I am implementing Identity Server in a razor page application.
When requesting the speech ApiResource, identityserver returns "invalid_scope". My understanding is that the resource is a group of scopes. So, I was expecting the identityserver to return the scopes defined in the speech resource.
Note: When I add speech as ApiScope it works fine but then it does not add the speech.synthesize and payment.subscription scopes.
Here's how I have defined the ApiScopes:
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("speech.synthesize", "Speech synthesis", new[] { "api.create" }),
            new ApiScope("payment.subscription", "Subscription service"),
            new ApiScope("payment.manage", "Manage Payment"),
        };
And here's how I have defined the ApiResource:
    public static IEnumerable<ApiResource> ApiResources =>
        new List<ApiResource>
        {
            new ApiResource("speech", "Speech API")
            {
                Scopes = { "speech.synthesize", "payment.subscription" }
            }
        };
And here's the client configuration:
    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "client",
                // no interactive user, use the clientid/secret for authentication
                AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
                // secret for authentication
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },
                AlwaysSendClientClaims = true,
                // scopes that client has access to
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "speech"
                }
            }
        };
What is wrong here? Can anybody help me understand the problem?
What is the role of the ApiResource if not grouping the scopes?
You as a client ask for ApiScopes, not ApiResources. One or more ApiResources can point to an ApiScope.
An ApiResource represents an API instance, not a Scope. ApiResources are like clients, but for APIs.
See my answer here for more details about the difference between IdentityResource, ApiResource and ApiScope
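The configuration from the question with the client allowed the scope names instead of the ApiResource name, as an added example that is not part of the original question or answer. It assumes the IdentityServer4 v4+ namespaces (Duende IdentityServer uses `Duende.IdentityServer` and `Duende.IdentityServer.Models`), and `ScopesOf` is a hypothetical helper, not an IdentityServer API.

```csharp
using System.Collections.Generic;
using System.Linq;
using IdentityServer4;          // assumption: IdentityServer4 v4+
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<ApiScope> ApiScopes => new List<ApiScope>
    {
        new ApiScope("speech.synthesize", "Speech synthesis", new[] { "api.create" }),
        new ApiScope("payment.subscription", "Subscription service"),
        new ApiScope("payment.manage", "Manage Payment"),
    };

    public static IEnumerable<ApiResource> ApiResources => new List<ApiResource>
    {
        // "speech" is never requested as a scope; it names the API and becomes the
        // "aud" claim of access tokens issued for any of the scopes listed here.
        new ApiResource("speech", "Speech API")
        {
            Scopes = { "speech.synthesize", "payment.subscription" }
        }
    };

    // Hypothetical helper: the scope names attached to one ApiResource.
    private static IEnumerable<string> ScopesOf(string apiResourceName) =>
        ApiResources.Single(r => r.Name == apiResourceName).Scopes;

    public static IEnumerable<Client> Clients => new List<Client>
    {
        new Client
        {
            ClientId = "client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
            ClientSecrets = { new Secret("secret".Sha256()) }, // sample value from the question
            AlwaysSendClientClaims = true,
            // Allow scope names, not the ApiResource name. payment.manage is left out,
            // so this client cannot obtain it even if it asks for it.
            AllowedScopes = new[]
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
            }.Concat(ScopesOf("speech")).ToList()
        }
    };
}
// The token request then asks for: scope=speech.synthesize payment.subscription
```

The API that validates the token should check both the `aud` value (`speech`) and the specific scope each endpoint requires, so a token carrying only `payment.subscription` cannot call the synthesis endpoint.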