
I don't really understand protecting an API using ApiResource and ApiScopes.

I have an Angular client application which is calling .NET APIs, let's say API1 and API2. How can I define the values in ApiResource?

I am going through the IdentityServer4 (version 4.0.0) database tables after migration. I found the tables below:

  1. ApiResources

  2. ApiResourceScopes

  3. ApiResourceClaims

  4. ApiResourceProperties

  5. ApiResourceSecrets

  6. ApiScopes

  7. ApiScopeClaims

  8. ApiScopeProperties

My understanding was that we can use either tables 1-5 or tables 6-8 for the API setup. I tried tables 1-5: I added values in ApiResources, ApiResourceScopes and ApiResourceClaims, but I am getting the error below:

[18:03:53 Debug] IdentityServer4.EntityFramework.Stores.ResourceStore
Found ["TestAPI.Read"] scopes in database

Values in Tables

ApiResources

  1. What is the use of the ApiResourceClaims table? Is it returning user claims with the access token?

  2. How do I access this scope from the client?

  3. Are there any other tables I need to add data to?

leo

1 Answer


First, I recommend that you read my answer here.

  • What is the use of the ApiResourceClaims table? Is this returning user claims with the access token?

It contains a list of user claims that will be included in the access token, meaning the names of the claims that it will then take from the user database.

  • How do I access this scope from the client?

You need to tie it to an ApiScope. You ask for an ApiScope, which will then include one or more ApiResources.

ApiResources represent the individual APIs in your system, so you have one ApiResource per API. You use the ApiResource name and secret to let an individual API authenticate against IdentityServer and log in to, for example, get details about the access token (token introspection).

I think this picture shows the relations between the various parts: [image]

The client asks for an ApiScope, and that will then create an access token that gives access to one or multiple ApiResources. Each ApiResource might, using the user claims, ask for additional user information that you want to have present in the access token, perhaps for the authorization step in the API, to determine if the user is really allowed in or not.

To complement this answer, I wrote a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope

Tore Nestenius
  • Thanks Tore for the answer. I went through your answers and below is my understanding. **1)** My understanding is that [dbo].[ApiResources] is used to group the scopes under one API name. This is only for reference purposes; other than that I did not find any use of it? **2)** If you have defined ApiResourceScopes but the scope is not defined in ApiScopes, then it will raise an invalid scope error? **3)** What is the use of [dbo].[ApiResourceClaims] and ApiResourceSecrets? Any real-time example of using them? – leo Apr 15 '21 at 03:59
  • As I said in my answer, you as a client ask for ApiScopes, and that will give you access to one or more ApiResources. I don't think just having ApiResources with ApiScopes makes any sense. You use ApiScopes to group one or more APIs (ApiResources). That will then affect the audience claim in the access token. – Tore Nestenius Apr 15 '21 at 06:27
  • Thanks again. Now I am clear about ApiResourceClaims --> user claims are returned when a specific resource scope (ApiResourceScopes) is called. Can you explain to me the use of ApiResourceSecrets and give a real-time example of ApiResources & ApiScopes? Sorry for asking for more details; this is to confirm my understanding is correct. Thanks in advance – leo Apr 15 '21 at 09:24
  • Updated my answer, does that help? Feel free to mark my answer as accepted if you accept it. – Tore Nestenius Apr 15 '21 at 10:16
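To make the relations in the answer concrete, here is an added example (not code from the answer, the question or IdentityServer4 itself) showing the same model as in-memory IdentityServer4 v4 configuration; the scope, resource, client and secret values are made up, and each property is labelled with the EF table from the question that it corresponds to.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// Added example, not code from the answer or from IdentityServer4 itself; names and
// values are made up. In-memory equivalent of the EF tables the question lists.
public static class Config
{
    // ApiScopes table: what the client asks for in the "scope" parameter.
    // A scope referenced from an ApiResource must also exist here, or it is invalid.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("TestAPI.Read", "Read access to TestAPI"),
        new ApiScope("TestAPI.Write", "Write access to TestAPI"),
    };

    // ApiResources table: one entry per physical API. Its name becomes the "aud"
    // claim of any access token that carries at least one of its scopes.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("TestAPI", "Test API")
        {
            // ApiResourceScopes: the scopes that grant access to this API.
            Scopes = { "TestAPI.Read", "TestAPI.Write" },
            // ApiResourceClaims: user claim types copied into the access token.
            UserClaims = { "role", "email" },
            // ApiResourceSecrets: credential the API presents to the introspection
            // endpoint (only needed when the API validates reference tokens).
            ApiSecrets = { new Secret("api-secret-placeholder".Sha256()) },
        },
    };

    // The Angular client is a public SPA (code flow + PKCE, no secret); it may only
    // request scopes listed in AllowedScopes, here openid plus TestAPI.Read.
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "angular-client",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://localhost:4200/callback" },
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "TestAPI.Read" },
        },
    };
}
```

Register these with AddInMemoryApiScopes, AddInMemoryApiResources and AddInMemoryClients on AddIdentityServer(); the API then validates its JWTs with the audience set to the resource name "TestAPI", and a token request for "TestAPI.Write" from this client is rejected because it is not in AllowedScopes.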