IdentityServer4 token issuer and consumer in the same project

I have a project that hosts the IdentityServer4 and I am attempting to also host in the same project a Web API, which accepts the access-token.

My question is, is it possible that a single project contains the IdentityServer and a Web API that consumes the same IdentityServer?

EDIT: The API must be secured with the Authorize attribute

Bug asked Apr 04 '18 06:04


2 Answers

I have an IdentityServer4 project; in the same project there is an API for CRUD of the clients. (Let's call it the developer console API.)

I then have a side project, which is an ASP.NET Core project that contains the actual Razor pages for the developer console; it accesses the API within the IdentityServer project.

The reason I did it this way is that only one project should be updating the database. So to update the database owned by the IdentityServer, it was decided that the API for accessing it should also be within the same project.

Yes, you can have a web API from within your IdentityServer4 project.

Configure service

services.AddAuthentication(IdentityServerConstants.DefaultCookieAuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        // base-address of your identityserver
        options.Authority = settingsSetup.Settings.Authority;
        // name of the API resource
        options.ApiName = "testapi";
        options.RequireHttpsMetadata = false;
    });

Configure

I think it needs to have both of these.

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
app.UseAuthentication();
app.UseIdentityServer();

Endpoints

Because the requests are sent using the access token as a bearer token, the Authorize attribute for each of the API calls needs to include the AuthenticationSchemes. I haven't exactly figured out why, but without this it doesn't work.

[HttpGet("Client/List")]
[Authorize(AuthenticationSchemes = "Bearer")]
public ActionResult ClientList()
{
    // Placeholder body so the action compiles; return the client list here.
    return Ok();
}
DaImTo answered Sep 22 '22 19:09
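A sketch of the same single-project setup with the bearer scheme bound once in an authorization policy, since the default scheme registered above is the IdentityServer cookie and a bare [Authorize] evaluates that scheme rather than the bearer handler; this is an added example, not code from either answer. The client id, secret, authority URL and policy name are assumptions made for illustration.

```csharp
using IdentityServer4;
using IdentityServer4.AccessTokenValidation;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        // Token issuer. The in-memory values are constructed for this example.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()                  // development only
            .AddInMemoryApiResources(new[] { new ApiResource("testapi") })
            .AddInMemoryClients(new[] { new Client {
                ClientId = "console",                         // hypothetical client
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("example-secret".Sha256()) },
                AllowedScopes = { "testapi" } } });
        // Token consumer. The default scheme stays the IdentityServer cookie,
        // so the bearer handler only runs when a policy or attribute names it.
        services.AddAuthentication(IdentityServerConstants.DefaultCookieAuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5001"; // assumed base address of this app
                options.ApiName = "testapi";                  // RequireHttpsMetadata left at its default
            });
        // One policy carries the scheme instead of repeating it on every action.
        services.AddAuthorization(options => options.AddPolicy("ApiBearer", policy =>
        {
            policy.AddAuthenticationSchemes(IdentityServerAuthenticationDefaults.AuthenticationScheme);
            policy.RequireAuthenticatedUser();
        }));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseIdentityServer();
        app.UseMvc();
    }
}

[Authorize(Policy = "ApiBearer")] // applies to every action: bearer token required
public class ClientController : Controller
{
    [HttpGet("Client/List")]
    public IActionResult ClientList() => Ok(new[] { "console" });
}
```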


While @DaImTo's answer is correct and working, and it's developed by the IdentityServer team, it uses the Introspection Endpoint, which means that for every request AddIdentityServerAuthentication will create an HTTP request and send it to your server, which is the same app.

I developed a library called IdentityServer4.Contrib.LocalAccessTokenValidation which does the exact same thing but without using the Introspection Endpoint. It will authenticate the token directly from the TokenStore which is configured in Services. You can use it if you are interested.

nuget link : https://www.nuget.org/packages/IdentityServer4.Contrib.LocalAccessTokenValidation

github link : https://github.com/Kahbazi/IdentityServer4.Contrib.LocalAccessTokenValidation

Kahbazi answered Sep 26 '22 19:09