
Securing multiple Apis using identityserver4


I want to protect all of my APIs using only one IdentityServer4 application.

My first resource API and client applications:

  • CustomerManagementApi
  • CustomerManagement.JavascriptApplication
  • CustomerManagement.iOSApp
  • CustomerManagement.AndroidApp

My second resource API and applications:

  • HumanResourceApi
  • HumanResource.MVCApplication

My other resource API and applications:

  • DashboardApi
  • Dashboard.AngularApplication

I want to create only one IdentityServer4 and secure my resources (DashboardApi, HumanResourceApi, CustomerManagementApi), and I want to save my client applications on the same IdentityServer4 application.

Is this possible? Should I create different ApiResources and Scopes on IdentityServer? How can I do this?


Solution

  • Yes, it is possible: IdentityServer4 enables you to define Resource Apis, Client applications, Users and Scopes, and you can configure this data using in-memory data for initial tests, or even another storage mechanism like Entity Framework, for example.

    It is not simple to explain here, but in the official documentation there are some quickstarts that you can do to learn more.

    Below are some examples of in-memory configurations for Resource Apis, Client applications and Users (using a Config.cs class), just to give you an idea of how simple it can be to start:

    Resource Apis: the protected APIs that Clients want to access

        // Config.cs; needs: using System.Collections.Generic; using IdentityServer4.Models;
        public static IEnumerable<ApiResource> GetApis()
        {
            return new List<ApiResource>
            {
                // one ApiResource per protected API; the name is also the scope name
                new ApiResource("CustomerManagementApi", "My CustomerManagementApi"),
                new ApiResource("DashboardApi", "My DashboardApi"),
                // others ...
            };
        }


    Clients: applications that want to access the Resource Apis

        // Config.cs; needs: using IdentityServer4.Models; (Sha256() is an extension in that namespace)
        public static IEnumerable<Client> GetClients()
        {
            return new List<Client>
            {
                new Client
                {
                    ClientId = "client",

                    // no interactive user, use the clientid/secret for authentication
                    AllowedGrantTypes = GrantTypes.ClientCredentials,

                    // secret for authentication
                    ClientSecrets =
                    {
                        new Secret("secret".Sha256())
                    },

                    // scopes that client has access to
                    AllowedScopes = { "CustomerManagementApi" }
                }
            };
        }


    Users: end users that want to access some resource

        // Config.cs; needs: using IdentityServer4.Test; (TestUser is for in-memory test users only)
        public static List<TestUser> GetUsers()
        {
            return new List<TestUser>
            {
                new TestUser
                {
                    SubjectId = "1",
                    Username = "alice",
                    Password = "password"
                },
                new TestUser
                {
                    SubjectId = "2",
                    Username = "bob",
                    Password = "password"
                }
            };
        }
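As an added example (not code from the answer above or from the IdentityServer4 project), here is how the question's three APIs and their front ends could be registered on one IdentityServer4 instance so that each client can only request the scope of the API it actually calls; the client ids, redirect URIs and example.com host names are assumed, and the code targets the IdentityServer4 v2/v3 API used in the answer.

```csharp
// Added example, not the answer's own code: one IdentityServer4 Config.cs that
// registers all three APIs and one client per front end, each client limited to
// the scope of its own API. Assumes IdentityServer4 v2/v3 and the example.com hosts.
using System.Collections.Generic;
using IdentityServer4.Models;
using static IdentityServer4.IdentityServerConstants;

public static class Config
{
    // One ApiResource per protected API. Its name is both the scope a client
    // may request and the "aud" claim in the access tokens it receives.
    public static IEnumerable<ApiResource> GetApis() => new[]
    {
        new ApiResource("CustomerManagementApi", "Customer Management API"),
        new ApiResource("HumanResourceApi", "Human Resource API"),
        new ApiResource("DashboardApi", "Dashboard API"),
    };

    // Browser and mobile apps cannot keep a secret: authorization code + PKCE,
    // no client secret, and only the scope of the API they call.
    private static Client PublicClient(string id, string redirect, string api) => new Client
    {
        ClientId = id,
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = true,
        RequireClientSecret = false,
        RedirectUris = { redirect },
        AllowedScopes = { StandardScopes.OpenId, api },
    };

    public static IEnumerable<Client> GetClients() => new[]
    {
        PublicClient("customermanagement.js", "https://customers.example.com/callback", "CustomerManagementApi"),
        PublicClient("customermanagement.ios", "com.example.customers://callback", "CustomerManagementApi"),
        PublicClient("customermanagement.android", "com.example.customers://callback", "CustomerManagementApi"),
        PublicClient("dashboard.angular", "https://dashboard.example.com/callback", "DashboardApi"),
        // The MVC app runs server side, so it is a confidential client with a
        // secret; it is still granted only the HR scope.
        new Client
        {
            ClientId = "humanresource.mvc",
            ClientSecrets = { new Secret("REPLACE-WITH-A-STRONG-SECRET".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://hr.example.com/signin-oidc" },
            AllowedScopes = { StandardScopes.OpenId, StandardScopes.Profile, "HumanResourceApi" },
        },
    };
}
// Each API pins its own audience in Startup, so a DashboardApi token is rejected by
// HumanResourceApi: services.AddAuthentication("Bearer").AddJwtBearer("Bearer", o => { o.Authority = "https://identity.example.com"; o.Audience = "HumanResourceApi"; });
```

Restricting AllowedScopes per client stops a front end from requesting another API's scope, and setting Audience (or ApiName with IdentityServer4.AccessTokenValidation) on each API is what rejects a token that was issued for a different resource by the same issuer.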