-        DbClient.ConsentLifetime = Input.ConsentLifetime;
-        DbClient.AbsoluteRefreshTokenLifetime = Input.AbsoluteRefreshTokenLifetime;
-        DbClient.SlidingRefreshTokenLifetime = Input.SlidingRefreshTokenLifetime;
-        DbClient.RefreshTokenUsage = Input.RefreshTokenUsage;
-        DbClient.UpdateAccessTokenClaimsOnRefresh = Input.UpdateAccessTokenClaimsOnRefresh;
-        DbClient.RefreshTokenExpiration = Input.RefreshTokenExpiration;
-        DbClient.AccessTokenType = Input.AccessTokenType;
-        DbClient.EnableLocalLogin = Input.EnableLocalLogin;
-        DbClient.IncludeJwtId = Input.IncludeJwtId;
-        DbClient.AlwaysSendClientClaims = Input.AlwaysSendClientClaims;
-        DbClient.ClientClaimsPrefix = Input.ClientClaimsPrefix;
-        DbClient.PairWiseSubjectSalt = Input.PairWiseSubjectSalt;
-        DbClient.UserSsoLifetime = Input.UserSsoLifetime;
-        DbClient.UserCodeType = Input.UserCodeType;
-        DbClient.DeviceCodeLifetime = Input.DeviceCodeLifetime;
-        DbClient.RedirectUris = (Input.RedirectUris ?? "")
-            .Replace("\r", "")
-            .Split("\n", StringSplitOptions.RemoveEmptyEntries)
-            .Select(c => new ClientRedirectUri {RedirectUri = c})
-            .ToList();
-        DbClient.AllowedScopes = (Input.AllowedScopes ?? "")
-            .Replace("\r", "")
-            .Split("\n", StringSplitOptions.RemoveEmptyEntries)
-            .Select(c => new ClientScope {Scope = c})
-            .ToList();
-        DbClient.AllowedGrantTypes = (Input.AllowedGrantTypes ?? "")
-            .Replace("\r", "")
-            .Split("\n", StringSplitOptions.RemoveEmptyEntries)
-            .Select(c => new ClientGrantType {GrantType = c})
-            .ToList();
-        DbClient.IdentityProviderRestrictions = (Input.IdentityProviderRestrictions ?? "")
-            .Replace("\r", "")
-            .Split("\n", StringSplitOptions.RemoveEmptyEntries)
-            .Select(c => new ClientIdPRestriction {Provider = c})
-            .ToList();
-        DbClient.PostLogoutRedirectUris = (Input.PostLogoutRedirectUris ?? "")
-            .Replace("\r", "")
-            .Split("\n", StringSplitOptions.RemoveEmptyEntries)
-            .Select(c => new ClientPostLogoutRedirectUri {PostLogoutRedirectUri = c})
-            .ToList();
-        DbClient.AllowedCorsOrigins = (Input.AllowedCorsOrigins ?? "")
-            .Replace("\r", "")
-            .Split("\n", StringSplitOptions.RemoveEmptyEntries)
-            .Select(c => new ClientCorsOrigin {Origin = c})
-            .ToList();
+        descriptor.Permissions.RemoveWhere(x => x.StartsWith(OpenIddictConstants.Permissions.Prefixes.Scope));
 
-        await _dbContext.SaveChangesAsync();
+        foreach (var scope in Input.AllowedScopes?.Split("\n", StringSplitOptions.RemoveEmptyEntries) ?? [])
+        {
+            descriptor.Permissions.Add(OpenIddictConstants.Permissions.Prefixes.Scope+scope.Trim());
+        }
 
-        StatusMessage = "Changes saved";
+        if (Input.RequirePkce)
+            descriptor.Requirements.Add(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
+        else
+            descriptor.Requirements.Remove(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
 
+        if (Input.AllowOfflineAccess)
+            descriptor.Permissions.Add(OpenIddictConstants.Permissions.GrantTypes.RefreshToken);
+        else
+            descriptor.Permissions.Remove(OpenIddictConstants.Permissions.GrantTypes.RefreshToken);
+
+        await _appManager.UpdateAsync(app, descriptor);
         return RedirectToPage(new {id});
     }
 
     public async Task<IActionResult> OnPostCreateSecretAsync(int id)
     {
-        DbClient = await _dbContext.Clients
+        /*DbClient = await _dbContext.Clients
             .Include(c => c.RedirectUris)
             .SingleOrDefaultAsync(c => c.Id == id);
 
@@ -294,12 +217,13 @@ public async Task<IActionResult> OnPostCreateSecretAsync(int id)
 
         StatusMessage = $"Secret created. Value: {value}";
 
-        return RedirectToPage(new {id});
+        return RedirectToPage(new {id});*/
+        return NotFound();
     }
 
     public async Task<IActionResult> OnPostDeleteSecretAsync(int secret)
     {
-        var dbSecret = await _dbContext.ClientSecrets
+        /*var dbSecret = await _dbContext.ClientSecrets
             .SingleOrDefaultAsync(c => c.Id == secret);
 
         if (dbSecret == null)
@@ -313,6 +237,7 @@ public async Task<IActionResult> OnPostDeleteSecretAsync(int secret)
 
         StatusMessage = "Secret deleted.";
 
-        return RedirectToPage(new {id = dbSecret.ClientId});
-    }*/
+        return RedirectToPage(new {id = dbSecret.ClientId});*/
+        return NotFound();
+    }
 }
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
index 15633be..b19bd49 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/ConfirmDelete.cshtml.cs
@@ -18,7 +18,7 @@ public ConfirmDelete(SpaceApplicationManager applicationManager)
     }
 
     public SpaceApplication? App { get; set; }
-    public string Title => App?.DisplayName ?? App?.ClientId ?? string.Empty;
+    public string? Title => App?.DisplayName ?? App?.ClientId;
 
     public async Task<IActionResult> OnGetAsync(string id)
     {
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
index 94e58d9..4467b1f 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml
@@ -2,7 +2,6 @@
 @model SS14.Web.Areas.Admin.Pages.Clients.Index
 
 @{
-    // TODO: Replace identityserver4 code in this file
     ViewData["Title"] = "OAuth Clients";
 }
 <nav aria-label="breadcrumb">
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
index 335474a..11ea645 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
@@ -1,15 +1,14 @@
 #nullable enable
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
-using JetBrains.Annotations;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
 using SS14.Web.Extensions;
+using SS14.Web.OpenId;
 using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
@@ -43,6 +42,7 @@ public async Task<IActionResult> OnPostNewClientAsync()
             ConsentType = OpenIddictConstants.ConsentTypes.Explicit,
             DisplayName = "New Client",
             Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
+            Settings = {{OpenIdConstants.AllowPlainPkce, "true"}},
             Permissions =
             {
                 OpenIddictConstants.Permissions.Endpoints.Authorization,
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
index 8d03920..542046e 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
@@ -10,6 +10,7 @@
 using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
 using SS14.Web.Models;
+using SS14.Web.OpenId;
 using SS14.Web.OpenId.Services;
 
 namespace SS14.Web.Areas.Identity.Pages.Account.Manage.OAuthApps;
@@ -66,6 +67,7 @@ public async Task<IActionResult> OnPostAsync()
             DisplayName = Input.Name,
             RedirectUris = { new Uri(Input.CallbackUrl) },
             Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
+            Settings = {{OpenIdConstants.AllowPlainPkce, "true"}},
             Permissions =
             {
                 OpenIddictConstants.Permissions.Endpoints.Authorization,
diff --git a/SS14.Web/OpenId/EventHandlers/AuthorizationPkceVerificationHandler.cs b/SS14.Web/OpenId/EventHandlers/AuthorizationPkceVerificationHandler.cs
new file mode 100644
index 0000000..3f2f601
--- /dev/null
+++ b/SS14.Web/OpenId/EventHandlers/AuthorizationPkceVerificationHandler.cs
@@ -0,0 +1,38 @@
+#nullable enable
+using System.Threading.Tasks;
+using OpenIddict.Abstractions;
+using OpenIddict.Server;
+using SS14.Web.OpenId.Extensions;
+using SS14.Web.OpenId.Services;
+
+namespace SS14.Web.OpenId.EventHandlers;
+
+public sealed class AuthorizationPkceVerificationHandler : IOpenIddictServerHandler<OpenIddictServerEvents.ValidateAuthorizationRequestContext>
+{
+    private readonly SpaceApplicationManager _applicationManager;
+
+    public AuthorizationPkceVerificationHandler(SpaceApplicationManager applicationManager)
+    {
+        _applicationManager = applicationManager;
+    }
+
+    public static OpenIddictServerHandlerDescriptor Descriptor { get; } =
+        OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ValidateAuthorizationRequestContext>()
+            .UseScopedHandler<AuthorizationPkceVerificationHandler>()
+            .SetOrder(int.MaxValue - 500)
+            .Build();
+
+    public async ValueTask HandleAsync(OpenIddictServerEvents.ValidateAuthorizationRequestContext context)
+    {
+        var app = await _applicationManager.FindByClientIdAsync(context.Request.ClientId!);
+        if (app is null)
+            return;
+
+        var method = context.Request.CodeChallengeMethod;
+        if (await _applicationManager.GetAllowPlainPkceSetting(app))
+            return;
+
+        if (method is OpenIddictConstants.CodeChallengeMethods.Plain)
+            context.Reject(error: OpenIddictConstants.Errors.InvalidRequest, description: "Plain PKCE not allowed.");
+    }
+}
diff --git a/SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs b/SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs
index 98fc3ff..9262b9d 100644
--- a/SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs
+++ b/SS14.Web/OpenId/EventHandlers/TokenSigningHandler.cs
@@ -46,6 +46,8 @@ public async ValueTask HandleAsync(GenerateTokenContext context)
             ? encryptionAlg
             : _config.DefaultEncryptionAlgorithm;
 
+        encryptionAlgorithm = string.IsNullOrEmpty(encryptionAlgorithm) ? _config.DefaultEncryptionAlgorithm : encryptionAlgorithm; ;
+
         if (encryptionAlgorithm is not null)
         {
             foreach (var credential in context.Options.EncryptionCredentials)
@@ -62,6 +64,8 @@ public async ValueTask HandleAsync(GenerateTokenContext context)
             ? signingAlg
             : _config.DefaultSigningAlgorithm;
 
+        signingAlgorithm = string.IsNullOrEmpty(signingAlgorithm) ? _config.DefaultSigningAlgorithm : signingAlgorithm;
+
         if (signingAlgorithm is not null)
         {
             foreach (var credential in context.Options.SigningCredentials)
diff --git a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
index 1d9a313..79043c9 100644
--- a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
+++ b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
@@ -32,10 +32,32 @@ public static async ValueTask<bool> GetRequiresPkce(
     public static async ValueTask<bool> GetPs256Setting(
         this OpenIddictApplicationManager<SpaceApplication> manager,
         SpaceApplication app)
+    {
+        return await manager.CheckSetting(app, OpenIdConstants.SigningAlgorithmSetting, OpenIddictConstants.Algorithms.RsaSsaPssSha256);
+    }
+
+    public static async ValueTask<bool> GetAllowPlainPkceSetting(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        return await manager.CheckSetting(app, OpenIdConstants.AllowPlainPkce, "true");
+    }
+
+    public static async ValueTask<bool> IsDisabled(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        return await manager.CheckSetting(app, OpenIdConstants.DisabledSetting, "true");
+    }
+
+    public static async ValueTask<bool> CheckSetting(this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app,
+        string setting,
+        string comparand)
     {
         var settings = await manager.GetSettingsAsync(app);
-        return settings.TryGetValue(OpenIdConstants.SigningAlgorithmSetting, out var value)
-               && value.Equals(OpenIddictConstants.Algorithms.RsaSsaPssSha256);
+        return settings.TryGetValue(setting, out var value)
+               && value.Equals(comparand);
     }
 
     public static async ValueTask<List<SpaceApplication>> FindApplicationsByUserId(this OpenIddictApplicationManager<SpaceApplication> manager, Guid userId, CancellationToken cancel = default)
@@ -43,4 +65,33 @@ public static async ValueTask<List<SpaceApplication>> FindApplicationsByUserId(t
         return await manager.ListAsync(x => x.Where(a => a.SpaceUserId == userId)
             , cancel).ToListAsync(ct: cancel);
     }
+
+    public static async ValueTask<int> GetAccessTokenLifetime(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        return await GetLifetime(manager, app, OpenIddictConstants.Settings.TokenLifetimes.AccessToken);
+    }
+
+    public static async ValueTask<int> GetIdentityTokenLifetime(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        return await GetLifetime(manager, app, OpenIddictConstants.Settings.TokenLifetimes.IdentityToken);
+    }
+
+    public static async ValueTask<int> GetRefreshTokenLifetime(
+        this OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app)
+    {
+        return await GetLifetime(manager, app, OpenIddictConstants.Settings.TokenLifetimes.RefreshToken);
+    }
+
+    private static async ValueTask<int> GetLifetime(OpenIddictApplicationManager<SpaceApplication> manager,
+        SpaceApplication app,
+        string settingName)
+    {
+        var settings = await manager.GetSettingsAsync(app);
+        return int.Parse(settings.GetValueOrDefault(settingName, "0"));
+    }
 }
diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index fb09f85..ba2dca1 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -49,6 +49,9 @@ public static void UseOpenIdConnect(this WebApplication app)
 
     private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicationBuilder builder)
     {
+        builder.Services.Add(AuthorizationPkceVerificationHandler.Descriptor.ServiceDescriptor);
+        openId.AddServer().AddEventHandler(AuthorizationPkceVerificationHandler.Descriptor);
+
         builder.Services.Add(TokenSigningHandler.Descriptor.ServiceDescriptor);
         openId.AddServer().AddEventHandler(TokenSigningHandler.Descriptor);
 
diff --git a/SS14.Web/OpenId/OpenIdConstants.cs b/SS14.Web/OpenId/OpenIdConstants.cs
index 235b6e0..d0f96bc 100644
--- a/SS14.Web/OpenId/OpenIdConstants.cs
+++ b/SS14.Web/OpenId/OpenIdConstants.cs
@@ -1,7 +1,12 @@
-namespace SS14.Web.OpenId;
+using System.Collections.Generic;
+using OpenIddict.Abstractions;
+
+namespace SS14.Web.OpenId;
 
 public static class OpenIdConstants
 {
     public const string EncryptionAlgorithmSetting = "space:EncryptionAlgorithm";
     public const string SigningAlgorithmSetting = "space:SigningAlgorithm";
+    public const string DisabledSetting = "space:Disabled";
+    public const string AllowPlainPkce = "space:AllowPlainPkce";
 }
diff --git a/SS14.Web/OpenId/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
index 2de2fa0..bf04581 100644
--- a/SS14.Web/OpenId/TestDataSeeder.cs
+++ b/SS14.Web/OpenId/TestDataSeeder.cs
@@ -37,7 +37,11 @@ private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationTo
             DisplayName = "Test Client",
             RedirectUris = { new Uri("https://localhost:5002/signin-oidc") },
             Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
-            Settings = {{OpenIdConstants.SigningAlgorithmSetting, "RS256"}},
+            Settings =
+            {
+                {OpenIdConstants.SigningAlgorithmSetting, "RS256"},
+                {OpenIdConstants.AllowPlainPkce, "true"},
+            },
             Permissions =
             {
                 OpenIddictConstants.Permissions.Endpoints.Authorization,

