Is there a restriction in IdentityServer that scopes can only belong to a single ApiResource?
It seems to me that IdentityServer builds a list of audiences using the list of allowed scopes to look up the ApiResources they belong to, and that each scope only belongs to a single ApiResource.
We have defined the following set of ApiResources and their scopes:
ApiResource    Scopes
------------------------------
api/Orders     api/Orders
api/Products   api/Products
Which produces a nice set of aud(ience) and scope values in our JWT:
aud:
  api/Orders
  api/Products
scope:
  api/Orders
  api/Products
However, when we made the mistake of messing up the configuration by reusing the same scope for both ApiResources, things got a bit weird:
ApiResource    Scopes
------------------------------
api/Orders     api/Products
api/Products   api/Products
We ended up with this:
aud:
  api/Orders
scope:
  api/Products
It seems that the list of audiences is built by calling IResourceStore.GetAllResources()
(which we have implemented to retrieve the full catalog of ApiResources and their associated scopes) and then grabbing the first ApiResource that matches a given allowed scope, which should work just fine as long as no other ApiResource has the same scope. :)
-S
Scope names must be unique.
If you want to use the same scope names in several APIs - prefix them e.g. "api1.read", "api2.read" or similar.
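As an added illustration (not IdentityServer's own code), the following Python models the lookup the question describes, where each allowed scope is resolved to the first ApiResource whose scope list contains it, and adds the check implied by the answer: a scan for scope names claimed by more than one ApiResource, plus the suggested prefixing. The two catalogs are constructed from the tables in the post; the assumption that an allowed scope absent from the catalog is simply skipped is this model's, not a statement about IdentityServer.

```python
"""Model of the aud/scope derivation described in the thread.

Added example, not IdentityServer code. It reproduces the behaviour the
question describes (first ApiResource matching an allowed scope wins) and
adds the uniqueness check the answer asks for.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed catalogs mirroring the two tables in the post.
# Dict order stands in for the order GetAllResources() returns resources.
GOOD_CATALOG: Dict[str, List[str]] = {
    "api/Orders": ["api/Orders"],
    "api/Products": ["api/Products"],
}
BAD_CATALOG: Dict[str, List[str]] = {          # both resources share one scope
    "api/Orders": ["api/Products"],
    "api/Products": ["api/Products"],
}


def build_claims(catalog: Dict[str, List[str]],
                 allowed_scopes: List[str]) -> Tuple[List[str], List[str]]:
    """Return (aud, scope) the way the question describes it.

    For each allowed scope, take the FIRST resource whose scope list contains
    it. Assumption of this model: a scope no resource defines is skipped and
    contributes nothing to either claim.
    """
    aud: List[str] = []
    granted: List[str] = []
    for scope in allowed_scopes:
        owner = next((name for name, scopes in catalog.items()
                      if scope in scopes), None)
        if owner is None:
            continue
        granted.append(scope)
        if owner not in aud:
            aud.append(owner)
    return aud, granted


def find_duplicate_scopes(catalog: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each scope name owned by more than one ApiResource to its owners.

    An empty result means the catalog satisfies "scope names must be unique";
    anything else is the misconfiguration that collapses the aud claim.
    """
    owners: Dict[str, List[str]] = defaultdict(list)
    for name, scopes in catalog.items():
        for scope in scopes:
            owners[scope].append(name)
    return {scope: names for scope, names in owners.items() if len(names) > 1}


def prefix_scopes(catalog: Dict[str, List[str]], sep: str = ".") -> Dict[str, List[str]]:
    """Apply the answer's suggestion: qualify each scope with its resource name,
    so a 'read' scope under two APIs becomes 'api1.read' and 'api2.read'."""
    return {name: [f"{name}{sep}{scope}" for scope in scopes]
            for name, scopes in catalog.items()}


if __name__ == "__main__":
    allowed = ["api/Orders", "api/Products"]
    print("good:", build_claims(GOOD_CATALOG, allowed))
    print("bad: ", build_claims(BAD_CATALOG, allowed))
    print("dups:", find_duplicate_scopes(BAD_CATALOG))
    shared = {"api1": ["read", "write"], "api2": ["read"]}
    print("fixed:", prefix_scopes(shared), find_duplicate_scopes(prefix_scopes(shared)))
```

Running it against the "bad" catalog yields aud ["api/Orders"] and scope ["api/Products"], the exact token shape reported in the question, while find_duplicate_scopes flags "api/Products" as owned by both resources before any token is ever issued.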