I'm integrating IdentityServer4 into an existing ASP.NET Core 2 Web API project. The goal is to provide security for the api that will be accessed by front end code plus calls from a known third party application.
To this end, i'm setting up two client applications with seperate grant types - implicit for the front end and a grant type that supports refresh tokens (probably hybrid).
I've gone through several of the quickstarts and have a fair an understanding of the basics, but am having trouble deciding how to structure the IdentityServer code in relation to the existing project.
Can IdentityServer4 just be added directly to the asp.net API project by adding the required security to the startup, or is it required to run as a separate project/service? All of the examples i have seen so far have had this as a separate project, which i can understand making sense for a larger security service, but feels like overkill for applicaitons with a smaller scope.
