IdentityServer4 - ApiResource and Client, how are they tied together

I am trying to determine how ApiResource and Client are tied together.

How do I go about ensuring that someone requesting a token from a Client for a particular ApiResource has access to that ApiResource?

Are they tied together by Scopes?

Here is some slightly modified code from a QuickStart:

using System.Collections.Generic;
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            // the resource name is the audience of tokens issued for its scopes
            new ApiResource("api1Resource", "My API")
            {
                Scopes =
                {
                    new Scope("api1"),
                    new Scope("api1.ro"),
                    // offline_access is IdentityServer's built-in refresh-token scope,
                    // controlled per client by AllowOfflineAccess
                    new Scope("offline_access")
                },
                UserClaims = { "role", "user" }
            }
        };
    }

    // clients want to access resources (aka scopes)
    public static IEnumerable<Client> GetClients()
    {
        // client credentials client, for APIs
        return new List<Client>
        {
            new Client
            {
                ClientId = "apiClient",
                AllowedGrantTypes = GrantTypes.ClientCredentials,

                ClientSecrets =
                {
                    // Secret that can be created and given to ITSM_API
                    new Secret("secret".Sha512(), "ITSM_API Secret")
                },
                AllowedScopes = { "api1", "api1.ro", "offline_access" }
            },

            // resource owner password grant client, for interactive users
            new Client
            {
                ClientId = "userClient",
                // offline_access is a scope, not a grant type; refresh tokens are
                // enabled by AllowOfflineAccess below
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                ClientSecrets =
                {
                    new Secret("secret".Sha512(), "userClient Secret")
                },
                UpdateAccessTokenClaimsOnRefresh = true,
                AllowedScopes = { "api1", "api1.ro", "offline_access" },
                AbsoluteRefreshTokenLifetime = 86400,
                AllowOfflineAccess = true,
                RefreshTokenUsage = TokenUsage.ReUse
            }
        };
    }
}
blgrnboy asked May 23 '17 22:05
1 Answer

Having a read of this article might help ... https://leastprivilege.com/2016/12/01/new-in-identityserver4-resource-based-configuration/. Prior to this there were no resources, just scopes. The abstract nature of scopes meant things weren't always obvious, so resources were invented.

So where you are currently specifying your Client > AllowedScopes you could just refer to your resource rather than repeating the scopes you've defined within your resource. https://identityserver4.readthedocs.io/en/release/reference/api_resource.html

Mashton answered Sep 23 '22 20:09
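As an added illustration of the point in the answer (this is example code, not part of the question, the answer or the IdentityServer4 project), the following shows that the only link between a Client and an ApiResource is the scope name: the client lists scope names in AllowedScopes, the resource defines them, and the name of the resource that defines a granted scope becomes the audience of the token. It assumes the IdentityServer4 v2-era model used in the question, where ApiResource.Scopes holds Scope objects. The Resolve method, the billingResource / billing.write names and the single apiClient are constructed for this example; Resolve is a model of the two checks the token endpoint performs, not IdentityServer's own validator.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using IdentityServer4.Models;

// Added illustration: a Client and an ApiResource are tied together only by scope names.
// Resolve() is a constructed model of the validation, not IdentityServer's code.
public static class ScopeTieExample
{
    public static IEnumerable<ApiResource> GetApiResources() => new List<ApiResource>
    {
        // The constructor also registers a scope named after the resource itself, so a
        // client can list "api1Resource" in AllowedScopes to refer to the whole API.
        // The resource name is what ends up in the token's "aud" claim.
        new ApiResource("api1Resource", "My API")
        {
            Scopes = { new Scope("api1"), new Scope("api1.ro") },
            UserClaims = { "role" }
        },
        // Constructed second resource that the client below is never allowed to reach.
        new ApiResource("billingResource", "Billing API")
        {
            Scopes = { new Scope("billing.write") }
        }
    };

    public static IEnumerable<Client> GetClients() => new List<Client>
    {
        new Client
        {
            ClientId = "apiClient",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("secret".Sha256()) },
            // Only these scope names can ever be granted to this client.
            AllowedScopes = { "api1.ro" }
        }
    };

    // Constructed model of the validation: every requested scope must be
    // (1) in Client.AllowedScopes and (2) defined by some ApiResource. The names of
    // the resources that define the granted scopes become the token audiences.
    public static (bool Ok, string Reason, string[] Audiences) Resolve(
        Client client, IEnumerable<ApiResource> resources, IEnumerable<string> requestedScopes)
    {
        var requested = requestedScopes.ToList();

        var notAllowed = requested.Where(s => !client.AllowedScopes.Contains(s)).ToList();
        if (notAllowed.Any())
            return (false, $"client '{client.ClientId}' may not request: {string.Join(", ", notAllowed)}", Array.Empty<string>());

        // scope name -> name of the ApiResource that defines it
        // (scope names must be unique across resources, so ToDictionary is safe)
        var scopeToResource = resources
            .SelectMany(r => r.Scopes.Select(s => (Scope: s.Name, Resource: r.Name)))
            .ToDictionary(x => x.Scope, x => x.Resource);

        var unknown = requested.Where(s => !scopeToResource.ContainsKey(s)).ToList();
        if (unknown.Any())
            return (false, $"no ApiResource defines: {string.Join(", ", unknown)}", Array.Empty<string>());

        var audiences = requested.Select(s => scopeToResource[s]).Distinct().ToArray();
        return (true, "ok", audiences);
    }

    public static void Main()
    {
        var resources = GetApiResources().ToList();
        var client = GetClients().Single();

        foreach (var request in new[] { new[] { "api1.ro" }, new[] { "api1" }, new[] { "billing.write" } })
        {
            var (ok, reason, audiences) = Resolve(client, resources, request);
            var label = string.Join(" ", request);
            Console.WriteLine(ok
                ? $"{label}: granted, aud = {string.Join(",", audiences)}"
                : $"{label}: rejected ({reason})");
        }
    }
}
```

Running Main walks three requests from apiClient: "api1.ro" is granted with api1Resource as the audience, while "api1" and "billing.write" are rejected at the first check because they are not in the client's AllowedScopes, even though api1Resource does define "api1". That is the whole tie: the client's AllowedScopes restricts what may be asked for, the resource definitions decide which audience the granted scopes map to, and the API itself must then check that audience (the ApiName it validates tokens against) rather than trusting any token the server issued.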