I'm using IdentityServer4 with ASP.NET Identity and Angular for the client. All is good and working as I expect when I have a user logged in. The question is regarding securing access to the API to just my Angular app for anonymous users. For example, I don't want just anyone accessing the endpoint to create users. Does the Angular app need to get a token using the client credentials? This token would then be used for anonymous users.
New to OAuth and trying to get my understanding straight.
You should not need to get a token to access endpoints such as create user, since it is normally an [AllowAnonymous] action. If you really do wish to constrain access to this endpoint, then it can be achieved using different kinds of measures, such as CORS for example.
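
The setup the answer describes, as an added example that is not code from the question or the answer: an ASP.NET Core 3.1 API that requires a bearer token on every action, opts the create-user action out with [AllowAnonymous], and allows cross-origin calls only from the Angular app's origin. The origin, authority, audience, policy name, route and `RegisterRequest` type are placeholders, and the app's existing ASP.NET Identity registration is assumed.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    const string SpaCors = "AngularSpa"; // hypothetical policy name

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(o => o.AddPolicy(SpaCors, p => p
            .WithOrigins("https://app.example.com")   // placeholder: the Angular app's origin
            .WithMethods("GET", "POST").WithHeaders("Content-Type", "Authorization")));
        // Placeholders: the IdentityServer4 host and the API resource name.
        services.AddAuthentication("Bearer").AddJwtBearer("Bearer", o =>
            { o.Authority = "https://sts.example.com"; o.Audience = "api1"; });
        // Require a token on every action unless it is explicitly marked [AllowAnonymous].
        services.AddControllers(o => o.Filters.Add(new AuthorizeFilter(
            new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build())));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCors(SpaCors);      // after UseRouting, before authentication and endpoints
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}

public class RegisterRequest { public string Email { get; set; } public string Password { get; set; } }

[ApiController, Route("api/users")]
public class UsersController : ControllerBase
{
    private readonly UserManager<IdentityUser> _users; // assumed: Identity is registered elsewhere
    public UsersController(UserManager<IdentityUser> users) => _users = users;

    // Reachable without a token. CORS is enforced by browsers, so it limits which
    // web origins can call this from script; it does not authenticate the caller.
    [AllowAnonymous, HttpPost]
    public async Task<IActionResult> Create(RegisterRequest request)
    {
        var user = new IdentityUser { UserName = request.Email, Email = request.Email };
        var result = await _users.CreateAsync(user, request.Password);
        return result.Succeeded ? Ok() : (IActionResult)BadRequest(result.Errors);
    }
}
```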