Reputation: 5157
I am trying to determine how ApiResource and Client are tied together.
How do I go about ensuring that someone requesting a token from a Client for a particular ApiResource has access to that ApiResource?
Are they tied together by Scopes?
Here is some slightly modified code from a QuickStart:
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    // The ApiResource is the resource server as a whole; its Scopes are what a
    // client may ask for, and the resource name ends up in the "aud" claim of any
    // access token that carries one of those scopes.
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1Resource", "My API")
            {
                Scopes =
                {
                    new Scope("api1"),
                    new Scope("api1.ro")
                    // "offline_access" is not an API scope: it is the standard OIDC scope
                    // that requests a refresh token and is enabled per client with
                    // AllowOfflineAccess, so it does not belong in an ApiResource.
                },
                UserClaims = { "role", "user" }
            }
        };
    }

    // Clients want to access resources (aka scopes). A client can only request
    // scopes listed in its AllowedScopes; that list is what ties it to a resource.
    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            // client credentials client, for APIs (machine to machine: no user and no refresh token)
            new Client
            {
                ClientId = "apiClient",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets =
                {
                    // Secret that can be created and given to ITSM_API
                    new Secret("secret".Sha512(), "ITSM_API Secret")
                },
                AllowedScopes = { "api1", "api1.ro" }
            },
            // resource owner password grant client, for interactive users
            new Client
            {
                ClientId = "userClient",
                // "offline_access" is a scope, not a grant type; refresh tokens are
                // switched on with AllowOfflineAccess below.
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                ClientSecrets =
                {
                    new Secret("secret".Sha512(), "userClient Secret")
                },
                UpdateAccessTokenClaimsOnRefresh = true,
                AllowedScopes = { "api1", "api1.ro" },
                // Lets this client request the offline_access scope and receive a refresh token.
                AllowOfflineAccess = true,
                AbsoluteRefreshTokenLifetime = 86400,
                RefreshTokenUsage = TokenUsage.ReUse
            }
        };
    }
}
Upvotes: 18
Views: 9204
Reputation: 6415
Having a read of this article might help ... https://leastprivilege.com/2016/12/01/new-in-identityserver4-resource-based-configuration/. Prior to this there were no resources, just scopes. The abstract nature of scopes meant things weren't always obvious, so resources were invented.
So where you are currently specifying your Client > AllowedScopes, you could just refer to your resource rather than repeating the scopes you've defined within your resource. https://identityserver4.readthedocs.io/en/release/reference/api_resource.html
Upvotes: 3
Reputation: 4396
The Scopes are resources you provide with your resource server. For example, if you had a Calendar resource server your Scopes would be calendarentry, read.calendarentry, create.calendarentry. So basically things your users can do on your server.
The API Resource is your resource server as a whole. The Client (the one getting the access_token), requests the scope it needs, and the user grants the rights to the Client.
The Scopes get put into the access_token, and when your resource server receives the access_token, you need to check if the user (which is identified by the access_token) is allowed to access the scope requested. (This can be done beforehand on the IdentityServer). You can for example check with your user database on login if the user has access to the API Resources you defined. The IdentityServer is very configurable to suit almost every setup.
Upvotes: 0
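To make the chain both answers describe concrete: the client asks for a scope, IdentityServer checks it against Client.AllowedScopes and looks up the ApiResource that owns that scope, and the access token it issues carries the resource name in the "aud" claim plus one "scope" claim per granted scope. The enforcement then happens on the resource server. The following is an added example written for this page (it is not code from the question, the answers or the IdentityServer4 project) showing that enforcement for an ASP.NET Core 2.x API using the IdentityServer4.AccessTokenValidation package of the same era as the question's config. The authority URL, the route and the policy names are assumptions; the resource name api1Resource and the scopes api1 / api1.ro are taken from the question.

```csharp
// Added example: resource-server side of the ApiResource <-> Client relationship.
// Assumes ASP.NET Core 2.x, IdentityServer4.AccessTokenValidation, and an
// IdentityServer running at the (assumed) authority URL below.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvcCore()
            .AddAuthorization()
            .AddJsonFormatters();

        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5000"; // assumed IdentityServer address
                options.RequireHttpsMetadata = true;

                // ApiName must equal the ApiResource name from the question's config.
                // The handler rejects any token whose "aud" claim does not contain it,
                // so a token issued for a different ApiResource is refused here even if
                // that resource happens to define a scope with the same name.
                options.ApiName = "api1Resource";
            });

        services.AddAuthorization(options =>
        {
            // "scope" claims are exactly the scopes the client was allowed to request
            // (Client.AllowedScopes) and did request. Read access is granted for either
            // the read-only scope or the full scope; writes need the full scope.
            options.AddPolicy("Api1Read", policy => policy.RequireClaim("scope", "api1.ro", "api1"));
            options.AddPolicy("Api1Write", policy => policy.RequireClaim("scope", "api1"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so the policies above see the token's claims.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Assumed controller: demonstrates the two policies on a read and a write endpoint.
[Route("api1/items")]
public class ItemsController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "Api1Read")]
    public IActionResult List()
    {
        // A token for userClient or apiClient with scope api1 or api1.ro reaches this point.
        return Ok(new[] { "item-1", "item-2" });
    }

    [HttpPost]
    [Authorize(Policy = "Api1Write")]
    public IActionResult Create()
    {
        // A token carrying only api1.ro is rejected with 403 before this runs.
        return Ok();
    }
}
```

A token for apiClient requested with scope=api1.ro therefore passes the audience check (aud contains api1Resource), passes Api1Read, and fails Api1Write; a token minted for some other ApiResource fails at AddIdentityServerAuthentication regardless of its scopes. That audience plus scope pair is the answer to the question: the Client is tied to the ApiResource through the scopes it is allowed to request, and the resource server verifies both halves.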