From 4710fd5dfc91df0260daa99c44b308265661ef6d Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sat, 30 Aug 2025 12:31:10 +0200
Subject: [PATCH 29/43] Re-Implement oauth client admin edit page

---
 .../Areas/Admin/Pages/Clients/Client.cshtml   |  5 +-
 .../Admin/Pages/Clients/Client.cshtml.cs      | 89 +++++++++----------
 .../Identity/Pages/Account/Register.cshtml.cs |  3 +-
 .../Services/SpaceApplicationManager.cs       | 24 ++---
 4 files changed, 54 insertions(+), 67 deletions(-)

diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
index 3172c07..98ebcc9 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml
@@ -1,9 +1,6 @@
 @page
 @model SS14.Web.Areas.Admin.Pages.Clients.Client
-@* Oh god this file is going to be horrible to refactor for openiddict *@
 @{
-    // TODO: Replace identityserver4 code in this file
-
     ViewData["Title"] = $"OAuth Client: {Model.Title}";
 }
 
@@ -147,7 +144,7 @@
             <td>
                 <form method="post">
                     <button type="submit"
-                            asp-page-handler="DeleteSecret" asp-route-secret="@secret.Id"
+                            asp-page-handler="DeleteSecret" asp-route-id="@Model.App?.Id" asp-route-secret="@secret.Id"
                             class="btn btn-danger">Delete</button>
                 </form>
             </td>
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
index e4ddd2b..7397e1d 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
@@ -17,8 +17,6 @@
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
-// TODO: Replace identityserver4 code in this file
-
 public class Client : PageModel
 {
     private readonly SpaceApplicationManager _appManager;
@@ -102,6 +100,7 @@ public async Task<IActionResult> OnGetAsync(string id)
         var settings = await _appManager.GetSettingsAsync(App);
         var permissions = await _appManager.GetPermissionsAsync(App);
         var redirectUris = await _appManager.GetRedirectUrisAsync(App);
+        var postLogoutRedirectUris = await _appManager.GetPostLogoutRedirectUrisAsync(App);
 
         var grantTypes = permissions
             .Where(x => x.StartsWith(OpenIddictConstants.Permissions.Prefixes.GrantType))
@@ -129,7 +128,7 @@ public async Task<IActionResult> OnGetAsync(string id)
             RedirectUris = string.Join("\n", redirectUris),
             AllowedGrantTypes = string.Join("\n", grantTypes),
             AllowedScopes = string.Join("\n", scopes),
-            PostLogoutRedirectUris = App.PostLogoutRedirectUris,
+            PostLogoutRedirectUris = string.Join("\n", postLogoutRedirectUris),
         };
 
         CreateSecretInput = new CreateSecretModel();
@@ -155,6 +154,10 @@ public async Task<IActionResult> OnPostSaveAsync(string id)
         descriptor.Settings[OpenIdConstants.AllowPlainPkce] = Input.AllowPlainTextPkce ? "true" : "false";
         descriptor.Settings[OpenIdConstants.SigningAlgorithmSetting] = Input.AllowedIdentityTokenSigningAlgorithms ?? string.Empty;
 
+        descriptor.Settings[OpenIddictConstants.Settings.TokenLifetimes.AccessToken] = Input.AccessTokenLifetime.ToString();
+        descriptor.Settings[OpenIddictConstants.Settings.TokenLifetimes.IdentityToken] = Input.IdentityTokenLifetime.ToString();
+        descriptor.Settings[OpenIddictConstants.Settings.TokenLifetimes.RefreshToken] = Input.RefreshTokenLifetime.ToString();
+
         descriptor.Permissions.RemoveWhere(x => x.StartsWith(OpenIddictConstants.Permissions.Prefixes.GrantType));
 
         foreach (var grantType in Input.AllowedGrantTypes?.Split("\n", StringSplitOptions.RemoveEmptyEntries) ?? [])
@@ -169,6 +172,18 @@ public async Task<IActionResult> OnPostSaveAsync(string id)
             descriptor.Permissions.Add(OpenIddictConstants.Permissions.Prefixes.Scope+scope.Trim());
         }
 
+        descriptor.RedirectUris.Clear();
+        foreach (var redirectUri in Input.RedirectUris?.Split("\n", StringSplitOptions.RemoveEmptyEntries) ?? [])
+        {
+            descriptor.RedirectUris.Add(new Uri(redirectUri.Trim()));
+        }
+
+        descriptor.PostLogoutRedirectUris.Clear();
+        foreach (var redirectUri in Input.PostLogoutRedirectUris?.Split("\n", StringSplitOptions.RemoveEmptyEntries) ?? [])
+        {
+            descriptor.PostLogoutRedirectUris.Add(new Uri(redirectUri.Trim()));
+        }
+
         if (Input.RequirePkce)
             descriptor.Requirements.Add(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
         else
@@ -179,65 +194,41 @@ public async Task<IActionResult> OnPostSaveAsync(string id)
         else
             descriptor.Permissions.Remove(OpenIddictConstants.Permissions.GrantTypes.RefreshToken);
 
+        app.WebsiteUrl = Input.ClientUri;
+        app.LogoUri = Input.LogoUri;
+
         await _appManager.UpdateAsync(app, descriptor);
         return RedirectToPage(new {id});
     }
 
-    public async Task<IActionResult> OnPostCreateSecretAsync(int id)
+    public async Task<IActionResult> OnPostCreateSecretAsync(string id)
     {
-        /*DbClient = await _dbContext.Clients
-            .Include(c => c.RedirectUris)
-            .SingleOrDefaultAsync(c => c.Id == id);
-
-        if (DbClient == null)
-        {
+        var app = await _appManager.FindByIdAsync(id);
+        if (app == null)
             return NotFound("Client not found");
-        }
-
-        var value = CreateSecretInput.Value;
-        if (string.IsNullOrWhiteSpace(value))
-        {
-            var bytes = new byte[24];
-            var rng = RandomNumberGenerator.Create();
-            rng.GetBytes(bytes);
-            value = Convert.ToBase64String(bytes);
-        }
-
-        var secret = new ClientSecret
-        {
-            Description = CreateSecretInput.Description,
-            Type = CreateSecretInput.Type,
-            Value = value.Sha256()
-        };
 
-        DbClient.ClientSecrets ??= new List<ClientSecret>();
-        DbClient.ClientSecrets.Add(secret);
+        var secret = CreateSecretInput.Value;
+        if (string.IsNullOrWhiteSpace(secret))
+            secret = Convert.ToBase64String(RandomNumberGenerator.GetBytes(36));
 
-        await _dbContext.SaveChangesAsync();
+        // Ensure an empty description is null.
+        var description = CreateSecretInput.Description;
+        if (string.IsNullOrWhiteSpace(description))
+            description = null;
 
-        StatusMessage = $"Secret created. Value: {value}";
-
-        return RedirectToPage(new {id});*/
-        return NotFound();
+        await _appManager.AddSecret(app, secret, description);
+        StatusMessage = $"Secret created. Value: {secret}";
+        return RedirectToPage(new {id});
     }
 
-    public async Task<IActionResult> OnPostDeleteSecretAsync(int secret)
+    public async Task<IActionResult> OnPostDeleteSecretAsync(string id, int secret)
     {
-        /*var dbSecret = await _dbContext.ClientSecrets
-            .SingleOrDefaultAsync(c => c.Id == secret);
-
-        if (dbSecret == null)
-        {
-            return NotFound("Secret not found");
-        }
-
-        _dbContext.ClientSecrets.Remove(dbSecret);
-
-        await _dbContext.SaveChangesAsync();
+        var app = await _appManager.FindByIdAsync(id);
+        if (app == null)
+            return NotFound("Client not found");
 
+        await _appManager.RemoveSecret(app, secret);
         StatusMessage = "Secret deleted.";
-
-        return RedirectToPage(new {id = dbSecret.ClientId});*/
-        return NotFound();
+        return RedirectToPage(new {id});
     }
 }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
index 800be51..bea965d 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Register.cshtml.cs
@@ -46,9 +46,8 @@ public RegisterModel(
 
     [BindProperty] public InputModel Input { get; set; }
 
-    // TODO: Remove nullable when done developing
     [BindProperty(Name = "h-captcha-response")]
-    public string? HCaptchaResponse { get; set; }
+    public string HCaptchaResponse { get; set; }
 
     public string ReturnUrl { get; set; }
 
diff --git a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
index bdeed91..ebd8df6 100644
--- a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
+++ b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
@@ -44,10 +44,10 @@ public List<ClientSecretInfo> ListSecrets(SpaceApplication app, CancellationToke
         return result;
     }
 
-    public async ValueTask<ClientSecretInfo> AddSecret(SpaceApplication app, string secret, CancellationToken ct = default)
+    public async ValueTask<ClientSecretInfo> AddSecret(SpaceApplication app, string secret, string? desc = null, CancellationToken ct = default)
     {
         var key = await base.ObfuscateClientSecretAsync(secret, ct);
-        var (secretsString, info) = Functions.AddSecret(app.ClientSecret, key, secret[^6..]);
+        var (secretsString, info) = Functions.AddSecret(app.ClientSecret, key, desc ?? secret[^6..]);
         await Store.SetClientSecretAsync(app, secretsString, ct);
         await base.UpdateAsync(app, ct);
         return info;
@@ -106,22 +106,13 @@ protected override async ValueTask<bool> ValidateClientSecretAsync(string secret
             if (!legacy && await base.ValidateClientSecretAsync(value, comparand, ct))
                 return true;
 
-            if (legacy && ValidateLegacySecret(value, comparand))
+            if (legacy && Functions.ValidateLegacySecret(value, comparand))
                 return true;
         }
 
         return false;
     }
 
-    // TODO: Write a unit test for this.
-    private bool ValidateLegacySecret(string secret, string comparand)
-    {
-        var bytes = Encoding.UTF8.GetBytes(secret);
-        var hash = SHA256.HashData(bytes);
-        var comparandValue = Convert.FromBase64String(comparand.Remove(0, LegacySecretPrefix.Length));
-        return CryptographicOperations.FixedTimeEquals(hash, comparandValue);
-    }
-
     public static class Functions
     {
         // MoveNext() needs to have been called for parts once already. This is to allow checking the client secret id
@@ -225,5 +216,14 @@ public static (string, ClientSecretInfo) AddSecret(string? secrets, string obfus
 
             return secrets;
         }
+        
+        // TODO: Write a unit test for this.
+        public static bool ValidateLegacySecret(string secret, string comparand)
+        {
+            var bytes = Encoding.UTF8.GetBytes(secret);
+            var hash = SHA256.HashData(bytes);
+            var comparandValue = Convert.FromBase64String(comparand.Remove(0, LegacySecretPrefix.Length));
+            return CryptographicOperations.FixedTimeEquals(hash, comparandValue);
+        }
     }
 }

From cefe3990326b0e83ae77182934fd45aa224234d1 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sat, 30 Aug 2025 19:00:35 +0200
Subject: [PATCH 30/43] Add quartz for openiddict pruning Implement legacy
 token handling test

