Search code examples
identityserver4scopesduende-identity-server

Clarification on Identityserver 4 protecting API scopes with ApiResources


I don't really understand the protecting API using APIResource and APIScopes

I have an angular client application which is calling a .Net APIs lets say API1, Api2 , How can I define the values in APIResource.

I am going through the Identity server4 (version 4.0.0) database table after migration. I found the tables as below

  1. ApiResources

  2. ApiResourceScopes

  3. ApiResourceClaims

  4. ApiResourceProperties

  5. ApiResourceSecrets

  6. ApiScopes

  7. ApiScopeClaims

  8. ApiScopeProperties

My understanding was either we can use 1-5 tables for API setups or we can use 6-8 tables. I tried with tables 1-5. Added values in ApiResources ,ApiResourceScopes & ApiResourceClaims but getting below error

[18:03:53 Debug] IdentityServer4.EntityFramework.Stores.ResourceStore
Found ["TestAPI.Read"] scopes in database

Values in Tables

ApiResources

  1. what is the use of ApiResourceClaims table? is this returning user claims with access token?

  2. How do I access this scope from the client?

  3. Is there any other tables, do I need to add data?


Solution

  • First I recommend that you read my answer here

    • what is the use of ApiResourceClaims table? is this returning user claims with access token?

    It contains a list of user claims that will be included in the access token. Meaning, the names of the claims that it will then take from the user database.

    • How do I access this scope from the client?

    You need to tie an ApiScope. You ask for a ApiScope that then will include one or more ApiResources.

    ApiResources represents the individual API's in your system. So, you have one ApiResource per API. You use the ApiResource name and secret to let individual API authenticate against IdentityServer and login to for example get details about the access token (Token introspection)

    I think this picture I have below shows the relations between the various parts: enter image description here

    The client asks for an ApiScope, which will then create an access token that will give access to one or multiple ApiResources. Each ApiResource might use the user claims to ask for additional user information that you want to have included in the Access token, perhaps for the authorization step in the API to determine if the user is really allowed in or not.

    To complement this answer, I write a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope