Tags: c#, asp.net-mvc, identityserver4

IdentityServer4 ClientCredentials basic question (I think)


This is probably a basic question about IdentityServer4.

So I'm working through the IdentityServer4 docs. I've done the

Protecting an API using Client Credentials: https://docs.identityserver.io/en/latest/quickstarts/1_client_credentials.html#

I get that, so I set up an API Resource with an API Scope (api1), and my "Client" uses Client Credentials and that scope:

public static IEnumerable<Client> Clients =>
    new List<Client>
    {
        new Client
        {
            ClientId = "client",

            // no interactive user, use the clientid/secret for authentication
            AllowedGrantTypes = GrantTypes.ClientCredentials,

            // secret for authentication
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },

            // scopes that client has access to
            AllowedScopes = { "api1" }
        }
    };

OK, so then I do the next section, "Interactive Applications with ASP.NET Core", and I get that.

So my Client will need to do both, so happily there is the next section, "ASP.NET Core and API access", to bring them both together, which says all I have to do is

new Client
{
    ClientId = "mvc",

    // secret for authentication at the token endpoint
    ClientSecrets = { new Secret("secret".Sha256()) },

    // interactive flow: the user logs in at IdentityServer, the app redeems the code
    AllowedGrantTypes = GrantTypes.Code,

    // where to redirect to after login
    RedirectUris = { "https://localhost:5002/signin-oidc" },

    // where to redirect to after logout
    PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },

    // lets the client request a refresh token (offline_access scope)
    AllowOfflineAccess = true,

    // identity scopes plus the API scope this client may request
    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    }
}

which does work.

What I don't understand is: it is the IdentityServer4 client "client" that has the

AllowedGrantTypes = GrantTypes.ClientCredentials

so how does the "mvc" Client only have to add "api1" to the allowed scopes to get the Client Credentials?

I can't see an explanation in the docs.

Is a bearer token by convention "Client Credentials" (so I don't need the Client "client" anymore)? Or does IdentityServer4 somehow link the Clients based on the fact they both have the api1 scope?

Thanks


Solution

  • ClientCredentials is for service-to-service communication. Perhaps you have a background job that needs to talk to an API, or one API needs to talk to another API.

    The authorization code flow is typically for an MVC application where you have a user logging in to the site, and you get back an access token that you can then send to a given API, like api1 in this case.

    In your scenario you don't really need to use both. Only the authorization code flow is enough for the public-facing server, with api1 as the scope.

    You use bearer tokens (Authorization header) in both flows when you talk to an API.
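To make the point in the answer concrete, here is an added example (not IdentityServer4's code and not from the question or the docs): a deliberately simplified model of a token endpoint that enforces AllowedGrantTypes and AllowedScopes per client, and a protected API that only inspects the bearer token's scope. The client entries mirror the two Client definitions in the question; the authorization code "abc123", the user "alice", and the opaque reference tokens are constructed for illustration (real IdentityServer4 issues JWTs and validates redirect URIs, PKCE and more). Note that "mvc" never gets client credentials: it gets an access token for api1 through the code exchange, and api1 accepts either token because both are bearer tokens carrying the api1 scope.

```python
# Added example: minimal model of per-client grant-type and scope enforcement.
# Not IdentityServer4 code; all client data, codes and tokens are constructed.
import hashlib
import hmac
import json
import secrets
import time


def sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Mirrors the two Client entries from the question (secrets stored hashed).
CLIENTS = {
    "client": {
        "secret": sha256("secret"),
        "allowed_grant_types": {"client_credentials"},
        "allowed_scopes": {"api1"},
        "allow_offline_access": False,
    },
    "mvc": {
        "secret": sha256("secret"),
        "allowed_grant_types": {"authorization_code"},
        "allowed_scopes": {"openid", "profile", "api1"},
        "allow_offline_access": True,
    },
}

# Constructed: a code the server handed to "mvc" after a user logged in
# interactively. code -> (client_id, subject, scopes granted at login)
ISSUED_CODES = {
    "abc123": ("mvc", "alice", {"openid", "profile", "api1"}),
}

ISSUED_TOKENS = {}  # opaque reference token -> claims


def token_endpoint(form: dict) -> dict:
    """Simplified POST /connect/token: returns a token response or an OAuth
    error object. The grant type and the scopes are checked per client."""
    client = CLIENTS.get(form.get("client_id"))
    presented = sha256(form.get("client_secret", ""))
    if client is None or not hmac.compare_digest(client["secret"], presented):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["allowed_grant_types"]:
        # "mvc" cannot use client_credentials and "client" cannot use
        # authorization_code: the grant type is a per-client setting.
        return {"error": "unauthorized_client"}
    if grant == "client_credentials":
        requested = set(form.get("scope", "").split())
        if not requested or not requested <= client["allowed_scopes"]:
            return {"error": "invalid_scope"}
        claims = {"client_id": form["client_id"], "scope": sorted(requested)}
    elif grant == "authorization_code":
        entry = ISSUED_CODES.pop(form.get("code"), None)  # codes are single use
        if entry is None or entry[0] != form["client_id"]:
            return {"error": "invalid_grant"}
        _, subject, granted = entry
        claims = {"client_id": form["client_id"], "sub": subject,
                  "scope": sorted(granted)}
    else:
        return {"error": "unsupported_grant_type"}
    claims["exp"] = int(time.time()) + 3600
    token = secrets.token_urlsafe(32)  # opaque reference token in this model
    ISSUED_TOKENS[token] = claims
    resp = {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
    if grant == "authorization_code" and client["allow_offline_access"]:
        resp["refresh_token"] = secrets.token_urlsafe(32)
    return resp


def api1(authorization_header: str) -> tuple:
    """The protected API. It does not know or care which grant produced the
    token; it only checks for a valid bearer token carrying the api1 scope."""
    if not authorization_header.startswith("Bearer "):
        return (401, "missing bearer token")
    claims = ISSUED_TOKENS.get(authorization_header[len("Bearer "):])
    if claims is None or claims["exp"] < time.time():
        return (401, "invalid token")
    if "api1" not in claims["scope"]:
        return (403, "insufficient_scope")
    return (200, json.dumps({"caller": claims.get("sub") or claims["client_id"]}))


if __name__ == "__main__":
    # Service-to-service: "client" uses client credentials.
    t1 = token_endpoint({"client_id": "client", "client_secret": "secret",
                         "grant_type": "client_credentials", "scope": "api1"})
    print(api1("Bearer " + t1["access_token"]))
    # Interactive web app: "mvc" redeems the code a logged-in user produced.
    t2 = token_endpoint({"client_id": "mvc", "client_secret": "secret",
                         "grant_type": "authorization_code", "code": "abc123"})
    print(api1("Bearer " + t2["access_token"]))
    # "mvc" asking for client credentials is refused: unauthorized_client.
    print(token_endpoint({"client_id": "mvc", "client_secret": "secret",
                          "grant_type": "client_credentials", "scope": "api1"}))
```

Running the script shows api1 answering 200 for both tokens (one identifies the calling service, the other the logged-in user), while the attempt by "mvc" to use client_credentials is rejected before any scope is considered.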