
Is it possible to define clients in Identity Server 4 to control incoming requests?


I'm evaluating Identity Server 4 as a possible solution for my ASP.NET Core API app. We're also in the process of building mobile apps that will call the API.

If we do decide to use Identity Server 4 (IS4), it will be set up as a separate app i.e. it won't be added to our existing Web/API app.

Is it possible to define clients in IS4 so that requests to IS4 must provide the ClientId as well, so that requests coming from unauthorized clients won't be processed?

The problem I'm trying to solve is that I don't want anyone to create their own web/mobile app and start calling our API. If someone wants to create an app that will consume our API, it must register with us and get an AppId and SecretKey, just like accessing Facebook or Google authentication.

Does IS4 support this?


Solution

  • The short answer is - yes it does.

    Now some explanation - to call an API that is protected by Identity Server, you should act as an Identity Server Client (no matter what kind of app it is). This client first authenticates against IDS and then (if allowed) calls the API. So if it is not a registered IDS client, it cannot authenticate. The IDS clients are registered during the start of the IDS app - check here.

    Actually you can check all their documentation. I think that the first part is very similar to your case.
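
The client registration the answer describes, as an added example that is not part of the original answer or the IdentityServer4 project's own code. It assumes IdentityServer4 v4.x with the in-memory stores; the client id `partner.app1`, the scope `orders.api` and the secret are constructed placeholder values.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Scope that represents the protected API (placeholder name).
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("orders.api", "Orders API")
    };

    // Only clients listed here can authenticate at the token endpoint.
    // A request with an unknown client_id or a wrong secret is rejected
    // with the OAuth 2.0 error "invalid_client" and no token is issued.
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "partner.app1",                            // the "AppId"
            ClientSecrets = { new Secret("constructed-secret".Sha256()) }, // the "SecretKey", stored hashed
            AllowedGrantTypes = GrantTypes.ClientCredentials,     // app-to-API, no user involved
            AllowedScopes = { "orders.api" }                      // nothing beyond this scope can be requested
        }
    };
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()        // development only; use a real signing key in production
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryClients(Config.Clients);    // clients are registered when the IDS app starts
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer();                    // exposes discovery and token endpoints
    }
}
```

A secret shipped inside a distributed mobile binary can be read by anyone who holds the binary, so it only identifies a client reliably for server-side apps. Native apps are normally registered as public clients with `AllowedGrantTypes = GrantTypes.Code`, `RequirePkce = true` and `RequireClientSecret = false`.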