From 2c5e0095846a4a4afdf147809d92e3365aa981d0 Mon Sep 17 00:00:00 2001
From: Gehongyan <gehongyan1996@126.com>
Date: Tue, 16 Dec 2025 11:27:56 +0800
Subject: [PATCH] Add public scope for client credentials only when no scope is
 explicitly specified

Signed-off-by: Gehongyan <gehongyan1996@126.com>
---
 .../OpenIddictClientWebIntegrationHandlers.cs             | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index 43dbffd6..c5cbf6db 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -647,13 +647,13 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                 throw new ArgumentNullException(nameof(context));
             }
 
-            // osu! requires that the scope must be "public" for client credentials
-            // grant, as other scopes have no meaningful effect.
+            // osu! requires at least one scope to be set for client credentials grant, as tokens without
+            // scopes are not valid. If no scope is explicitly specified, use the default value `public`.
             if (context.GrantType is GrantTypes.ClientCredentials &&
-                context.Registration.ProviderType is ProviderTypes.Osu)
+                context.Registration.ProviderType is ProviderTypes.Osu &&
+                context.Scopes.Count is 0)
             {
                 context.Scopes.Add("public");
-                // TODO: how does user code add custom scopes here?
             }
 
             return ValueTask.CompletedTask;