Reputation: 522
Planning to setup one IdentityServer and have it configured for multiple resources like:
internal static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource()
        {
            Name = "API 1",
            DisplayName = "API 1",
            Description = "API 1 Access",
            Scopes = new List<Scope>()
            {
                new Scope("public"), new Scope("write")
            }
        },
        new ApiResource
        {
            Name = "API 2",
            DisplayName = "API 2",
            Description = "API 2 Access",
            Scopes = new List<Scope>
            {
                new Scope("public"), new Scope("write")
            }
        }
    };
}
then Client 1 will have access to API 1 only and Client 2 will have access to API 2 only. Both clients will have the public scope.
Would something like the above work, or should I change the names of the scopes and make them unique for each API resource?
Is using 1 Identity/Authorization Server for multiple APIs a bad idea?
Upvotes: 1
Views: 1179
Reputation: 5010
The major problem with this design is that client 1 and client 2 will both have the same scope(s) in their bearer tokens, i.e. both clients will have access to either API resource. You could "namespace" your scopes by API by doing something like this:
internal static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource()
        {
            Name = "API 1",
            DisplayName = "API 1",
            Description = "API 1 Access",
            Scopes = new List<Scope>()
            {
                new Scope("api1.public"), new Scope("api1.write")
            }
        },
        new ApiResource
        {
            Name = "API 2",
            DisplayName = "API 2",
            Description = "API 2 Access",
            Scopes = new List<Scope>
            {
                new Scope("api2.public"), new Scope("api2.write")
            }
        }
    };
}
That being said, there is nothing wrong with using 1 authorization server for a multitude of APIs/resources. Using 1 authorization server for a multitude of APIs is one of the strengths of separating your authorization concerns out to the identity server.
Upvotes: 2
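An added example (not code from the question or the answer) of how the namespaced scopes from the answer are wired end to end in IdentityServer4: each client is only allowed to request its own API's scopes, and API 1 checks both the token audience (the ApiResource name "API 1") and the API-specific scope before allowing writes. The client ids, secrets, authority URL and policy name are assumed placeholders.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

// Identity server side: each client may only request its own API's namespaced scopes,
// so "api1.write" can never be issued in client2's token.
internal static class Clients
{
    internal static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "client1",                                         // assumed
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("client1-secret".Sha256()) },   // assumed
                AllowedScopes = { "api1.public", "api1.write" }
            },
            new Client
            {
                ClientId = "client2",                                         // assumed
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("client2-secret".Sha256()) },   // assumed
                AllowedScopes = { "api2.public", "api2.write" }
            }
        };
    }
}

// API 1 side (ASP.NET Core ConfigureServices, IdentityServer4.AccessTokenValidation):
// the token's "aud" must contain this API's resource name, and write endpoints require
// the API-specific scope, so a token minted for API 2 is rejected even if it carries a write scope.
internal static class Api1Auth
{
    internal static void Configure(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://identityserver.example"; // assumed
                options.ApiName = "API 1"; // ApiResource.Name from the answer above
            });
        services.AddAuthorization(options =>
        {
            // use with [Authorize(Policy = "Api1Write")] on write endpoints
            options.AddPolicy("Api1Write", policy => policy.RequireClaim("scope", "api1.write"));
        });
    }
}
```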