Tags: c#, identityserver4, claims-based-identity

IdentityServer - how to get grant_type from within a Protected API?


I have an API protected by IdentityServer with an associated allowed scope.

I have two Identity Server clients with permission to access that allowed scope - one accepts client_credentials (for machine-machine operations), and the other accepts authorization_code (for user-machine operations).

Within the API itself, how can I determine whether a given client has been authorised by client_credentials or by authorization_code?

I can find a few references to the "gty" claim but this is not included in tokens generated by identity server. Is there a way to force IdentityServer to include this claim, or is there some other convention for how to identify whether a request originated from a machine client, or from a user?


Solution

  • You can have different client IDs and client definitions for the different use cases (authorization code flow vs. client credentials flow).

    Then in the client definition for each one, you can add Client Claims, that will be included in the access token and will be included for any user.

    See https://docs.duendesoftware.com/identityserver/v6/reference/models/client/#token

    These settings are related to this:

    • Claims

    Allows settings claims for the client (will be included in the access token).

    • AlwaysSendClientClaims

    If set, the client claims will be sent for every flow. If not, only for the client credentials flow (default is false).

    • AlwaysIncludeUserClaimsInIdToken

    When requesting both an id token and access token, should the user claims always be added to the id token instead of requiring the client to use the userinfo endpoint. Default is false.

    • ClientClaimsPrefix

    If set, the prefix client claim types will be prefixed with. Defaults to client_. The intent is to make sure they don’t accidentally collide with user claims.
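As an added example that is not part of the original answer: the two client definitions described above, each tagged with a client claim, plus the matching check inside the protected API. It assumes the Duende IdentityServer `Client` model (the IdentityServer4 model is the same shape), an API scope named `api1`, and a hypothetical claim type `flow` with the values `machine` and `user`; secrets and redirect URIs are placeholders.

```csharp
// Added example, not the original answer's code. Assumes Duende IdentityServer
// (IdentityServer4 uses the same Client model). Claim type "flow" and the
// client IDs, secrets and URIs are constructed placeholders.
using System.Collections.Generic;
using System.Security.Claims;
using Duende.IdentityServer.Models;
using Microsoft.AspNetCore.Authorization;

public static class ClientConfig
{
    public static IEnumerable<Client> Clients => new[]
    {
        // Machine-to-machine client: client_credentials only.
        new Client
        {
            ClientId = "machine-client",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("REPLACE_WITH_MACHINE_SECRET".Sha256()) },
            AllowedScopes = { "api1" },
            // Client claims are emitted for client_credentials tokens by default.
            // With the default ClientClaimsPrefix ("client_") this arrives in the
            // access token as "client_flow": "machine".
            Claims = { new ClientClaim("flow", "machine") },
        },
        // Interactive client: authorization_code on behalf of a user.
        new Client
        {
            ClientId = "interactive-client",
            AllowedGrantTypes = GrantTypes.Code,
            ClientSecrets = { new Secret("REPLACE_WITH_INTERACTIVE_SECRET".Sha256()) },
            RedirectUris = { "https://app.example/signin-oidc" },
            AllowedScopes = { "openid", "profile", "api1" },
            Claims = { new ClientClaim("flow", "user") },
            // Without this the client claim is only sent for client_credentials,
            // so authorization_code tokens would carry no "client_flow" claim.
            AlwaysSendClientClaims = true,
        },
    };
}

// API side (ASP.NET Core). Registers two policies so controllers can require
// one flow or the other instead of inspecting the claim by hand.
public static class FlowPolicies
{
    public const string FlowClaim = "client_flow"; // prefix "client_" + claim "flow"

    public static void AddFlowPolicies(this AuthorizationOptions options)
    {
        options.AddPolicy("MachineOnly", p => p.RequireClaim(FlowClaim, "machine"));
        options.AddPolicy("UserOnly", p => p.RequireClaim(FlowClaim, "user"));
    }

    // Resolves how the caller was authorised. Falls back to the client_id claim,
    // which IdentityServer always includes, so a token from an unknown client or
    // one missing the flow claim is reported explicitly rather than guessed.
    public static string DescribeFlow(ClaimsPrincipal user)
    {
        var flow = user.FindFirst(FlowClaim)?.Value;
        if (flow is not null)
            return flow;

        var clientId = user.FindFirst("client_id")?.Value ?? "<no client_id>";
        return $"unknown (client_id={clientId})";
    }
}

// Usage in Program.cs of the API:
//   builder.Services.AddAuthorization(o => o.AddFlowPolicies());
// and on a controller action:
//   [Authorize(Policy = "MachineOnly")]
```

Because `ClientClaimsPrefix` defaults to `client_`, the API must look for `client_flow`, not `flow`; if you clear the prefix on the client, the claim name would collide with any user claim of the same type, which is exactly what the prefix exists to prevent. Resolving the flow from `client_id` alone also works when each client has exactly one allowed grant type, but the explicit claim survives later changes to a client's `AllowedGrantTypes`.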