From b0f656da63818b997c5984f73f8835bfd7d66bef Mon Sep 17 00:00:00 2001
From: Sam <315859133@qq.com>
Date: Fri, 6 Feb 2026 15:50:16 +0800
Subject: [PATCH] fix: remove 'roles' from default scope to prevent 403 error

- Remove 'roles' from default oauthConfig scope
- Roles scope is not registered in OpenIddict
- This was causing 403 Forbidden when requesting access token
---
 apps/web-ele/src/config/oauth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web-ele/src/config/oauth.ts b/apps/web-ele/src/config/oauth.ts
index 6618875..c508d14 100644
--- a/apps/web-ele/src/config/oauth.ts
+++ b/apps/web-ele/src/config/oauth.ts
@@ -2,7 +2,7 @@ export const oauthConfig = {
   clientId: import.meta.env.VITE_OAUTH_CLIENT_ID || 'fengling-console',
   redirectUri: import.meta.env.VITE_OAUTH_REDIRECT_URI || `${window.location.origin}/auth/callback`,
   authUrl: import.meta.env.VITE_AUTH_SERVICE_URL || 'http://localhost:5000',
-  scope: import.meta.env.VITE_OAUTH_SCOPE || 'api offline_access openid profile email roles',
+  scope: import.meta.env.VITE_OAUTH_SCOPE || 'api offline_access openid profile email',
 
   endpoints: {
     authorize: '/connect/authorize',