I have a working prototype Visual Studio solution using IdentityServer4 which has:
I have the login working and a basic test of Web Client 1 working, talking to the API.
My question is best described using an example: Suppose I have a method in my API protected with the [Authorize] attribute for GetCourses (protected with authorize so it's not accessible by anybody if they know the URL). This currently works because my test is logging in with a user on Web Client 1 (which would be used to edit courses eventually).
But on my public-facing website I want to be able to call GetCourses with ClientCredentials in IdentityServer so I can display a list of courses on the website. I expect I'm going about this the wrong way, so if anyone can provide any pointers it would be much appreciated.
Thanks, Richard
Assuming you use cookie authentication for Web Client 1:
```csharp
// for Web Client 1 Scheme = Cookies
app.UseCookieAuthentication();

// for Web Client 2 Scheme = Bearer
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    ...
});
```
You just need to use ActiveAuthenticationSchemes like below:
```csharp
[Authorize(ActiveAuthenticationSchemes = "Cookies, Bearer")]
public IActionResult GetCourses(){ ... }
```
For more info see https://docs.asp.net/en/latest/security/authorization/limitingidentitybyscheme.html
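An added example, not part of the original answer: a client-credentials token identifies the calling application rather than a logged-in user, so the read action can accept both schemes while the edit action accepts only the cookie scheme. It assumes ASP.NET Core 1.x and the scheme names "Cookies" and "Bearer" from the answer; the policy names, controller, route and sample data are hypothetical.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class CoursePolicies
{
    // Hypothetical helper: call services.AddCoursePolicies() from
    // Startup.ConfigureServices in the API project.
    public static void AddCoursePolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Read: a signed-in user (cookie) or a machine client
            // holding an access token (bearer) may list courses.
            options.AddPolicy("ReadCourses", policy =>
            {
                policy.AddAuthenticationSchemes("Cookies", "Bearer");
                policy.RequireAuthenticatedUser();
            });

            // Edit: only the cookie scheme is evaluated, so a bearer
            // token from the public website's client is never
            // accepted here, even though it is valid for reads.
            options.AddPolicy("EditCourses", policy =>
            {
                policy.AddAuthenticationSchemes("Cookies");
                policy.RequireAuthenticatedUser();
            });
        });
    }
}

[Route("api/courses")]
public class CoursesController : Controller
{
    // Constructed sample data standing in for the real course store.
    private static readonly string[] SampleCourses = { "Course A", "Course B" };

    [HttpGet]
    [Authorize(Policy = "ReadCourses")]
    public IActionResult GetCourses() => Ok(SampleCourses);

    [HttpPost]
    [Authorize(Policy = "EditCourses")]
    public IActionResult AddCourse([FromBody] string title) => Ok(title);
}
```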