---
 SS14.Web.Tests/TestLegacySecretHandling.cs      | 17 +++++++++++++++++
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs   |  1 +
 .../OpenId/Services/SpaceApplicationManager.cs  | 13 ++++++-------
 SS14.Web/Program.cs                             | 10 ++++++++++
 SS14.Web/SS14.Web.csproj                        |  2 ++
 5 files changed, 36 insertions(+), 7 deletions(-)
 create mode 100644 SS14.Web.Tests/TestLegacySecretHandling.cs

diff --git a/SS14.Web.Tests/TestLegacySecretHandling.cs b/SS14.Web.Tests/TestLegacySecretHandling.cs
new file mode 100644
index 0000000..8b67952
--- /dev/null
+++ b/SS14.Web.Tests/TestLegacySecretHandling.cs
@@ -0,0 +1,17 @@
+using NUnit.Framework;
+using SS14.Web.OpenId.Services;
+
+namespace SS14.Web.Tests;
+
+public class TestLegacySecretHandling
+{
+    // Test Hash generated using the old version of SS14.Web:
+    private const string DummyHash = "nodXBUVT5CFsKk+1JJivokaRZIOS1jDsN5QD2+iLkGc=";
+
+    [TestCase( "2tXYv/rXpB91juHz13w2ib8zODPPmHQfXhCr5kuCLi8pKuTF", ExpectedResult = true)]
+    [TestCase( "2tXYv/rXpB91juHz13w2ib8zODPPmHQfXhCr5kuCLi8pKuTE", ExpectedResult = false)]
+    public bool TestValidation(string secret)
+    {
+        return SpaceApplicationManager.Functions.ValidateLegacySecret(secret, DummyHash);
+    }
+}
diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index ba2dca1..e201171 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -26,6 +26,7 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
                 .ReplaceDefaultEntities<SpaceApplication, DefaultAuthorization, DefaultScope, DefaultToken, string>();
 
             options.ReplaceApplicationManager<SpaceApplication, SpaceApplicationManager>();
+            options.UseQuartz();
         });
 
         openId.AddValidation().UseLocalServer();
diff --git a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
index ebd8df6..fba62f3 100644
--- a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
+++ b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
@@ -93,7 +93,7 @@ protected override async ValueTask<bool> ValidateClientSecretAsync(string secret
         string comparand,
         CancellationToken ct = new())
     {
-        var secrets = secret.Split(',');
+        var secrets = comparand.Split(',');
         foreach (var pair in secrets)
         {
             var value = pair.Split('.')[2];
@@ -101,12 +101,12 @@ protected override async ValueTask<bool> ValidateClientSecretAsync(string secret
 
             // ReSharper disable once ConvertIfStatementToSwitchStatement
             if (legacy)
-                value = value[5..];
+                value = value[LegacySecretPrefix.Length..];
 
-            if (!legacy && await base.ValidateClientSecretAsync(value, comparand, ct))
+            if (!legacy && await base.ValidateClientSecretAsync(value, secret, ct))
                 return true;
 
-            if (legacy && Functions.ValidateLegacySecret(value, comparand))
+            if (legacy && Functions.ValidateLegacySecret(value, secret))
                 return true;
         }
 
@@ -216,13 +216,12 @@ public static (string, ClientSecretInfo) AddSecret(string? secrets, string obfus
 
             return secrets;
         }
-        
-        // TODO: Write a unit test for this.
+
         public static bool ValidateLegacySecret(string secret, string comparand)
         {
             var bytes = Encoding.UTF8.GetBytes(secret);
             var hash = SHA256.HashData(bytes);
-            var comparandValue = Convert.FromBase64String(comparand.Remove(0, LegacySecretPrefix.Length));
+            var comparandValue = Convert.FromBase64String(comparand);
             return CryptographicOperations.FixedTimeEquals(hash, comparandValue);
         }
     }
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index 0b8801a..cac1657 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -8,6 +8,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Prometheus;
+using Quartz;
 using Serilog;
 using SS14.Auth.Shared;
 using SS14.Auth.Shared.Data;
@@ -86,6 +87,15 @@
 builder.Services.AddScoped<PersonalDataCollector>();
 builder.AddShared();
 
+// Required for openiddict pruning jobs
+builder.Services.AddQuartz(o =>
+{
+    o.UseSimpleTypeLoader();
+    o.UseInMemoryStore();
+});
+
+builder.Services.AddQuartzHostedService(o => o.WaitForJobsToComplete = true);
+
 builder.Services.Configure<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme,
     options =>
     {
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 1aa8c10..8229dba 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -15,8 +15,10 @@
         <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" Condition="'$(Configuration)' == 'Debug'" />
         <PackageReference Include="OpenIddict.AspNetCore" Version="7.0.0" />
         <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="7.0.0" />
+        <PackageReference Include="OpenIddict.Quartz" Version="7.0.0" />
         <PackageReference Include="prometheus-net" Version="8.2.1" />
         <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
+        <PackageReference Include="Quartz.Extensions.Hosting" Version="3.14.0" />
     </ItemGroup>
 
     <ItemGroup>

From 01309ddaf100503c737e205380bf9669bc5fb323 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sat, 30 Aug 2025 20:37:14 +0200
Subject: [PATCH 31/43] Work on IdentityServer4Migration

---
 .../20250812220730_SwitchToOpenIddict.cs      |   8 +-
 ...2_IdentityServer4DataMigration.Designer.cs | 921 ++++++++++++++++++
 ...0830182402_IdentityServer4DataMigration.cs |  22 +
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs |   4 +-
 .../OpenId/Services/IdentityClaimsProvider.cs |   9 +-
 5 files changed, 952 insertions(+), 12 deletions(-)
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs
 create mode 100644 SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs

diff --git a/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs b/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs
index 2df86b6..b4131f6 100644
--- a/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs
+++ b/SS14.Auth.Shared/Data/Migrations/20250812220730_SwitchToOpenIddict.cs
@@ -12,7 +12,7 @@ public partial class SwitchToOpenIddict : Migration
         /// <inheritdoc />
         protected override void Up(MigrationBuilder migrationBuilder)
         {
-            migrationBuilder.DropForeignKey(
+            /*migrationBuilder.DropForeignKey(
                 name: "FK_UserOAuthClients_Clients_ClientId",
                 table: "UserOAuthClients");
 
@@ -106,7 +106,7 @@ protected override void Up(MigrationBuilder migrationBuilder)
 
             migrationBuilder.DropTable(
                 name: "IdentityResources",
-                schema: "IS4");
+                schema: "IS4");*/
 
             migrationBuilder.CreateTable(
                 name: "OpenIddictApplications",
@@ -271,7 +271,7 @@ protected override void Down(MigrationBuilder migrationBuilder)
             migrationBuilder.DropTable(
                 name: "OpenIddictApplications");
 
-            migrationBuilder.EnsureSchema(
+            /*migrationBuilder.EnsureSchema(
                 name: "IS4");
 
             migrationBuilder.CreateTable(
@@ -992,7 +992,7 @@ protected override void Down(MigrationBuilder migrationBuilder)
                 principalSchema: "IS4",
                 principalTable: "Clients",
                 principalColumn: "Id",
-                onDelete: ReferentialAction.Cascade);
+                onDelete: ReferentialAction.Cascade);*/
         }
     }
 }
diff --git a/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs
new file mode 100644
index 0000000..2aa501d
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs
@@ -0,0 +1,921 @@
+// <auto-generated />
+using System;
+using System.Net;
+using System.Text.Json;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using SS14.Auth.Shared.Data;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20250830182402_IdentityServer4DataMigration")]
+    partial class IdentityServer4DataMigration
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetRoleClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClaimType")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClaimValue")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserClaims", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ProviderDisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("LoginProvider", "ProviderKey");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AspNetUserLogins", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RoleId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("UserId", "RoleId");
+
+                    b.HasIndex("RoleId");
+
+                    b.ToTable("AspNetUserRoles", (string)null);
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("LoginProvider")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("UserId", "LoginProvider", "Name");
+
+                    b.ToTable("AspNetUserTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<Guid?>("Actor")
+                        .HasColumnType("uuid");
+
+                    b.Property<IPAddress>("ActorAddress")
+                        .HasColumnType("inet");
+
+                    b.Property<JsonDocument>("Data")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("AccountLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.Property<long>("AuthHashId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("Hash")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<long?>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("AuthHashId");
+
+                    b.HasIndex("HwidId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Hash", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("AuthHashes");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("BurnerEmails");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<byte[]>("ClientData")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<int>("TypeCode")
+                        .HasColumnType("integer");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientData")
+                        .IsUnique();
+
+                    b.ToTable("Hwids");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("FirstSeen")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long>("HwidId")
+                        .HasColumnType("bigint");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("HwidId", "SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("HwidUsers");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.Property<long>("LoginSessionId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
+
+                    b.Property<DateTimeOffset>("Expires")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte[]>("Token")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("LoginSessionId");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("ActiveSessions");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scopes")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictAuthorizations", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Descriptions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Resources")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("OpenIddictScopes", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("AuthorizationId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Payload")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RedemptionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferenceId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("Status")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Subject")
+                        .HasMaxLength(400)
+                        .HasColumnType("character varying(400)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AuthorizationId");
+
+                    b.HasIndex("ReferenceId")
+                        .IsUnique();
+
+                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
+
+                    b.ToTable("OpenIddictTokens", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("ChangeTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("PastAccountNames");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Content")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset>("Time")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Trigger")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("PatreonWebhookLogs");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("CurrentTier")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PatreonId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("PatreonId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId")
+                        .IsUnique();
+
+                    b.ToTable("Patrons");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Property<string>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApplicationType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ClientId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("ClientSecret")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ClientType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConcurrencyToken")
+                        .IsConcurrencyToken()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("ConsentType")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("DisplayName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DisplayNames")
+                        .HasColumnType("text");
+
+                    b.Property<string>("JsonWebKeySet")
+                        .HasColumnType("text");
+
+                    b.Property<string>("LogoUri")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PostLogoutRedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Properties")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RedirectUris")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Requirements")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SpaceUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("WebsiteUrl")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ClientId")
+                        .IsUnique();
+
+                    b.HasIndex("SpaceUserId");
+
+                    b.ToTable("OpenIddictApplications", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedName")
+                        .IsUnique()
+                        .HasDatabaseName("RoleNameIndex");
+
+                    b.ToTable("AspNetRoles", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AdminLocked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AdminNotes")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ConcurrencyStamp")
+                        .IsConcurrencyToken()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("EmailConfirmed")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("LastUsernameChange")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("NormalizedEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NormalizedUserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SecurityStamp")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("TwoFactorEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("UserName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NormalizedEmail")
+                        .HasDatabaseName("EmailIndex");
+
+                    b.HasIndex("NormalizedUserName")
+                        .IsUnique()
+                        .HasDatabaseName("UserNameIndex");
+
+                    b.ToTable("AspNetUsers", (string)null);
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("Domain")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Domain")
+                        .IsUnique();
+
+                    b.ToTable("WhitelistEmails");
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
+                        .WithMany()
+                        .HasForeignKey("RoleId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AccountLogs")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany()
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("AuthHashes")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
+                        .WithMany("Users")
+                        .HasForeignKey("HwidId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Hwid");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("LoginSessions")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Authorizations")
+                        .HasForeignKey("ApplicationId");
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
+                        .WithMany("Tokens")
+                        .HasForeignKey("ApplicationId");
+
+                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
+                        .WithMany("Tokens")
+                        .HasForeignKey("AuthorizationId");
+
+                    b.Navigation("Application");
+
+                    b.Navigation("Authorization");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany("PastAccountNames")
+                        .HasForeignKey("SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithOne("Patron")
+                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
+                        .WithMany()
+                        .HasForeignKey("SpaceUserId");
+
+                    b.Navigation("SpaceUser");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
+                {
+                    b.Navigation("Users");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
+                {
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
+                {
+                    b.Navigation("Authorizations");
+
+                    b.Navigation("Tokens");
+                });
+
+            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
+                {
+                    b.Navigation("AccountLogs");
+
+                    b.Navigation("AuthHashes");
+
+                    b.Navigation("LoginSessions");
+
+                    b.Navigation("PastAccountNames");
+
+                    b.Navigation("Patron");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs b/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs
new file mode 100644
index 0000000..a3350a0
--- /dev/null
+++ b/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs
@@ -0,0 +1,22 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace SS14.Auth.Shared.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class IdentityServer4DataMigration : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+
+        }
+    }
+}
diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index e201171..de959ce 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -6,15 +6,13 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using SS14.Auth.Shared.Data;
-using SS14.Web.Data;
 using SS14.Web.OpenId.Configuration;
 using SS14.Web.OpenId.EventHandlers;
 using SS14.Web.OpenId.Services;
-using static OpenIddict.Abstractions.OpenIddictConstants;
 using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 namespace SS14.Web.OpenId.Extensions;
-// TODO: Add integration with quartz
+
 public static class OpenIdExtension
 {
     public static void AddOpenIdConnect(this WebApplicationBuilder builder)
diff --git a/SS14.Web/OpenId/Services/IdentityClaimsProvider.cs b/SS14.Web/OpenId/Services/IdentityClaimsProvider.cs
index 21b5914..fb64e66 100644
--- a/SS14.Web/OpenId/Services/IdentityClaimsProvider.cs
+++ b/SS14.Web/OpenId/Services/IdentityClaimsProvider.cs
@@ -51,12 +51,11 @@ public async Task ProvideClaimsAsync(string userId, ImmutableArray<string> scope
     }
 
     /// <summary>
-    /// TODO: Document
-    ///
+    /// Returns whether the claim gets supplied in the ID token, the Access token or just via the introspection endpoint
     /// </summary>
-    /// <param name="claim"></param>
-    /// <returns></returns>
-    public IEnumerable<string> GetDestinations(Claim claim)  => claim.Type switch
+    /// <param name="claim">The claim to return the destinations for</param>
+    /// <returns>A list of destinations for the claim</returns>
+    public IEnumerable<string> GetDestinations(Claim claim) => claim.Type switch
     {
         Claims.Name or Claims.PreferredUsername => DestinationHelper.Destination(claim, OpenIddictConstants.Scopes.Profile),
         Claims.Email => DestinationHelper.Destination(claim, OpenIddictConstants.Scopes.Email),

From 2e7440deda0d61d44f1f6780b2f625ab99964c0c Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 1 Sep 2025 20:29:09 +0200
Subject: [PATCH 32/43] Improve certificate configuration Fix token lifetime
 settings

