How to protect Web API called by IdentityServer4

I make multiple calls to a Web API during login operations in IdentityServer4. Same applies during password reset operations which is custom code I have added to the IdentityServer4 project.

So how should I protect my ASP.NET Core Web API when the user isn't yet authenticated via OIDC which implies that there also isn't exist any access token at that stage. I would like to only allow IdentityServer4 to call these Web API methods instead of running unprotected Web API's.

Any suggestions?

Solution

You can use this

https://identityserver4.readthedocs.io/en/release/topics/tools.html

to generate your own tokens to call the APIs.

In Identity Server 4, I have a User's identity but 0 Claims
Is there a way to connect/disconnect external OpenId providers IdentityServer 4 "on the fly"
Clarification on Identityserver 4 protecting API scopes with ApiResources
Exchanging azure AD token with Identity server token
IdentityServer4 and SSO
Invalid_client using OpenIdConnect in client application
"Key vault reference error" in azure web app configuration setting
why offline_access scope is needed to request refresh token in IdentityServer (OAuth2)?
Identity Server 4 ASP.NET Quickstart 'refused connection'
Bearer token not set as expected
Setting up JWT authentication using the Identity Server and get access token
ApiResource vs ApiScope vs IdentityResource
C# .Net Core API Authorized route with Identity Server 4
User.Identity.Name is null after local login
Error with Identity Server and Client App
Token Request Failing and Returning error invalid grant
Is "scope" a standard claim?
Adding External OAuth Authentication via AddOauth
Understanding the IdentityServer and API communication
Can't get access token from Identity Server 4 when using IHttpClientFactory and Intercept HttpClient GetAsync
How can run the IdentityServer for Macos?
Share authentication cookie between IdentityServer4 clients
Use of external authentication provider for user credentials, private IdentityServer for token generation
Migration To NET6
Identity Server 4: Why i receive unauthorized_client?
identityserver4 Correlation failed
Authentication using both Session cookies and/or JWT Bearer Token in .Net Framework Legacy Appliction
ASP.NET Core JWT authentication changes Claims (sub)
Set cookie not over HTTPS in ASP.NET Core
Duende Identity Server Internal API Authorization