What are User Claims in IdentityServer4 API Resources vs. API Scopes

I've configured an instance of IdentityServer4 and have successfully configured it as a client for an OIDC provider. I'm now trying to set it up as the OIDC provider for my application. I've followed through the quickstarts and read the documentation, but I'm struggling to find an answer to my specific question.

User claims can be specified in a couple of different places: on the API resource and on the API scopes. What is the difference between specifying a user claim on an API resource vs. on an API scope for that resource?

My understanding of the terminology is that:

  • An API resource represents the API that clients will access, e.g. "the GitHub API", my "data import API"
  • An API scope represents a subset of resources within that API, to which clients can request access, e.g. repo => public and private repositories, import_job:control => start/stop/delete import jobs
  • A user claim is a piece of information about the user, e.g. email => email address

It must make sense to associate user claims with an API resource and/or scope, but I can't make the mental leap to identify why and how. Please provide illustrative examples of these claims and what they represent in the contexts given above: the GitHub API (hypothetically, if there are none actually defined), and a generic batch import API.
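As an added illustration (not code from the question's author), here is how the two placements look in an IdentityServer4 v4 configuration for the batch import API described above. The resource name `import_api`, the scope names `import_job:read` and `import_job:control`, the claim types `email` and `role`, and the `import-dashboard` client are all assumed names for the example. The behaviour it relies on is IdentityServer4's own: `UserClaims` on an `ApiScope` are emitted into the access token only when that scope is granted, while `UserClaims` on an `ApiResource` are emitted whenever any scope belonging to that resource is granted.

```csharp
// Added example (not from the question's author): IdentityServer4 v4 configuration
// showing user claims on an ApiResource versus on individual ApiScopes.
// "import_api", "import_job:*", "email", "role" and the client below are
// illustrative assumptions for the batch import API described in the question.
using System.Collections.Generic;
using IdentityServer4.Models;

public static class Config
{
    // Scopes are what a client asks for. Claims attached to a scope are emitted
    // into the access token only when that particular scope is granted.
    public static IEnumerable<ApiScope> ApiScopes => new List<ApiScope>
    {
        new ApiScope("import_job:read", "Read import job status"),
        new ApiScope("import_job:control", "Start, stop and delete import jobs")
        {
            // The API's authorization check for destructive operations needs the
            // caller's role, so only tokens that carry the control scope get it.
            UserClaims = { "role" }
        }
    };

    // The resource is the API as a whole. Claims attached to the resource are
    // emitted whenever any of its scopes is granted, so every token this API
    // receives contains them, regardless of which scope was requested.
    public static IEnumerable<ApiResource> ApiResources => new List<ApiResource>
    {
        new ApiResource("import_api", "Data import API")
        {
            Scopes = { "import_job:read", "import_job:control" },
            // Used by the API for audit logging on every call.
            UserClaims = { "email" }
        }
    };

    // A client allowed to request both scopes (hypothetical client definition).
    public static IEnumerable<Client> Clients => new List<Client>
    {
        new Client
        {
            ClientId = "import-dashboard",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            ClientSecrets = { new Secret("REPLACE-WITH-REAL-SECRET".Sha256()) },
            RedirectUris = { "https://dashboard.example.test/signin-oidc" },
            AllowedScopes = { "openid", "profile", "import_job:read", "import_job:control" }
        }
    };
}

// Registration in Startup.ConfigureServices (v4 registers scopes and resources separately):
//
//   services.AddIdentityServer()
//       .AddInMemoryApiScopes(Config.ApiScopes)
//       .AddInMemoryApiResources(Config.ApiResources)
//       .AddInMemoryClients(Config.Clients);
```

With this configuration, a token requested with only `import_job:read` carries the `email` claim (from the resource) and an `aud` of `import_api`, but no `role`; a token requested with `import_job:control` carries `email` and `role`. That is the practical difference: resource-level claims are the set the API needs on every request, scope-level claims are the extra data that only a specific capability justifies releasing.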