---
 .gitignore                                    |  3 +-
 .../Admin/Pages/Clients/Client.cshtml.cs      | 18 ++++++--
 .../Account/Manage/OAuthApps/Manage.cshtml    |  2 +-
 .../Configuration/CertificateOptions.cs       |  7 +++-
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs | 41 +++++++++++++++----
 .../Services/SpaceApplicationManager.cs       |  4 +-
 SS14.Web/OpenId/TestDataSeeder.cs             |  1 +
 SS14.Web/Program.cs                           |  2 -
 Tools/GenerateCerts.csx                       | 35 ++++++++++++++++
 9 files changed, 95 insertions(+), 18 deletions(-)
 create mode 100644 Tools/GenerateCerts.csx

diff --git a/.gitignore b/.gitignore
index c2a3f28..a5271cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,5 @@ riderModule.iml
 /*.sln.DotSettings.user
 
 */appsettings.Secret.yml
-*/tempkey.jwk
\ No newline at end of file
+*/tempkey.jwk
+cert
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
index 7397e1d..70709c9 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Client.cshtml.cs
@@ -14,6 +14,7 @@
 using SS14.Web.OpenId.Extensions;
 using SS14.Web.OpenId.Services;
 using static OpenIddict.Abstractions.OpenIddictConstants.ConsentTypes;
+using static OpenIddict.Abstractions.OpenIddictConstants.Settings.TokenLifetimes;
 
 namespace SS14.Web.Areas.Admin.Pages.Clients;
 
@@ -154,9 +155,9 @@ public async Task<IActionResult> OnPostSaveAsync(string id)
         descriptor.Settings[OpenIdConstants.AllowPlainPkce] = Input.AllowPlainTextPkce ? "true" : "false";
         descriptor.Settings[OpenIdConstants.SigningAlgorithmSetting] = Input.AllowedIdentityTokenSigningAlgorithms ?? string.Empty;
 
-        descriptor.Settings[OpenIddictConstants.Settings.TokenLifetimes.AccessToken] = Input.AccessTokenLifetime.ToString();
-        descriptor.Settings[OpenIddictConstants.Settings.TokenLifetimes.IdentityToken] = Input.IdentityTokenLifetime.ToString();
-        descriptor.Settings[OpenIddictConstants.Settings.TokenLifetimes.RefreshToken] = Input.RefreshTokenLifetime.ToString();
+        SetTokenLifetime(descriptor, AccessToken, Input.AccessTokenLifetime);
+        SetTokenLifetime(descriptor, IdentityToken, Input.IdentityTokenLifetime);
+        SetTokenLifetime(descriptor, RefreshToken, Input.RefreshTokenLifetime);
 
         descriptor.Permissions.RemoveWhere(x => x.StartsWith(OpenIddictConstants.Permissions.Prefixes.GrantType));
 
@@ -201,6 +202,17 @@ public async Task<IActionResult> OnPostSaveAsync(string id)
         return RedirectToPage(new {id});
     }
 
+    private void SetTokenLifetime(OpenIddictApplicationDescriptor descriptor, string setting, int lifetime)
+    {
+        if (lifetime <= 0)
+        {
+            descriptor.Settings.Remove(setting);
+            return;
+        }
+
+        descriptor.Settings[setting] = lifetime.ToString();
+    }
+
     public async Task<IActionResult> OnPostCreateSecretAsync(string id)
     {
         var app = await _appManager.FindByIdAsync(id);
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index 1cf31b3..790585f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -96,7 +96,7 @@
             <a asp-page="./ConfirmDelete" class="btn btn-danger" asp-route-client="@Model.App.Id">Delete</a>
             @if (User.IsInRole(AuthConstants.RoleSysAdmin))
             {
-                <a asp-area="Admin" asp-page="/Clients/Client" class="btn btn-primary" asp-route-id="@Model.App.ClientId">Hub Admin</a>
+                <a asp-area="Admin" asp-page="/Clients/Client" class="btn btn-primary" asp-route-id="@Model.App.Id">Hub Admin</a>
             }
         </div>
     </div>
diff --git a/SS14.Web/OpenId/Configuration/CertificateOptions.cs b/SS14.Web/OpenId/Configuration/CertificateOptions.cs
index 983119b..90ed474 100644
--- a/SS14.Web/OpenId/Configuration/CertificateOptions.cs
+++ b/SS14.Web/OpenId/Configuration/CertificateOptions.cs
@@ -1,4 +1,9 @@
 #nullable enable
 namespace SS14.Web.OpenId.Configuration;
 
-public sealed record CertificateOptions(string Path, string? Password);
+public sealed class CertificateOptions
+{
+    public string Path { get; set; } = null!;
+    public string? Password { get; set; }
+    public string? Algorithm { get; set; }
+}
diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index de959ce..459243e 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -1,10 +1,13 @@
 #nullable enable
 using System;
 using System.IO;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
+using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
 using SS14.Web.OpenId.Configuration;
 using SS14.Web.OpenId.EventHandlers;
@@ -41,11 +44,6 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
         builder.Services.AddScoped<OpenIdActionService>();
     }
 
-    public static void UseOpenIdConnect(this WebApplication app)
-    {
-
-    }
-
     private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicationBuilder builder)
     {
         builder.Services.Add(AuthorizationPkceVerificationHandler.Descriptor.ServiceDescriptor);
@@ -73,10 +71,37 @@ private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicati
             openId.AddServer().AddEncryptionCertificate(encryptionCert, encryptionCertificate.Password);
         }
 
-        foreach (var signingCertificate in config.EncryptionCertificates)
+        foreach (var signingCertificate in config.SigningCertificates)
         {
-            using var signingCert = File.OpenRead(signingCertificate.Path);;
-            openId.AddServer().AddSigningCertificate(signingCert, signingCertificate.Password);
+            using var signingCert = File.OpenRead(signingCertificate.Path);
+
+            if (signingCertificate.Algorithm == null)
+            {
+                openId.AddServer().AddSigningCertificate(signingCert, signingCertificate.Password);
+            }
+            else
+            {
+                using var buffer = new MemoryStream();
+                signingCert.CopyTo(buffer);
+                var cert = X509CertificateLoader.LoadPkcs12(
+                    buffer.ToArray(),
+                    signingCertificate.Password,
+                    X509KeyStorageFlags.EphemeralKeySet);
+
+                var key = new X509SecurityKey(cert);
+                var credentials = new SigningCredentials(key, signingCertificate.Algorithm);
+                openId.AddServer().AddSigningCredentials(credentials);
+            }
         }
     }
+
+    private static void AddCertificate(OpenIddictBuilder openId, FileStream cert, string password)
+    {
+
+    }
+
+    private static void AddCertificate(OpenIddictBuilder openId, FileStream cert, string password, string algorithm)
+    {
+
+    }
 }
diff --git a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
index fba62f3..8d3d6dc 100644
--- a/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
+++ b/SS14.Web/OpenId/Services/SpaceApplicationManager.cs
@@ -103,10 +103,10 @@ protected override async ValueTask<bool> ValidateClientSecretAsync(string secret
             if (legacy)
                 value = value[LegacySecretPrefix.Length..];
 
-            if (!legacy && await base.ValidateClientSecretAsync(value, secret, ct))
+            if (!legacy && await base.ValidateClientSecretAsync(secret, value, ct))
                 return true;
 
-            if (legacy && Functions.ValidateLegacySecret(value, secret))
+            if (legacy && Functions.ValidateLegacySecret(secret, value))
                 return true;
         }
 
diff --git a/SS14.Web/OpenId/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
index bf04581..5546824 100644
--- a/SS14.Web/OpenId/TestDataSeeder.cs
+++ b/SS14.Web/OpenId/TestDataSeeder.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index cac1657..a0126c2 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -147,6 +147,4 @@
 app.MapRazorPages();
 app.MapMetrics();
 
-app.UseOpenIdConnect();
-
 app.Run();
diff --git a/Tools/GenerateCerts.csx b/Tools/GenerateCerts.csx
new file mode 100644
index 0000000..9db4d4a
--- /dev/null
+++ b/Tools/GenerateCerts.csx
@@ -0,0 +1,35 @@
+#!/usr/bin/dotnet run
+#:sdk Microsoft.NET.Sdk.Web
+
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+using var rsaAlgorithm = RSA.Create(keySizeInBits: 2048);
+
+var subject = new X500DistinguishedName("CN=SpaceWizards");
+
+// RSA Encryption Certificate
+var request = new CertificateRequest(subject, rsaAlgorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
+
+var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(10));
+
+File.WriteAllBytes("server-encryption-certificate.pfx", certificate.Export(X509ContentType.Pfx, string.Empty));
+
+// RSA Signing Certificate
+request = new CertificateRequest(subject, rsaAlgorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
+
+certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(10));
+
+File.WriteAllBytes("server-signing-certificate-rsa.pfx", certificate.Export(X509ContentType.Pfx, string.Empty));
+
+// RSA-PSS Signing Certificate
+request = new CertificateRequest(subject, rsaAlgorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
+request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
+
+certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(10));
+
+File.WriteAllBytes("server-signing-certificate-rsa-pss.pfx", certificate.Export(X509ContentType.Pfx, string.Empty));

From 9fd9eec76c80ed3aaa8a51352b14deaa88d57d13 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 1 Sep 2025 20:58:34 +0200
Subject: [PATCH 33/43] Remove test data seeder

---
 SS14.Web/OpenId/TestDataSeeder.cs | 102 ------------------------------
 1 file changed, 102 deletions(-)
 delete mode 100644 SS14.Web/OpenId/TestDataSeeder.cs

diff --git a/SS14.Web/OpenId/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
deleted file mode 100644
index 5546824..0000000
--- a/SS14.Web/OpenId/TestDataSeeder.cs
+++ /dev/null
@@ -1,102 +0,0 @@
-using System;
-using System.Security.Cryptography;
-using System.Threading;
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Hosting;
-using OpenIddict.Abstractions;
-using SS14.Auth.Shared;
-using SS14.Auth.Shared.Data;
-
-namespace SS14.Web.OpenId;
-
-// TODO: Remove after development
-public sealed class TestDataSeeder(IServiceProvider serviceProvider) : IHostedService
-{
-    public async Task StartAsync(CancellationToken ct)
-    {
-        using var scope = serviceProvider.CreateScope();
-        await PopulateInternalApps(scope, ct);
-        await PopulateUsersAsync(scope);
-    }
-
-    public Task StopAsync(CancellationToken ct)
-    {
-        return Task.CompletedTask;
-    }
-
-    private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationToken ct)
-    {
-        var appManager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
-
-        var appDescriptor = new OpenIddictApplicationDescriptor
-        {
-            ClientId = "test_client",
-            ClientSecret = "test_secret",
-            ClientType = OpenIddictConstants.ClientTypes.Confidential,
-            DisplayName = "Test Client",
-            RedirectUris = { new Uri("https://localhost:5002/signin-oidc") },
-            Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
-            Settings =
-            {
-                {OpenIdConstants.SigningAlgorithmSetting, "RS256"},
-                {OpenIdConstants.AllowPlainPkce, "true"},
-            },
-            Permissions =
-            {
-                OpenIddictConstants.Permissions.Endpoints.Authorization,
-                OpenIddictConstants.Permissions.Endpoints.Token,
-                OpenIddictConstants.Permissions.Endpoints.Introspection,
-                OpenIddictConstants.Permissions.Endpoints.EndSession,
-                OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
-                OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
-                OpenIddictConstants.Permissions.ResponseTypes.Code,
-                OpenIddictConstants.Permissions.Scopes.Email,
-                OpenIddictConstants.Permissions.Scopes.Profile,
-                OpenIddictConstants.Permissions.Scopes.Roles,
-            }
-        };
-
-        var client = await appManager.FindByClientIdAsync(appDescriptor.ClientId, ct);
-        if (client == null)
-        {
-            await appManager.CreateAsync(appDescriptor, ct);
-        }
-        else
-        {
-            await appManager.UpdateAsync(client, appDescriptor, ct);
-        }
-    }
-
-    private async ValueTask PopulateUsersAsync(IServiceScope scope)
-    {
-        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<SpaceUser>>();
-        var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<SpaceRole>>();
-
-        var sysAdmin = new SpaceRole
-        {
-            Name = AuthConstants.RoleSysAdmin,
-        };
-
-        await roleManager.CreateAsync(sysAdmin);
-
-        var hubAdmin = new SpaceRole
-        {
-            Name = AuthConstants.RoleServerHubAdmin,
-        };
-
-        await roleManager.CreateAsync(hubAdmin);
-
-        var user = new SpaceUser
-        {
-            UserName = "TestUser",
-            Email = "test@example.test",
-            EmailConfirmed = true,
-        };
-
-        await userManager.CreateAsync(user, "Test123456$");
-        await userManager.AddToRoleAsync(user, AuthConstants.RoleSysAdmin);
-        await userManager.AddToRoleAsync(user, AuthConstants.RoleServerHubAdmin);
-    }
-}

From 191384c208ee734606565f62793adc3ff5fd0e77 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 1 Sep 2025 21:02:21 +0200
Subject: [PATCH 34/43] Add data migration sql to tools

