Updated auth for phishing domain endpoints to either require api, or licensing claims to support both web and browser clients, and selfhost api clients

src/Api/Controllers/PhishingDomainsController.cs

@@ -5,7 +5,7 @@ using Microsoft.AspNetCore.Mvc;
 namespace Bit.Api.Controllers;
 
 [Route("phishing-domains")]
-[Authorize("Application")]
+[Authorize("PhishingDomains")]
 public class PhishingDomainsController(IPhishingDomainRepository phishingDomainRepository) : Controller
 {
     [HttpGet]

src/Api/Startup.cs

@@ -143,6 +143,14 @@ public class Startup
                     (c.Value.Contains(ApiScopes.Api) || c.Value.Contains(ApiScopes.ApiSecrets))
                 ));
             });
+            config.AddPolicy("PhishingDomains", policy =>
+            {
+                policy.RequireAuthenticatedUser();
+                policy.RequireAssertion(ctx => 
+                    ctx.User.HasClaim(c => c.Type == JwtClaimTypes.Scope && 
+                        (c.Value == ApiScopes.ApiLicensing || c.Value == ApiScopes.Api))
+                );
+            });
         });
 
         services.AddScoped<AuthenticatorTokenProvider>();

src/Core/PhishingDomainFeatures/CloudPhishingDomainRelayQuery.cs

@@ -21,7 +21,7 @@ public class CloudPhishingDomainRelayQuery : BaseIdentityClientService, ICloudPh
             httpFactory,
             globalSettings.Installation.ApiUri,
             globalSettings.Installation.IdentityUri,
-            "api.installation",
+            "api.licensing",
             $"installation.{globalSettings.Installation.Id}",
             globalSettings.Installation.Key,
             logger)