Clarification on Identityserver 4 protecting API scopes with ApiResources
I don't really understand the protecting API using APIResource and APIScopes
I have an angular client application which is calling a .Net APIs lets say API1, Api2 , How can I define the values in APIResource.
I am going through the Identity server4 (version 4.0.0) database table after migration. I found the tables as below
ApiResources
ApiResourceScopes
ApiResourceClaims
ApiResourceProperties
ApiResourceSecrets
ApiScopes
ApiScopeClaims
ApiScopeProperties
My understanding was either we can use 1-5 tables for API setups or we can use 6-8 tables. I tried with tables 1-5. Added values in ApiResources ,ApiResourceScopes & ApiResourceClaims but getting below error
[18:03:53 Debug] IdentityServer4.EntityFramework.Stores.ResourceStore
Found ["TestAPI.Read"] scopes in database
Values in Tables
what is the use of ApiResourceClaims table? is this returning user claims with access token?
How do I access this scope from the client?
Is there any other tables, do I need to add data?
First I recommend that you read my answer here
- what is the use of ApiResourceClaims table? is this returning user claims with access token?
It contains a list of user claims that will be included in the access token. Meaning, the names of the claims that it will then take from the user database.
- How do I access this scope from the client?
You need to tie an ApiScope. You ask for a ApiScope that then will include one or more ApiResources.
ApiResources represents the individual API's in your system. So, you have one ApiResource per API. You use the ApiResource name and secret to let individual API authenticate against IdentityServer and login to for example get details about the access token (Token introspection)
I think this picture I have below shows the relations between the various parts:
The client asks for an ApiScope, which will then create an access token that will give access to one or multiple ApiResources. Each ApiResource might use the user claims to ask for additional user information that you want to have included in the Access token, perhaps for the authorization step in the API to determine if the user is really allowed in or not.
To complement this answer, I write a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope
- Is there a way to connect/disconnect external OpenId providers IdentityServer 4 "on the fly"
- Clarification on Identityserver 4 protecting API scopes with ApiResources
- Exchanging azure AD token with Identity server token
- IdentityServer4 and SSO
- Invalid_client using OpenIdConnect in client application
- "Key vault reference error" in azure web app configuration setting
- why offline_access scope is needed to request refresh token in IdentityServer (OAuth2)?
- Identity Server 4 ASP.NET Quickstart 'refused connection'
- Bearer token not set as expected
- Setting up JWT authentication using the Identity Server and get access token
- ApiResource vs ApiScope vs IdentityResource
- C# .Net Core API Authorized route with Identity Server 4
- User.Identity.Name is null after local login
- Error with Identity Server and Client App
- Token Request Failing and Returning error invalid grant
- Is "scope" a standard claim?
- Adding External OAuth Authentication via AddOauth
- Understanding the IdentityServer and API communication
- Can't get access token from Identity Server 4 when using IHttpClientFactory and Intercept HttpClient GetAsync
- How can run the IdentityServer for Macos?
- Share authentication cookie between IdentityServer4 clients
- Use of external authentication provider for user credentials, private IdentityServer for token generation
- Migration To NET6
- Identity Server 4: Why i receive unauthorized_client?
- identityserver4 Correlation failed
- Authentication using both Session cookies and/or JWT Bearer Token in .Net Framework Legacy Appliction
- ASP.NET Core JWT authentication changes Claims (sub)
- Set cookie not over HTTPS in ASP.NET Core
- Duende Identity Server Internal API Authorization
- Authorize callback endpoint keeps redirecting to the user interaction login page IdentityServer