---
 ...2_IdentityServer4DataMigration.Designer.cs | 921 ------------------
 ...0830182402_IdentityServer4DataMigration.cs |  22 -
 ...tyserver4_to_openiddict_data_migration.sql |  26 +
 3 files changed, 26 insertions(+), 943 deletions(-)
 delete mode 100644 SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs
 delete mode 100644 SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs
 create mode 100644 Tools/identityserver4_to_openiddict_data_migration.sql

diff --git a/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs b/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs
deleted file mode 100644
index 2aa501d..0000000
--- a/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.Designer.cs
+++ /dev/null
@@ -1,921 +0,0 @@
-// <auto-generated />
-using System;
-using System.Net;
-using System.Text.Json;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.EntityFrameworkCore.Infrastructure;
-using Microsoft.EntityFrameworkCore.Migrations;
-using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
-using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
-using SS14.Auth.Shared.Data;
-
-#nullable disable
-
-namespace SS14.Auth.Shared.Data.Migrations
-{
-    [DbContext(typeof(ApplicationDbContext))]
-    [Migration("20250830182402_IdentityServer4DataMigration")]
-    partial class IdentityServer4DataMigration
-    {
-        /// <inheritdoc />
-        protected override void BuildTargetModel(ModelBuilder modelBuilder)
-        {
-#pragma warning disable 612, 618
-            modelBuilder
-                .HasAnnotation("ProductVersion", "9.0.8")
-                .HasAnnotation("Relational:MaxIdentifierLength", 63);
-
-            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
-
-            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("FriendlyName")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Xml")
-                        .HasColumnType("text");
-
-                    b.HasKey("Id");
-
-                    b.ToTable("DataProtectionKeys");
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("ClaimType")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ClaimValue")
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("RoleId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("RoleId");
-
-                    b.ToTable("AspNetRoleClaims", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("ClaimType")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ClaimValue")
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("UserId");
-
-                    b.ToTable("AspNetUserClaims", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
-                {
-                    b.Property<string>("LoginProvider")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ProviderKey")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ProviderDisplayName")
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("LoginProvider", "ProviderKey");
-
-                    b.HasIndex("UserId");
-
-                    b.ToTable("AspNetUserLogins", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
-                {
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid>("RoleId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("UserId", "RoleId");
-
-                    b.HasIndex("RoleId");
-
-                    b.ToTable("AspNetUserRoles", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
-                {
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("LoginProvider")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Name")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Value")
-                        .HasColumnType("text");
-
-                    b.HasKey("UserId", "LoginProvider", "Name");
-
-                    b.ToTable("AspNetUserTokens", (string)null);
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
-                {
-                    b.Property<long>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("bigint");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
-
-                    b.Property<Guid?>("Actor")
-                        .HasColumnType("uuid");
-
-                    b.Property<IPAddress>("ActorAddress")
-                        .HasColumnType("inet");
-
-                    b.Property<JsonDocument>("Data")
-                        .IsRequired()
-                        .HasColumnType("jsonb");
-
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTime>("Time")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<int>("Type")
-                        .HasColumnType("integer");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("SpaceUserId");
-
-                    b.ToTable("AccountLogs");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
-                {
-                    b.Property<long>("AuthHashId")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("bigint");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("AuthHashId"));
-
-                    b.Property<DateTimeOffset>("Expires")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<byte[]>("Hash")
-                        .IsRequired()
-                        .HasColumnType("bytea");
-
-                    b.Property<long?>("HwidId")
-                        .HasColumnType("bigint");
-
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("AuthHashId");
-
-                    b.HasIndex("HwidId");
-
-                    b.HasIndex("SpaceUserId");
-
-                    b.HasIndex("Hash", "SpaceUserId")
-                        .IsUnique();
-
-                    b.ToTable("AuthHashes");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.BurnerEmail", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("Domain")
-                        .HasColumnType("text");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("Domain")
-                        .IsUnique();
-
-                    b.ToTable("BurnerEmails");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
-                {
-                    b.Property<long>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("bigint");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
-
-                    b.Property<byte[]>("ClientData")
-                        .IsRequired()
-                        .HasColumnType("bytea");
-
-                    b.Property<int>("TypeCode")
-                        .HasColumnType("integer");
-
-                    b.Property<byte[]>("Value")
-                        .IsRequired()
-                        .HasColumnType("bytea");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientData")
-                        .IsUnique();
-
-                    b.ToTable("Hwids");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
-                {
-                    b.Property<long>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("bigint");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
-
-                    b.Property<DateTime>("FirstSeen")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<long>("HwidId")
-                        .HasColumnType("bigint");
-
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("SpaceUserId");
-
-                    b.HasIndex("HwidId", "SpaceUserId")
-                        .IsUnique();
-
-                    b.ToTable("HwidUsers");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
-                {
-                    b.Property<long>("LoginSessionId")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("bigint");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("LoginSessionId"));
-
-                    b.Property<DateTimeOffset>("Expires")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<byte[]>("Token")
-                        .IsRequired()
-                        .HasColumnType("bytea");
-
-                    b.HasKey("LoginSessionId");
-
-                    b.HasIndex("SpaceUserId");
-
-                    b.HasIndex("Token")
-                        .IsUnique();
-
-                    b.ToTable("ActiveSessions");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
-                {
-                    b.Property<string>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("text");
-
-                    b.Property<string>("ApplicationId")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ConcurrencyToken")
-                        .IsConcurrencyToken()
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<DateTime?>("CreationDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Properties")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Scopes")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Status")
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<string>("Subject")
-                        .HasMaxLength(400)
-                        .HasColumnType("character varying(400)");
-
-                    b.Property<string>("Type")
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
-
-                    b.ToTable("OpenIddictAuthorizations", (string)null);
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultScope", b =>
-                {
-                    b.Property<string>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("text");
-
-                    b.Property<string>("ConcurrencyToken")
-                        .IsConcurrencyToken()
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<string>("Description")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Descriptions")
-                        .HasColumnType("text");
-
-                    b.Property<string>("DisplayName")
-                        .HasColumnType("text");
-
-                    b.Property<string>("DisplayNames")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Name")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
-                    b.Property<string>("Properties")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Resources")
-                        .HasColumnType("text");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("Name")
-                        .IsUnique();
-
-                    b.ToTable("OpenIddictScopes", (string)null);
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
-                {
-                    b.Property<string>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("text");
-
-                    b.Property<string>("ApplicationId")
-                        .HasColumnType("text");
-
-                    b.Property<string>("AuthorizationId")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ConcurrencyToken")
-                        .IsConcurrencyToken()
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<DateTime?>("CreationDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<DateTime?>("ExpirationDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Payload")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Properties")
-                        .HasColumnType("text");
-
-                    b.Property<DateTime?>("RedemptionDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("ReferenceId")
-                        .HasMaxLength(100)
-                        .HasColumnType("character varying(100)");
-
-                    b.Property<string>("Status")
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<string>("Subject")
-                        .HasMaxLength(400)
-                        .HasColumnType("character varying(400)");
-
-                    b.Property<string>("Type")
-                        .HasMaxLength(150)
-                        .HasColumnType("character varying(150)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("AuthorizationId");
-
-                    b.HasIndex("ReferenceId")
-                        .IsUnique();
-
-                    b.HasIndex("ApplicationId", "Status", "Subject", "Type");
-
-                    b.ToTable("OpenIddictTokens", (string)null);
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<DateTime>("ChangeTime")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("PastName")
-                        .IsRequired()
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("SpaceUserId");
-
-                    b.ToTable("PastAccountNames");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.PatreonWebhookLog", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("Content")
-                        .HasColumnType("jsonb");
-
-                    b.Property<DateTimeOffset>("Time")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Trigger")
-                        .HasColumnType("text");
-
-                    b.HasKey("Id");
-
-                    b.ToTable("PatreonWebhookLogs");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("CurrentTier")
-                        .HasColumnType("text");
-
-                    b.Property<string>("PatreonId")
-                        .IsRequired()
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("PatreonId")
-                        .IsUnique();
-
-                    b.HasIndex("SpaceUserId")
-                        .IsUnique();
-
-                    b.ToTable("Patrons");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
-                {
-                    b.Property<string>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("text");
-
-                    b.Property<string>("ApplicationType")
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<string>("ClientId")
-                        .HasMaxLength(100)
-                        .HasColumnType("character varying(100)");
-
-                    b.Property<string>("ClientSecret")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ClientType")
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<string>("ConcurrencyToken")
-                        .IsConcurrencyToken()
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<string>("ConsentType")
-                        .HasMaxLength(50)
-                        .HasColumnType("character varying(50)");
-
-                    b.Property<string>("DisplayName")
-                        .HasColumnType("text");
-
-                    b.Property<string>("DisplayNames")
-                        .HasColumnType("text");
-
-                    b.Property<string>("JsonWebKeySet")
-                        .HasColumnType("text");
-
-                    b.Property<string>("LogoUri")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Permissions")
-                        .HasColumnType("text");
-
-                    b.Property<string>("PostLogoutRedirectUris")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Properties")
-                        .HasColumnType("text");
-
-                    b.Property<string>("RedirectUris")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Requirements")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Settings")
-                        .HasColumnType("text");
-
-                    b.Property<Guid?>("SpaceUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("WebsiteUrl")
-                        .HasColumnType("text");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId")
-                        .IsUnique();
-
-                    b.HasIndex("SpaceUserId");
-
-                    b.ToTable("OpenIddictApplications", (string)null);
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceRole", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("ConcurrencyStamp")
-                        .IsConcurrencyToken()
-                        .HasColumnType("text");
-
-                    b.Property<string>("Name")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("NormalizedName")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("NormalizedName")
-                        .IsUnique()
-                        .HasDatabaseName("RoleNameIndex");
-
-                    b.ToTable("AspNetRoles", (string)null);
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<bool>("AdminLocked")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("AdminNotes")
-                        .IsRequired()
-                        .HasColumnType("text");
-
-                    b.Property<string>("ConcurrencyStamp")
-                        .IsConcurrencyToken()
-                        .HasColumnType("text");
-
-                    b.Property<DateTimeOffset>("CreatedTime")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Email")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<bool>("EmailConfirmed")
-                        .HasColumnType("boolean");
-
-                    b.Property<DateTime?>("LastUsernameChange")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("NormalizedEmail")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("NormalizedUserName")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("PasswordHash")
-                        .HasColumnType("text");
-
-                    b.Property<string>("SecurityStamp")
-                        .HasColumnType("text");
-
-                    b.Property<bool>("TwoFactorEnabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("UserName")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("NormalizedEmail")
-                        .HasDatabaseName("EmailIndex");
-
-                    b.HasIndex("NormalizedUserName")
-                        .IsUnique()
-                        .HasDatabaseName("UserNameIndex");
-
-                    b.ToTable("AspNetUsers", (string)null);
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.WhitelistEmail", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("Domain")
-                        .HasColumnType("text");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("Domain")
-                        .IsUnique();
-
-                    b.ToTable("WhitelistEmails");
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
-                        .WithMany()
-                        .HasForeignKey("RoleId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceRole", null)
-                        .WithMany()
-                        .HasForeignKey("RoleId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.AccountLog", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithMany("AccountLogs")
-                        .HasForeignKey("SpaceUserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("SpaceUser");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.AuthHash", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
-                        .WithMany()
-                        .HasForeignKey("HwidId")
-                        .OnDelete(DeleteBehavior.SetNull);
-
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithMany("AuthHashes")
-                        .HasForeignKey("SpaceUserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Hwid");
-
-                    b.Navigation("SpaceUser");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.HwidUser", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.Hwid", "Hwid")
-                        .WithMany("Users")
-                        .HasForeignKey("HwidId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithMany()
-                        .HasForeignKey("SpaceUserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("Hwid");
-
-                    b.Navigation("SpaceUser");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.LoginSession", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithMany("LoginSessions")
-                        .HasForeignKey("SpaceUserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("SpaceUser");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
-                        .WithMany("Authorizations")
-                        .HasForeignKey("ApplicationId");
-
-                    b.Navigation("Application");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultToken", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceApplication", "Application")
-                        .WithMany("Tokens")
-                        .HasForeignKey("ApplicationId");
-
-                    b.HasOne("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", "Authorization")
-                        .WithMany("Tokens")
-                        .HasForeignKey("AuthorizationId");
-
-                    b.Navigation("Application");
-
-                    b.Navigation("Authorization");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.PastAccountName", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithMany("PastAccountNames")
-                        .HasForeignKey("SpaceUserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("SpaceUser");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.Patron", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithOne("Patron")
-                        .HasForeignKey("SS14.Auth.Shared.Data.Patron", "SpaceUserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.Navigation("SpaceUser");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
-                {
-                    b.HasOne("SS14.Auth.Shared.Data.SpaceUser", "SpaceUser")
-                        .WithMany()
-                        .HasForeignKey("SpaceUserId");
-
-                    b.Navigation("SpaceUser");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.Hwid", b =>
-                {
-                    b.Navigation("Users");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.OpeniddictDefaultTypes+DefaultAuthorization", b =>
-                {
-                    b.Navigation("Tokens");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceApplication", b =>
-                {
-                    b.Navigation("Authorizations");
-
-                    b.Navigation("Tokens");
-                });
-
-            modelBuilder.Entity("SS14.Auth.Shared.Data.SpaceUser", b =>
-                {
-                    b.Navigation("AccountLogs");
-
-                    b.Navigation("AuthHashes");
-
-                    b.Navigation("LoginSessions");
-
-                    b.Navigation("PastAccountNames");
-
-                    b.Navigation("Patron");
-                });
-#pragma warning restore 612, 618
-        }
-    }
-}
diff --git a/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs b/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs
deleted file mode 100644
index a3350a0..0000000
--- a/SS14.Auth.Shared/Data/Migrations/20250830182402_IdentityServer4DataMigration.cs
+++ /dev/null
@@ -1,22 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace SS14.Auth.Shared.Data.Migrations
-{
-    /// <inheritdoc />
-    public partial class IdentityServer4DataMigration : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-
-        }
-    }
-}
diff --git a/Tools/identityserver4_to_openiddict_data_migration.sql b/Tools/identityserver4_to_openiddict_data_migration.sql
new file mode 100644
index 0000000..9da231b
--- /dev/null
+++ b/Tools/identityserver4_to_openiddict_data_migration.sql
@@ -0,0 +1,26 @@
+insert into public."OpenIddictApplications"
+select gen_random_uuid() as Id,
+       (select "SpaceUserId" from public."UserOAuthClients" uc where c."Id" = uc."ClientId"),
+       "LogoUri", null as ApplicationType, c."ClientId",
+       (select string_agg(array_to_string(array [
+                                              cs."Id"::text,
+                                          floor(extract(epoch from cs."Created"))::text,
+                                          '_OLD_' || cs."Value",
+                                          replace(cs."Description", '*', '')
+                                              ], '.'), ',') from "IS4"."ClientSecrets" cs where cs."ClientId" = c."Id") ClientSecret,
+       'confidential' as ClientType, gen_random_uuid() as ConcurrencyToken,
+       CASE when "RequireConsent" then 'Explicit' else 'Implicit' end as "ConsentType",
+       "ClientName" as DisplayName, null as DisplayNames, null as JsonWebKeySet,
+       '["ept:authorization","ept:token","ept:introspection","ept:end_session","gt:refresh_token","gt:authorization_code","rst:code","scp:email","scp:profile","scp:roles"]'
+           as Permissions,
+       null as PostLogoutRedirectUris,
+       null as Properties,
+       (select json_agg("RedirectUri") from "IS4"."ClientRedirectUris" cr where cr."ClientId" = c."Id")::text "RedirectUris",
+    case when "RequirePkce" then '["ft:pkce"]' end as "Requirements",
+       json_build_object(
+           'space:AllowPlainPkce', "AllowPlainTextPkce"::TEXT,
+           'space:SigningAlgorithm', "AllowedIdentityTokenSigningAlgorithms",
+           'space:Disabled', ("Enabled" = false)::TEXT
+       )::text as "Settings",
+    "ClientUri" as WebsiteUrl
+from "IS4"."Clients" c;

