Tags: access-token, openid-connect, identityserver4

IdentityServer4 Client Scopes and User Claims based authorization


I have an IdentityServer4 that I use for authentication/authorization, and I am a little confused about how to achieve the following:

Let us say I have 2 clients, and they are trying to access 2 APIs (each client can access one of them); however, I have users with different permissions (user1 can access the first API, user2 can access the second API, user3 can access both).

When user3, who should have access to both APIs, logs in using the first client (only the api1 scope is requested by the client), how will I provide him a token that grants him access to both APIs (scopes), so that he does not have to log in again when using the second client?

I have read a lot of discussions about user claims and client scopes, but I still do not have a clear answer on how to use them for authenticating the above case.


Solution

  • The client needs to request both scopes, or you need a scope that gives access to both APIs.

    Scopes are granted to the clients; there is no way for your Ids to know that user3 should have access to both unless the client requests both scopes.
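As an added illustration of the answer above (example code written for this page, not from the question's author or from the IdentityServer4 project), here is an IdentityServer4 v4 configuration showing both options: a client whose AllowedScopes list both api1 and api2, and a single combined scope that is attached to both ApiResources so a token carrying it has both APIs in its audience. The scope names api1/api2, the combined scope name api.all, the client ids, secrets and redirect URIs are all assumed values; substitute your own.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    // Scopes a client may request. "api.all" is a hypothetical combined scope
    // (an assumption for this example) that grants access to both APIs.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("api1", "First API"),
        new ApiScope("api2", "Second API"),
        new ApiScope("api.all", "Both APIs"),
    };

    // Each ApiResource lists the scopes that map to it. Because "api.all" appears
    // under both resources, a token issued with that scope carries both "api1"
    // and "api2" in its aud claim, so either API will accept it.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("api1", "First API") { Scopes = { "api1", "api.all" } },
        new ApiResource("api2", "Second API") { Scopes = { "api2", "api.all" } },
    };

    public static IEnumerable<Client> Clients => new[]
    {
        // Option 1: the client is allowed to request, and does request, both scopes.
        new Client
        {
            ClientId = "client1",                       // assumed client id
            ClientSecrets = { new Secret("client1-secret-placeholder".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://client1.example/signin-oidc" }, // assumed URI
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1",
                "api2",
            },
        },

        // Option 2: the client requests the single combined scope instead.
        new Client
        {
            ClientId = "client2",                       // assumed client id
            ClientSecrets = { new Secret("client2-secret-placeholder".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://client2.example/signin-oidc" }, // assumed URI
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                "api.all",
            },
        },
    };
}
```

In both cases the token's scope is decided by what the client is allowed to request and actually requests in its authorize call (for example `scope=openid api1 api2`), not by who the user is. Per-user restrictions such as "user1 may only call the first API" are enforced separately, inside each API, by checking the user's claims in the token, and a scope only limits what the client may ask for on the user's behalf.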