I have created a ResourceApi in my IdentityServer4, something like this: I have defined an ApiResource called API 1 and specified claims directly for this API resource (name, sub). I've extended this resource with two scopes named Api1.Read and Api1.Write, and specified for every scope the specific claims which I need for that part of the API. But I don't understand what the difference is between the Claims used in ApiResource and in Scopes.

What do Claims directly connected to the ApiResource mean, and what do Claims used in a Scope mean?

I have tried to restrict UserClaims in ApiResource to only sub and name, but if I want the role claim in Api1.Write, it's sent in the access token, but the definition of Api1 specifies only name and sub. Why is UserClaims defined in ApiResource?
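
    using System.Collections.Generic;
    using IdentityServer4.Models;

    var apiResource = new ApiResource
    {
        Name = "Api1",
        // User claims listed on the API resource itself
        UserClaims = new List<string> { "name", "sub" },
        Scopes = new List<Scope>
        {
            new Scope
            {
                Name = "Api1.Read",
                // User claims listed on the read scope
                UserClaims = new List<string> { "sub", "name" }
            },
            new Scope
            {
                Name = "Api1.Write",
                // User claims listed on the write scope
                UserClaims = new List<string> { "sub", "name", "role" }
            }
        }
    };
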
As per the documentation on ApiResource, the UserClaims in the ApiResource itself will always be included in the access token. If you divide that API into multiple Scopes, the UserClaims listed there will be added onto the UserClaims specified in the ApiResource.
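
The merge rule described in the answer, applied to the Api1 values from the question. This is an added example, not part of the original post and not IdentityServer4 code: `ClaimMergeDemo` and `RequestedClaims` are hypothetical names, and the sketch models only which claim types end up requested for the token, not the token issuance itself.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class ClaimMergeDemo
{
    // Claim types requested for an access token: the API-level claims plus the
    // claims of each scope the client actually requested (the rule in the answer).
    static SortedSet<string> RequestedClaims(
        IEnumerable<string> apiClaims,
        IDictionary<string, string[]> scopeClaims,
        IEnumerable<string> requestedScopes)
    {
        var result = new SortedSet<string>(apiClaims, StringComparer.Ordinal);
        foreach (var scope in requestedScopes)
        {
            if (!scopeClaims.TryGetValue(scope, out var claims))
                throw new ArgumentException($"Unknown scope: {scope}");
            result.UnionWith(claims);
        }
        return result;
    }

    static void Main()
    {
        // Values copied from the Api1 definition in the question.
        var apiClaims = new[] { "name", "sub" };
        var scopeClaims = new Dictionary<string, string[]>
        {
            ["Api1.Read"]  = new[] { "sub", "name" },
            ["Api1.Write"] = new[] { "sub", "name", "role" },
        };
        var requests = new[]
        {
            new[] { "Api1.Read" },
            new[] { "Api1.Write" },
            new[] { "Api1.Read", "Api1.Write" },
        };
        foreach (var requested in requests)
        {
            var claims = RequestedClaims(apiClaims, scopeClaims, requested);
            // Claims that reach the token only through a scope, not through the API itself.
            var scopeOnly = claims.Except(apiClaims);
            var label = string.Join(" ", requested);
            Console.WriteLine($"{label,-22} -> [{string.Join(", ", claims)}] " +
                              $"scope-only: [{string.Join(", ", scopeOnly)}]");
        }
    }
}
```

Keeping a sensitive claim such as role on the one scope that needs it, rather than on the ApiResource, keeps it out of tokens issued for the other scopes.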