From cb12e03704344ff4aa513581ca19312e6cca1d9d Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 1 Sep 2025 21:10:35 +0200
Subject: [PATCH 35/43] Address leftover todos and comments

---
 SS14.Auth.Shared/Data/AccountLogManager.cs    |  3 +-
 SS14.ServerHub.Shared/Data/HubDbContext.cs    |  7 --
 .../Data/NpgsqlTypeMapping.cs                 | 68 -------------------
 3 files changed, 1 insertion(+), 77 deletions(-)
 delete mode 100644 SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs

diff --git a/SS14.Auth.Shared/Data/AccountLogManager.cs b/SS14.Auth.Shared/Data/AccountLogManager.cs
index e5c1461..a410d2d 100644
--- a/SS14.Auth.Shared/Data/AccountLogManager.cs
+++ b/SS14.Auth.Shared/Data/AccountLogManager.cs
@@ -81,8 +81,7 @@ public AccountLogActor NoActor()
     private IPAddress? GetActorIP()
     {
         if (httpContextAccessor.HttpContext == null)
-            return null;
-            // TODO: Undo commenting this out throw new InvalidOperationException("Unable to get HttpContext!");
+            throw new InvalidOperationException("Unable to get HttpContext!");
 
         var address = httpContextAccessor.HttpContext.Connection.RemoteIpAddress;
         return address;
diff --git a/SS14.ServerHub.Shared/Data/HubDbContext.cs b/SS14.ServerHub.Shared/Data/HubDbContext.cs
index ec42551..b941660 100644
--- a/SS14.ServerHub.Shared/Data/HubDbContext.cs
+++ b/SS14.ServerHub.Shared/Data/HubDbContext.cs
@@ -9,13 +9,6 @@ public HubDbContext(DbContextOptions<HubDbContext> options) : base(options)
     {
     }
 
-    protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
-    {
-        base.OnConfiguring(optionsBuilder);
-
-        //optionsBuilder.ReplaceService<IRelationalTypeMappingSource, CustomNpgsqlTypeMappingSource>();
-    }
-
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
         base.OnModelCreating(modelBuilder);
diff --git a/SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs b/SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs
deleted file mode 100644
index 82012d9..0000000
--- a/SS14.ServerHub.Shared/Data/NpgsqlTypeMapping.cs
+++ /dev/null
@@ -1,68 +0,0 @@
-using System.Linq.Expressions;
-using System.Net;
-using System.Reflection;
-using Microsoft.EntityFrameworkCore.Storage;
-using Npgsql.EntityFrameworkCore.PostgreSQL.Infrastructure.Internal;
-using Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal;
-using Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.Mapping;
-
-namespace SS14.ServerHub.Shared.Data;
-
-#pragma warning disable EF1001
-/*
-// Taken from https://github.com/npgsql/efcore.pg/issues/1158
-// To support inet -> (IPAddress, int) mapping.
-public class CustomNpgsqlTypeMappingSource : NpgsqlTypeMappingSource
-{
-    public CustomNpgsqlTypeMappingSource(
-        TypeMappingSourceDependencies dependencies,
-        RelationalTypeMappingSourceDependencies relationalDependencies,
-        ISqlGenerationHelper sqlGenerationHelper,
-        INpgsqlSingletonOptions? npgsqlOptions = null)
-        : base(dependencies, relationalDependencies, sqlGenerationHelper, npgsqlOptions)
-    {
-        StoreTypeMappings["inet"] =
-            new RelationalTypeMapping[]
-            {
-                new NpgsqlInetWithMaskTypeMapping(),
-                new NpgsqlInetTypeMapping()
-            };
-    }
-}
-
-// Basically copied from NpgsqlCidrTypeMapping
-public class NpgsqlInetWithMaskTypeMapping : NpgsqlTypeMapping
-{
-    public NpgsqlInetWithMaskTypeMapping() : base("inet", typeof((IPAddress, int)), NpgsqlTypes.NpgsqlDbType.Inet)
-    {
-    }
-
-    protected NpgsqlInetWithMaskTypeMapping(RelationalTypeMappingParameters parameters)
-        : base(parameters, NpgsqlTypes.NpgsqlDbType.Inet)
-    {
-    }
-
-    protected override RelationalTypeMapping Clone(RelationalTypeMappingParameters parameters)
-        => new NpgsqlInetWithMaskTypeMapping(parameters);
-
-    protected override string GenerateNonNullSqlLiteral(object value)
-    {
-        var cidr = ((IPAddress Address, int Subnet))value;
-        return $"INET '{cidr.Address}/{cidr.Subnet}'";
-    }
-
-    public override Expression GenerateCodeLiteral(object value)
-    {
-        var cidr = ((IPAddress Address, int Subnet))value;
-        return Expression.New(
-            Constructor,
-            Expression.Call(ParseMethod, Expression.Constant(cidr.Address.ToString())),
-            Expression.Constant(cidr.Subnet));
-    }
-
-    static readonly MethodInfo ParseMethod = typeof(IPAddress).GetMethod("Parse", new[] { typeof(string) })!;
-
-    static readonly ConstructorInfo Constructor =
-        typeof((IPAddress, int)).GetConstructor(new[] { typeof(IPAddress), typeof(int) })!;
-}
-*/

From d327ff7ff66cdd1569fa8e74fe70ad2f70f7cfdc Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Sat, 17 Jan 2026 17:13:33 +0100
Subject: [PATCH 36/43] Revert "Remove test data seeder"

This reverts commit 9fd9eec76c80ed3aaa8a51352b14deaa88d57d13.
---
 SS14.Web/OpenId/TestDataSeeder.cs | 102 ++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 SS14.Web/OpenId/TestDataSeeder.cs

diff --git a/SS14.Web/OpenId/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
new file mode 100644
index 0000000..5546824
--- /dev/null
+++ b/SS14.Web/OpenId/TestDataSeeder.cs
@@ -0,0 +1,102 @@
+using System;
+using System.Security.Cryptography;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using OpenIddict.Abstractions;
+using SS14.Auth.Shared;
+using SS14.Auth.Shared.Data;
+
+namespace SS14.Web.OpenId;
+
+// TODO: Remove after development
+public sealed class TestDataSeeder(IServiceProvider serviceProvider) : IHostedService
+{
+    public async Task StartAsync(CancellationToken ct)
+    {
+        using var scope = serviceProvider.CreateScope();
+        await PopulateInternalApps(scope, ct);
+        await PopulateUsersAsync(scope);
+    }
+
+    public Task StopAsync(CancellationToken ct)
+    {
+        return Task.CompletedTask;
+    }
+
+    private async ValueTask PopulateInternalApps(IServiceScope scope, CancellationToken ct)
+    {
+        var appManager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
+
+        var appDescriptor = new OpenIddictApplicationDescriptor
+        {
+            ClientId = "test_client",
+            ClientSecret = "test_secret",
+            ClientType = OpenIddictConstants.ClientTypes.Confidential,
+            DisplayName = "Test Client",
+            RedirectUris = { new Uri("https://localhost:5002/signin-oidc") },
+            Requirements = { OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange },
+            Settings =
+            {
+                {OpenIdConstants.SigningAlgorithmSetting, "RS256"},
+                {OpenIdConstants.AllowPlainPkce, "true"},
+            },
+            Permissions =
+            {
+                OpenIddictConstants.Permissions.Endpoints.Authorization,
+                OpenIddictConstants.Permissions.Endpoints.Token,
+                OpenIddictConstants.Permissions.Endpoints.Introspection,
+                OpenIddictConstants.Permissions.Endpoints.EndSession,
+                OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
+                OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
+                OpenIddictConstants.Permissions.ResponseTypes.Code,
+                OpenIddictConstants.Permissions.Scopes.Email,
+                OpenIddictConstants.Permissions.Scopes.Profile,
+                OpenIddictConstants.Permissions.Scopes.Roles,
+            }
+        };
+
+        var client = await appManager.FindByClientIdAsync(appDescriptor.ClientId, ct);
+        if (client == null)
+        {
+            await appManager.CreateAsync(appDescriptor, ct);
+        }
+        else
+        {
+            await appManager.UpdateAsync(client, appDescriptor, ct);
+        }
+    }
+
+    private async ValueTask PopulateUsersAsync(IServiceScope scope)
+    {
+        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<SpaceUser>>();
+        var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<SpaceRole>>();
+
+        var sysAdmin = new SpaceRole
+        {
+            Name = AuthConstants.RoleSysAdmin,
+        };
+
+        await roleManager.CreateAsync(sysAdmin);
+
+        var hubAdmin = new SpaceRole
+        {
+            Name = AuthConstants.RoleServerHubAdmin,
+        };
+
+        await roleManager.CreateAsync(hubAdmin);
+
+        var user = new SpaceUser
+        {
+            UserName = "TestUser",
+            Email = "test@example.test",
+            EmailConfirmed = true,
+        };
+
+        await userManager.CreateAsync(user, "Test123456$");
+        await userManager.AddToRoleAsync(user, AuthConstants.RoleSysAdmin);
+        await userManager.AddToRoleAsync(user, AuthConstants.RoleServerHubAdmin);
+    }
+}

From 2f3b2b8fc1d5cce60b0309be4857fb41b70c48ee Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 2 Mar 2026 20:38:36 +0100
Subject: [PATCH 37/43] Update to .net10

---
 OAuthTest/OAuthTest.csproj                    |  2 +-
 SS14.Auth.Shared/Data/SpaceUserManager.cs     |  3 ++-
 SS14.Auth.Shared/SS14.Auth.Shared.csproj      |  2 +-
 SS14.Auth/SS14.Auth.csproj                    |  2 +-
 .../SS14.ServerHub.Shared.csproj              |  2 +-
 SS14.ServerHub/SS14.ServerHub.csproj          |  2 +-
 SS14.Web.Tests/SS14.Web.Tests.csproj          |  2 +-
 .../Areas/Admin/Pages/Clients/Index.cshtml.cs |  2 +-
 .../Extensions/AsyncEnumerableExtension.cs    | 21 -------------------
 .../ApplicationManagerExtensions.cs           |  3 +--
 .../OpenId/Services/OpenIdActionService.cs    |  1 -
 SS14.Web/OpenId/TestDataSeeder.cs             | 11 +++++++++-
 SS14.Web/PersonalDataCollector.cs             |  4 ++--
 SS14.Web/SS14.Web.csproj                      |  2 +-
 .../SS14.WebEverythingShared.csproj           |  2 +-
 ...tyserver4_to_openiddict_data_migration.sql |  2 +-
 16 files changed, 25 insertions(+), 38 deletions(-)
 delete mode 100644 SS14.Web/Extensions/AsyncEnumerableExtension.cs

diff --git a/OAuthTest/OAuthTest.csproj b/OAuthTest/OAuthTest.csproj
index afc0775..ef43e05 100644
--- a/OAuthTest/OAuthTest.csproj
+++ b/OAuthTest/OAuthTest.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
     </PropertyGroup>
 
     <ItemGroup>
diff --git a/SS14.Auth.Shared/Data/SpaceUserManager.cs b/SS14.Auth.Shared/Data/SpaceUserManager.cs
index 66c6d75..6a02c86 100644
--- a/SS14.Auth.Shared/Data/SpaceUserManager.cs
+++ b/SS14.Auth.Shared/Data/SpaceUserManager.cs
@@ -41,6 +41,7 @@ public override async Task<IdentityResult> CreateAsync(SpaceUser user)
         // Whoopsie.
         var accountLogManager = _services.GetRequiredService<AccountLogManager>();
         await accountLogManager.LogAndSave(user, new AccountLogCreated(), accountLogManager.NoActor());
+
         return result;
     }
 
