
fix(openiddict): restore OAuth endpoints in dashboard and swagger #141

Merged: antosubash merged 1 commit into main from claude/fix-oauth-integration-ZjaWO, Apr 30, 2026

@antosubash
Owner

Summary

OAuth was completely broken in the dashboard's TokenTester and in Swagger UI because /connect/authorize, /connect/token, /connect/userinfo, and /connect/endsession were never being mapped — they returned 404.

Root cause

The source generator (framework/SimpleModule.Generator/Emitters/EndpointExtensionsEmitter.cs:35) treats IModule.ConfigureEndpoints as an escape hatch and skips auto-registration of every IEndpoint in the module when it's present:

if (module.Endpoints.Length == 0 || module.HasConfigureEndpoints)
    continue;

OpenIddictModule.ConfigureEndpoints only mapped /oauth-callback, which silently disabled the four Endpoints/Connect/* registrations. Inspecting the generated EndpointExtensions.g.cs confirmed only the manual ConfigureEndpoints call survived for OpenIddict.

Fix

  • Move /oauth-callback to a normal IEndpoint (OAuthCallbackEndpoint) decorated with [AllowAnonymous]. The module has no RoutePrefix, so the generator maps it (and the four connect endpoints) at the app root, exactly as before.
  • Delete ConfigureEndpoints from OpenIddictModule so auto-discovery resumes.
  • Add the roles scope to the Swagger OAuth security definition + requirement so it matches what OpenIddict registers and what the access token contains.
  • Request roles from the dashboard TokenTester for parity.

Verification

Started the host on https://localhost:5001 and confirmed:

| Endpoint | Before | After |
| --- | --- | --- |
| /connect/authorize | 404 (HTML fallback) | 302 redirect to /Identity/Account/Login |
| /connect/token (password grant, valid creds) | 404 | 200 with real access_token JWT |
| /oauth-callback | 200 | 200 |
| /swagger/v1/swagger.json scopes | openid, profile, email | openid, profile, email, roles |

Generated EndpointExtensions.g.cs now contains the expected mappings:

new ...Endpoints.Connect.AuthorizationEndpoint().Map(app);
new ...Endpoints.Connect.LogoutEndpoint().Map(app);
{ var _eg = app.MapGroup(""); _eg.AllowAnonymous(); new ...OAuthCallbackEndpoint().Map(_eg); }
new ...Endpoints.Connect.TokenEndpoint().Map(app);
new ...Endpoints.Connect.UserinfoEndpoint().Map(app);

Test plan

  • dotnet build succeeds with 0 warnings/errors
  • Run the host, open https://localhost:5001/swagger, click Authorize, complete the flow, and confirm a token is acquired
  • Run the host, open the dashboard, click Get Token in TokenTester, log in, and confirm the access token decodes with role claims included
  • Verify /oauth-callback still renders the Inertia page after a successful authorization redirect

Generated by Claude Code
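
A route-table guard for the failure described above, where endpoints silently drop out of the mapping. This is an added example, not part of the PR or of SimpleModule's code. `RouteGuard` and the single `MapGet` that stands in for the pre-fix state are hypothetical, and .NET 8 with the Web SDK is assumed.

```csharp
#nullable enable
// Program.cs in a Microsoft.NET.Sdk.Web project. Added example, not project code.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;

var app = WebApplication.CreateBuilder(args).Build();

// Constructed stand-in for the pre-fix state: only /oauth-callback is mapped,
// as when ConfigureEndpoints suppressed auto-registration of the connect endpoints.
app.MapGet("/oauth-callback", () => Results.Ok());

var missing = RouteGuard.Missing(app, RouteGuard.OAuthRoutes);
Console.WriteLine(missing.Count == 0
    ? "all OAuth routes mapped"
    : "unmapped OAuth routes: " + string.Join(", ", missing));
return missing.Count == 0 ? 0 : 1; // non-zero exit fails a CI step

static class RouteGuard // hypothetical helper name
{
    // Paths taken from the PR description.
    public static readonly string[] OAuthRoutes =
    {
        "/connect/authorize", "/connect/token", "/connect/userinfo",
        "/connect/endsession", "/oauth-callback",
    };

    // Returns the required paths that have no literal route pattern in the
    // endpoint table. It reads the table directly instead of probing over HTTP,
    // so a catch-all fallback route cannot make a missing endpoint look present.
    public static IReadOnlyList<string> Missing(
        IEndpointRouteBuilder routes, IEnumerable<string> required)
    {
        var mapped = routes.DataSources
            .SelectMany(ds => ds.Endpoints)
            .OfType<RouteEndpoint>()
            .Select(e => Normalize(e.RoutePattern.RawText))
            .ToHashSet(StringComparer.OrdinalIgnoreCase);
        return required.Where(r => !mapped.Contains(Normalize(r))).ToList();
    }

    // Compare paths with exactly one leading slash and no trailing slash.
    private static string Normalize(string? raw) =>
        "/" + (raw ?? string.Empty).Trim('/');
}
```

Run as written, it reports the four `/connect/*` paths as unmapped and exits with code 1. Against a real host, call `RouteGuard.Missing` after the generated endpoint mapping has run.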

…ts escape hatch

The source generator skips auto-registration of all IEndpoint implementations
when a module defines ConfigureEndpoints. OpenIddictModule was using
ConfigureEndpoints solely to map /oauth-callback, which silently caused
/connect/authorize, /connect/token, /connect/userinfo, and /connect/endsession
to never be mapped — breaking OAuth in both Swagger and the Dashboard.

- Convert /oauth-callback to a regular IEndpoint with [AllowAnonymous] so the
  generator picks it up alongside the connect endpoints
- Drop ConfigureEndpoints from OpenIddictModule
- Add the roles scope to the Swagger OAuth security definition so the role
  claims requested by the dashboard match what Swagger advertises
- Request the roles scope from the dashboard TokenTester for parity
@cloudflare-workers-and-pages

Deploying simplemodule-website with Cloudflare Pages

Latest commit: 9db6de5
Status: ✅  Deploy successful!
Preview URL: https://77e11489.simplemodule-website.pages.dev
Branch Preview URL: https://claude-fix-oauth-integration.simplemodule-website.pages.dev


@antosubash antosubash marked this pull request as ready for review April 30, 2026 11:19
@antosubash antosubash merged commit a43ff18 into main Apr 30, 2026
6 checks passed
@antosubash antosubash deleted the claude/fix-oauth-integration-ZjaWO branch April 30, 2026 11:20