Securing a client in IdentityServer4
I have the following scenario:
I am confused as to how to set up API 2 in IdentityServer4, as it looks to me like it's both a Client (since it's consuming the resources provided by API 1) and an ApiResource (since I'm wanting to secure it so that only logged-in users can access it).
I have considered setting up API 2 as a Client and securing it with cookie authentication. I think this is similar to what they do in the MvcClient in their sample. However, I don't like it because all of the information about the user is stored server-side, so my JavaScript app has no way of knowing the user's name, email, etc.
What is the best way to handle this scenario?
Basically, you need to protect both of your API's with your Identity Server. Something like:
API 1 Startup.cs:
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "https://localhost:5000";
options.SupportedTokens = SupportedTokens.Both;
options.RequireHttpsMetadata = false;
options.ApiName = "api1";
});
Same thing for API 2, but the options.ApiName should be different. Then, your javascript client, when being constructed on the Identity Server side, should be allowed to access these 2 api's (allowed scopes):
new Client
{
ClientId = "your.js.client.id",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = { "http://localhost:5003/callback.html" },
PostLogoutRedirectUris = { "http://localhost:5003/index.html" },
AllowedCorsOrigins = { "http://localhost:5003" },
AllowedScopes =
{
"api2",
"api1"
}
}
This code was from the official documentation.
And then in API 2, when you want to call API 1's controller, you need something like:
var client = new HttpClient();
client.SetBearerToken(accessToken);
client.GetStringAsync("https://localhost/api1/test");
Where you get the access_token:
[Authorize]
public async Task<IActionResult> ControllerMethodInApi2()
{
var accessToken = await context.HttpContext.GetTokenAsync("access_token");
return View();
}
This should work for you.
- "The breakpoint will not currently be hit. A copy of file was found in dll file, but the current source code is different"
- Why the name of the entry point in top level statements is "<Main>$" and not "Main"?
- Merging two arrays in .NET
- How to use the source generators from CommunityToolkit.Mvvm for a .NET Framework 4.7.2 WPF Application
- How to fix `Your project does not reference ".NETFramework,Version=v4.6.1" framework...`
- WPF ImageSource binding with Custom converter
- How to disable VS compile warning "class or css class is not defined"
- How fast is SQLite compared to Microsoft Access MDB?
- How to suppress c# compiler warning in a razor file?
- How to reduce the margin between two buttons in below WPF code
- Validation with data annotations does not work
- How can I force csc / mcs to use a specific version of an assembly reference?
- Targeting ARM architecture with .NET compiler
- Can a ThreadAbortException be thrown outside of a catch block?
- Is it possible to work with a .NET 4.8 Library from .NET 6/7 or 8?
- Last Boot Time in .NET Standard 2.0
- Implementing Navigation in Avalonia with MVVM Community Toolkit
- Calculation of Cramer's V matrix using MathNet.Numerics
- What is the error of this Blazor EditForm?
- String Interpolation in Visual Studio 2015 and IFormatProvider (CA1305)
- ASP.NET MVC: Delete and Update Methods Not Working (HTTP ERROR 404)
- Azure DevOps Pipelines XCode 16.0 unable to find utility "actool"
- Double multiplied with int has become less accurate in .NET Core
- How to pass js function argument to inline c# in cshtml?
- How and when does ngen.exe work?
- Linq how to select only a small subset of a large result set?
- GraphQL client in .Net with subscription
- Finding RDBMS table relationships using SqlConnection schemas
- AutoMapper DTO Not Serializing Correctly for Derived Class Insertion
- How can I disable certificate validation with StackExchange.Redis?