@@ -54,4 +55,4 @@ public async Task<SpaceUser> FindByNameOrEmailAsync(string nameOrEmail)
 
         return await FindByEmailAsync(nameOrEmail);
     }
-}
\ No newline at end of file
+}
diff --git a/SS14.Auth.Shared/SS14.Auth.Shared.csproj b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
index 5e77028..477c6a5 100644
--- a/SS14.Auth.Shared/SS14.Auth.Shared.csproj
+++ b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
         <OutputType>Library</OutputType>
         <LangVersion>12</LangVersion>
     </PropertyGroup>
diff --git a/SS14.Auth/SS14.Auth.csproj b/SS14.Auth/SS14.Auth.csproj
index bf0b50c..3f3c372 100644
--- a/SS14.Auth/SS14.Auth.csproj
+++ b/SS14.Auth/SS14.Auth.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
         <Nullable>enable</Nullable>
     </PropertyGroup>
 
diff --git a/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj b/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
index 02f4f5d..73fc0ad 100644
--- a/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
+++ b/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
         <ImplicitUsings>enable</ImplicitUsings>
         <Nullable>enable</Nullable>
         <OutputType>Library</OutputType>
diff --git a/SS14.ServerHub/SS14.ServerHub.csproj b/SS14.ServerHub/SS14.ServerHub.csproj
index e09f77a..6883bf6 100644
--- a/SS14.ServerHub/SS14.ServerHub.csproj
+++ b/SS14.ServerHub/SS14.ServerHub.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
         <Nullable>enable</Nullable>
     </PropertyGroup>
 
diff --git a/SS14.Web.Tests/SS14.Web.Tests.csproj b/SS14.Web.Tests/SS14.Web.Tests.csproj
index 97b7389..4e09f63 100644
--- a/SS14.Web.Tests/SS14.Web.Tests.csproj
+++ b/SS14.Web.Tests/SS14.Web.Tests.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
 
         <IsPackable>false</IsPackable>
     </PropertyGroup>
diff --git a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
index 11ea645..4ac1b71 100644
--- a/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
+++ b/SS14.Web/Areas/Admin/Pages/Clients/Index.cshtml.cs
@@ -1,13 +1,13 @@
 #nullable enable
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using OpenIddict.Abstractions;
 using SS14.Auth.Shared.Data;
-using SS14.Web.Extensions;
 using SS14.Web.OpenId;
 using SS14.Web.OpenId.Services;
 
diff --git a/SS14.Web/Extensions/AsyncEnumerableExtension.cs b/SS14.Web/Extensions/AsyncEnumerableExtension.cs
deleted file mode 100644
index e2ac7e2..0000000
--- a/SS14.Web/Extensions/AsyncEnumerableExtension.cs
+++ /dev/null
@@ -1,21 +0,0 @@
-#nullable enable
-using System.Collections.Generic;
-using System.Threading;
-using System.Threading.Tasks;
-
-namespace SS14.Web.Extensions;
-
-public static class AsyncEnumerableExtension
-{
-    public static async ValueTask<List<T>> ToListAsync<T>(this IAsyncEnumerable<T> enumerable, CancellationToken ct = default)
-    {
-        var source = enumerable.WithCancellation(ct);
-        List<T> list = [];
-        await foreach (var item in source)
-        {
-            list.Add(item);
-        }
-
-        return list;
-    }
-}
diff --git a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
index 79043c9..d219145 100644
--- a/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
+++ b/SS14.Web/OpenId/Extensions/ApplicationManagerExtensions.cs
@@ -7,7 +7,6 @@
 using OpenIddict.Abstractions;
 using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
-using SS14.Web.Extensions;
 
 namespace SS14.Web.OpenId.Extensions;
 
@@ -63,7 +62,7 @@ public static async ValueTask<bool> CheckSetting(this OpenIddictApplicationManag
     public static async ValueTask<List<SpaceApplication>> FindApplicationsByUserId(this OpenIddictApplicationManager<SpaceApplication> manager, Guid userId, CancellationToken cancel = default)
     {
         return await manager.ListAsync(x => x.Where(a => a.SpaceUserId == userId)
-            , cancel).ToListAsync(ct: cancel);
+            , cancel).ToListAsync(cancellationToken: cancel);
     }
 
     public static async ValueTask<int> GetAccessTokenLifetime(
diff --git a/SS14.Web/OpenId/Services/OpenIdActionService.cs b/SS14.Web/OpenId/Services/OpenIdActionService.cs
index d7b24f6..080efe2 100644
--- a/SS14.Web/OpenId/Services/OpenIdActionService.cs
+++ b/SS14.Web/OpenId/Services/OpenIdActionService.cs
@@ -12,7 +12,6 @@
 using OpenIddict.Abstractions;
 using OpenIddict.Core;
 using SS14.Auth.Shared.Data;
-using SS14.Web.Extensions;
 using SS14.Web.Models.Types;
 using SS14.Web.OpenId.Types;
 using static OpenIddict.Abstractions.OpenIddictConstants;
diff --git a/SS14.Web/OpenId/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
index 5546824..d3505a1 100644
--- a/SS14.Web/OpenId/TestDataSeeder.cs
+++ b/SS14.Web/OpenId/TestDataSeeder.cs
@@ -95,7 +95,16 @@ private async ValueTask PopulateUsersAsync(IServiceScope scope)
             EmailConfirmed = true,
         };
 
-        await userManager.CreateAsync(user, "Test123456$");
+
+        // Logging throws an invalid operation exception if an account gets created by something like an I Hosted service
+        // for seeding data. Throwing here doesn't prevent creating the account so it gets logged as an error instead
+        // TODO: Ask if I can make the GetActorIP method log an error instead of throwing instead
+        try
+        {
+            await userManager.CreateAsync(user, "Test123456$");
+        }
+        catch (InvalidOperationException e) { }
+
         await userManager.AddToRoleAsync(user, AuthConstants.RoleSysAdmin);
         await userManager.AddToRoleAsync(user, AuthConstants.RoleServerHubAdmin);
     }
diff --git a/SS14.Web/PersonalDataCollector.cs b/SS14.Web/PersonalDataCollector.cs
index a548588..ff3b9e2 100644
--- a/SS14.Web/PersonalDataCollector.cs
+++ b/SS14.Web/PersonalDataCollector.cs
@@ -162,7 +162,7 @@ private async Task CollectUserOAuthClients(ZipArchive zip, SpaceUser user, Cance
     private async Task CollectAuthorizations(ZipArchive zip, SpaceUser user, CancellationToken cancel)
     {
         var authorizations = await authorizationManager.FindBySubjectAsync(user.Id.ToString(), cancel)
-            .ToListAsync(ct: cancel);
+            .ToListAsync(cancellationToken: cancel);
 
         var data = authorizations.Select(x => new AuthorizationData(
             Id: x.Id,
@@ -181,7 +181,7 @@ private async Task CollectAuthorizations(ZipArchive zip, SpaceUser user, Cancell
     private async Task CollectTokens(ZipArchive zip, SpaceUser user, CancellationToken cancel)
     {
         var tokens = await tokenManager.FindBySubjectAsync(user.Id.ToString(), cancel)
-            .ToListAsync(ct: cancel);
+            .ToListAsync(cancellationToken: cancel);
 
         var data = tokens.Select(x => new TokenData(
             Id: x.Id,
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index 8229dba..d6628e1 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
     </PropertyGroup>
 
     <ItemGroup>
diff --git a/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj b/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj
index 79c0aaf..81c54ca 100644
--- a/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj
+++ b/SS14.WebEverythingShared/SS14.WebEverythingShared.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
     <PropertyGroup>
-        <TargetFramework>net9.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
         <ImplicitUsings>enable</ImplicitUsings>
         <Nullable>enable</Nullable>
         <LangVersion>12</LangVersion>
diff --git a/Tools/identityserver4_to_openiddict_data_migration.sql b/Tools/identityserver4_to_openiddict_data_migration.sql
index 9da231b..6662844 100644
--- a/Tools/identityserver4_to_openiddict_data_migration.sql
+++ b/Tools/identityserver4_to_openiddict_data_migration.sql
@@ -9,7 +9,7 @@ select gen_random_uuid() as Id,
                                           replace(cs."Description", '*', '')
                                               ], '.'), ',') from "IS4"."ClientSecrets" cs where cs."ClientId" = c."Id") ClientSecret,
        'confidential' as ClientType, gen_random_uuid() as ConcurrencyToken,
-       CASE when "RequireConsent" then 'Explicit' else 'Implicit' end as "ConsentType",
+       case when "RequireConsent" then 'Explicit' else 'Implicit' end as "ConsentType",
        "ClientName" as DisplayName, null as DisplayNames, null as JsonWebKeySet,
        '["ept:authorization","ept:token","ept:introspection","ept:end_session","gt:refresh_token","gt:authorization_code","rst:code","scp:email","scp:profile","scp:roles"]'
            as Permissions,

From e5268050e91d7e6e9680fcb0d7c589b21cbd1cbe Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 2 Mar 2026 20:50:30 +0100
Subject: [PATCH 38/43] Update dependencies

---
 OAuthTest/OAuthTest.csproj                    |  2 +-
 SS14.Auth.Shared/SS14.Auth.Shared.csproj      | 30 +++++++++----------
 SS14.Auth/SS14.Auth.csproj                    |  8 ++---
 .../SS14.ServerHub.Shared.csproj              |  8 ++---
 SS14.ServerHub/SS14.ServerHub.csproj          |  8 ++---
 SS14.Web.Tests/SS14.Web.Tests.csproj          | 10 +++----
 SS14.Web/SS14.Web.csproj                      | 16 +++++-----
 7 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/OAuthTest/OAuthTest.csproj b/OAuthTest/OAuthTest.csproj
index ef43e05..96de6d6 100644
--- a/OAuthTest/OAuthTest.csproj
+++ b/OAuthTest/OAuthTest.csproj
@@ -5,6 +5,6 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.8" />
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="10.0.3" />
     </ItemGroup>
 </Project>
diff --git a/SS14.Auth.Shared/SS14.Auth.Shared.csproj b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
index 477c6a5..2ccb398 100644
--- a/SS14.Auth.Shared/SS14.Auth.Shared.csproj
+++ b/SS14.Auth.Shared/SS14.Auth.Shared.csproj
@@ -7,27 +7,27 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="JetBrains.Annotations" Version="2025.2.0" />
-        <PackageReference Include="MailKit" Version="4.13.0" />
-        <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="9.0.8" />
-        <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="9.0.8" />
-        <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="9.0.8" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.8">
+        <PackageReference Include="JetBrains.Annotations" Version="2025.2.4" />
+        <PackageReference Include="MailKit" Version="4.15.0" />
+        <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.3" />
+        <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="10.0.3" />
+        <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="10.0.3" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.3">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="MimeKit" Version="4.13.0" />
-        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
-        <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="7.0.0" />
-        <PackageReference Include="OpenIddict.EntityFrameworkCore.Models" Version="7.0.0" />
+        <PackageReference Include="MimeKit" Version="4.15.0" />
+        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
+        <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="7.2.0" />
+        <PackageReference Include="OpenIddict.EntityFrameworkCore.Models" Version="7.2.0" />
         <PackageReference Include="Robust.Shared.AuthLib" Version="0.1.2" />
-        <PackageReference Include="Serilog" Version="4.3.0" />
-        <PackageReference Include="Serilog.AspNetCore" Version="9.0.0" />
-        <PackageReference Include="Serilog.Settings.Configuration" Version="9.0.0" />
-        <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
+        <PackageReference Include="Serilog" Version="4.3.1" />
+        <PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
+        <PackageReference Include="Serilog.Settings.Configuration" Version="10.0.0" />
+        <PackageReference Include="Serilog.Sinks.Console" Version="6.1.1" />
         <PackageReference Include="Serilog.Sinks.Loki" Version="3.0.1-beta1" />
         <PackageReference Include="Dapper" Version="2.1.66" />
-        <PackageReference Include="Microsoft.Data.Sqlite" Version="9.0.8" />
+        <PackageReference Include="Microsoft.Data.Sqlite" Version="10.0.3" />
     </ItemGroup>
 
     <ItemGroup>
diff --git a/SS14.Auth/SS14.Auth.csproj b/SS14.Auth/SS14.Auth.csproj
index 3f3c372..1f35664 100644
--- a/SS14.Auth/SS14.Auth.csproj
+++ b/SS14.Auth/SS14.Auth.csproj
@@ -10,13 +10,13 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
+        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="10.0.3" />
         <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
         <PackageReference Include="prometheus-net" Version="8.2.1" />
         <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
-        <PackageReference Include="Quartz" Version="3.15.0" />
-        <PackageReference Include="Quartz.Extensions.DependencyInjection" Version="3.15.0" />
-        <PackageReference Include="Quartz.Extensions.Hosting" Version="3.15.0" />
+        <PackageReference Include="Quartz" Version="3.16.0" />
+        <PackageReference Include="Quartz.Extensions.DependencyInjection" Version="3.16.0" />
+        <PackageReference Include="Quartz.Extensions.Hosting" Version="3.16.0" />
     </ItemGroup>
 
 
diff --git a/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj b/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
index 73fc0ad..f0b1ed9 100644
--- a/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
+++ b/SS14.ServerHub.Shared/SS14.ServerHub.Shared.csproj
@@ -10,13 +10,13 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="JetBrains.Annotations" Version="2025.2.0" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.8" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.8">
+        <PackageReference Include="JetBrains.Annotations" Version="2025.2.4" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.3" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.3">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
+        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
         <PackageReference Include="DnsClient" Version="1.8.0" />
     </ItemGroup>
 
diff --git a/SS14.ServerHub/SS14.ServerHub.csproj b/SS14.ServerHub/SS14.ServerHub.csproj
index 6883bf6..abe0270 100644
--- a/SS14.ServerHub/SS14.ServerHub.csproj
+++ b/SS14.ServerHub/SS14.ServerHub.csproj
@@ -6,13 +6,13 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.8" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.8">
+        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.3" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.3">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
-        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
+        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="10.0.3" />
+        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
         <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
         <PackageReference Include="prometheus-net" Version="8.2.1" />
         <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
diff --git a/SS14.Web.Tests/SS14.Web.Tests.csproj b/SS14.Web.Tests/SS14.Web.Tests.csproj
index 4e09f63..28007e7 100644
--- a/SS14.Web.Tests/SS14.Web.Tests.csproj
+++ b/SS14.Web.Tests/SS14.Web.Tests.csproj
@@ -7,14 +7,14 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
-        <PackageReference Include="NUnit" Version="4.4.0" />
-        <PackageReference Include="NUnit3TestAdapter" Version="5.1.0" />
-        <PackageReference Include="coverlet.collector" Version="6.0.4">
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
+        <PackageReference Include="NUnit" Version="4.5.0" />
+        <PackageReference Include="NUnit3TestAdapter" Version="6.1.0" />
+        <PackageReference Include="coverlet.collector" Version="8.0.0">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="NUnit.Analyzers" Version="4.10.0">
+        <PackageReference Include="NUnit.Analyzers" Version="4.11.2">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
diff --git a/SS14.Web/SS14.Web.csproj b/SS14.Web/SS14.Web.csproj
index d6628e1..5530677 100644
--- a/SS14.Web/SS14.Web.csproj
+++ b/SS14.Web/SS14.Web.csproj
@@ -5,20 +5,20 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="AspNet.Security.OAuth.Patreon" Version="9.4.0" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.8">
+        <PackageReference Include="AspNet.Security.OAuth.Patreon" Version="10.0.0" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.3">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="9.0.8" />
+        <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="10.0.3" />
         <PackageReference Include="NetEscapades.Configuration.Yaml" Version="3.1.0" />
-        <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" Condition="'$(Configuration)' == 'Debug'" />
-        <PackageReference Include="OpenIddict.AspNetCore" Version="7.0.0" />
-        <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="7.0.0" />
-        <PackageReference Include="OpenIddict.Quartz" Version="7.0.0" />
+        <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="10.0.2" Condition="'$(Configuration)' == 'Debug'" />
+        <PackageReference Include="OpenIddict.AspNetCore" Version="7.2.0" />
+        <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="7.2.0" />
+        <PackageReference Include="OpenIddict.Quartz" Version="7.2.0" />
         <PackageReference Include="prometheus-net" Version="8.2.1" />
         <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
-        <PackageReference Include="Quartz.Extensions.Hosting" Version="3.14.0" />
+        <PackageReference Include="Quartz.Extensions.Hosting" Version="3.16.0" />
     </ItemGroup>
 
     <ItemGroup>

From b015ccccbddf1e227d7e716bab1ad13b49075902 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 2 Mar 2026 21:02:25 +0100
Subject: [PATCH 39/43] Set openiddict logging to warning outside of
 development

---
 SS14.Web/appsettings.Development.yml | 7 +++++++
 SS14.Web/appsettings.yml             | 1 +
 2 files changed, 8 insertions(+)

diff --git a/SS14.Web/appsettings.Development.yml b/SS14.Web/appsettings.Development.yml
index 872ffa2..23a0059 100644
--- a/SS14.Web/appsettings.Development.yml
+++ b/SS14.Web/appsettings.Development.yml
@@ -1,3 +1,10 @@
+Serilog:
+  Using: [ "Serilog.Sinks.Console", "Serilog.Sinks.Loki" ]
+  MinimumLevel:
+    Override:
+      OpenIddict: Information
+
+
 ConnectionStrings:
   DefaultConnection: "Server=127.0.0.1;Port=5432;Database=ss14-auth-test"
 
diff --git a/SS14.Web/appsettings.yml b/SS14.Web/appsettings.yml
index b5f575d..33da208 100644
--- a/SS14.Web/appsettings.yml
+++ b/SS14.Web/appsettings.yml
@@ -7,6 +7,7 @@ Serilog:
       Microsoft: "Warning"
       Microsoft.Hosting.Lifetime: "Information"
       Microsoft.AspNetCore: Warning
+      OpenIddict: Warning
 
   WriteTo:
     - Name: Console

From 0d4b82c170d8314efbc74baf156be835413c8648 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Mon, 2 Mar 2026 21:22:54 +0100
Subject: [PATCH 40/43] Add configuration setting for enabling test data
 seeding

---
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs | 4 +++-
 SS14.Web/OpenId/TestDataSeeder.cs             | 2 --
 SS14.Web/appsettings.Development.yml          | 2 ++
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index 459243e..6a40044 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -38,10 +38,12 @@ public static void AddOpenIdConnect(this WebApplicationBuilder builder)
         ConfigureCertificates(openId, builder);
 
         builder.Services.AddScoped<SpaceApplicationManager>();
-        builder.Services.AddHostedService<TestDataSeeder>();
         builder.Services.AddScoped<IdentityClaimsProvider>();
         builder.Services.AddScoped<SignedInIdentityService>();
         builder.Services.AddScoped<OpenIdActionService>();
+
+        if (builder.Configuration.GetValue("SeedTestData", false))
+            builder.Services.AddHostedService<TestDataSeeder>();
     }
 
     private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicationBuilder builder)
diff --git a/SS14.Web/OpenId/TestDataSeeder.cs b/SS14.Web/OpenId/TestDataSeeder.cs
index d3505a1..9efc318 100644
--- a/SS14.Web/OpenId/TestDataSeeder.cs
+++ b/SS14.Web/OpenId/TestDataSeeder.cs
@@ -11,7 +11,6 @@
 
 namespace SS14.Web.OpenId;
 
-// TODO: Remove after development
 public sealed class TestDataSeeder(IServiceProvider serviceProvider) : IHostedService
 {
     public async Task StartAsync(CancellationToken ct)
@@ -95,7 +94,6 @@ private async ValueTask PopulateUsersAsync(IServiceScope scope)
             EmailConfirmed = true,
         };
 
-
         // Logging throws an invalid operation exception if an account gets created by something like an I Hosted service
         // for seeding data. Throwing here doesn't prevent creating the account so it gets logged as an error instead
         // TODO: Ask if I can make the GetActorIP method log an error instead of throwing instead
diff --git a/SS14.Web/appsettings.Development.yml b/SS14.Web/appsettings.Development.yml
index 23a0059..2c7ed98 100644
--- a/SS14.Web/appsettings.Development.yml
+++ b/SS14.Web/appsettings.Development.yml
@@ -9,3 +9,5 @@ ConnectionStrings:
   DefaultConnection: "Server=127.0.0.1;Port=5432;Database=ss14-auth-test"
 
 urls: "https://localhost:5001"
+
+SeedTestData: true

From ca94bd03e4fe657f66dde53ac3e2b3462f885106 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Thu, 5 Mar 2026 00:48:02 +0100
Subject: [PATCH 41/43] Remove unimplemented and unused methods

---
 SS14.Web/OpenId/Extensions/OpenIdExtension.cs | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
index 6a40044..3423bdc 100644
--- a/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
+++ b/SS14.Web/OpenId/Extensions/OpenIdExtension.cs
@@ -96,14 +96,4 @@ private static void ConfigureCertificates(OpenIddictBuilder openId, WebApplicati
             }
         }
     }
-
-    private static void AddCertificate(OpenIddictBuilder openId, FileStream cert, string password)
-    {
-
-    }
-
-    private static void AddCertificate(OpenIddictBuilder openId, FileStream cert, string password, string algorithm)
-    {
-
-    }
 }

From 75dc50d9caa0c9be049f4152f797cfc99b4de9a2 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Thu, 5 Mar 2026 00:50:32 +0100
Subject: [PATCH 42/43] Add documentation comments for OpenIdActionService

---
 .../OpenId/Services/OpenIdActionService.cs    | 29 ++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/SS14.Web/OpenId/Services/OpenIdActionService.cs b/SS14.Web/OpenId/Services/OpenIdActionService.cs
index 080efe2..e02b7b0 100644
--- a/SS14.Web/OpenId/Services/OpenIdActionService.cs
+++ b/SS14.Web/OpenId/Services/OpenIdActionService.cs
@@ -19,10 +19,12 @@
 
 namespace SS14.Web.OpenId.Services;
 
+/**
+ * Handles all the OpenIddict action plumbing. Used inside the consent page.
+ */
 public class OpenIdActionService
 {
     public const string ApplicationNotFoundError = "application_not_found";
-    private const string IgnoreChallengeKey = "IgnoreAuthenticationChallenge";
 
     private readonly SignedInIdentityService _signedInIdentity;
     private readonly IdentityClaimsProvider _claimsProvider;
@@ -46,6 +48,18 @@ public OpenIdActionService(SignedInIdentityService signedInIdentity,
         _scopeManager = scopeManager;
     }
 
+    /// <summary>
+    /// Validates the current authentication state for an OpenID Connect request and determines whether
+    /// the request can continue, must fail silently, or requires an interactive authentication challenge.
+    /// </summary>
+    /// <param name="context">The current HTTP context.</param>
+    /// <param name="ignoreChallenge">Whether to ignore the challenge. Set when the user was redirected already to prevent redirection loops.</param>
+    /// <param name="auth">The authentication result for the current request.</param>
+    /// <param name="request">The OpenIddict request (e.g., prompt/max_age).</param>
+    /// <returns>
+    /// A successful result when authentication is enough. Otherwise, a failure describing either
+    /// a login requirement (e.g., <c>prompt=none</c>) or a challenge with redirect properties.
+    /// </returns>
     public Result<Void, AuthenticationValidationFailure> ValidateOpenIdAuthentication(
         HttpContext context,
         bool ignoreChallenge,
@@ -73,6 +87,13 @@ public Result<Void, AuthenticationValidationFailure> ValidateOpenIdAuthenticatio
         return Result<Void, AuthenticationValidationFailure>.Failure(AuthenticationValidationFailure.Challenge(properties));
     }
 
+    /// <summary>
+    /// Processes an authorization request and decides whether to sign in immediately, require user consent,
+    /// or deny the request based on the application's consent type, prompt values, and existing authorizations.
+    /// </summary>
+    /// <param name="request">The OpenIddict authorization request.</param>
+    /// <param name="scopes">The requested scopes.</param>
+    /// <returns>An <see cref="AuthorizationResult"/> representing SignIn/Consent/Forbidden/Error.</returns>
     public async Task<AuthorizationResult> AuthorizeActionAsync(OpenIddictRequest request, ImmutableArray<string> scopes)
     {
         var application = await _applicationManager.FindByClientIdAsync(request.ClientId!);
@@ -114,6 +135,12 @@ ConsentTypes.Explicit or ConsentTypes.Systematic when request.HasPromptValue(Pro
         };
     }
 
+    /// <summary>
+    /// Accepts the consent decision and returns a sign-in result containing an authorized principal for token issuance.
+    /// </summary>
+    /// <param name="request">The OpenIddict authorization request.</param>
+    /// <param name="scopes">The approved scopes.</param>
+    /// <returns>A <see cref="ConsentResult"/> representing SignIn/Forbid/Error.</returns>
     public async Task<ConsentResult> AcceptActionAsync(OpenIddictRequest request, ImmutableArray<string> scopes)
     {
         var application = await _applicationManager.FindByClientIdAsync(request.ClientId!);

From 318f746422ebd4defb80261d4947f005386a88b4 Mon Sep 17 00:00:00 2001
From: juliangiebel <juliangiebel@live.de>
Date: Thu, 5 Mar 2026 00:55:31 +0100
Subject: [PATCH 43/43] Add rewrite rule for connect/authorize

This is necessary to keep the endpoint path that's been used previously while having the authorize logic inside the consent page.
That avoids having to haul around the auth request data between redirects (which would be annoying to implement at this point)
---
 SS14.Web/Program.cs      | 8 ++++++--
 SS14.Web/appsettings.yml | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/SS14.Web/Program.cs b/SS14.Web/Program.cs
index a0126c2..dd930ad 100644
--- a/SS14.Web/Program.cs
+++ b/SS14.Web/Program.cs
@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Rewrite;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -11,7 +12,6 @@
 using Quartz;
 using Serilog;
 using SS14.Auth.Shared;
-using SS14.Auth.Shared.Data;
 using SS14.ServerHub.Shared.Data;
 using SS14.Web;
 using SS14.Web.Data;
@@ -19,7 +19,6 @@
 using SS14.Web.HCaptcha;
 using SS14.Web.OpenId.Extensions;
 using SS14.WebEverythingShared;
-using static SS14.Auth.Shared.Data.OpeniddictDefaultTypes;
 
 var builder = WebApplication.CreateBuilder();
 
@@ -147,4 +146,9 @@
 app.MapRazorPages();
 app.MapMetrics();
 
+var options = new RewriteOptions()
+    .AddRewrite("^connect/authorize", "/Identity/Account/Consent", skipRemainingRules: true);
+
+app.UseRewriter(options);
+
 app.Run();
diff --git a/SS14.Web/appsettings.yml b/SS14.Web/appsettings.yml
index 33da208..6e18bc7 100644
--- a/SS14.Web/appsettings.yml
+++ b/SS14.Web/appsettings.yml
@@ -31,7 +31,7 @@ Account:
 
 OpenId:
   Server:
-    AuthorizationEndpointUris: [ Identity/Account/Consent ]
+    AuthorizationEndpointUris: [ connect/authorize, Identity/Account/Consent ]
     TokenEndpointUris: [ connect/token ]
     EndSessionEndpointUris: [ connect/endsession ]
     UserInfoEndpointUris: [ connect/userinfo ]