
I am implementing Identity Server in a razor page application.

When requesting the speech ApiResource, IdentityServer returns "invalid_scope". My understanding is that the resource is a group of scopes. So, I was expecting IdentityServer to return the scopes defined in the speech resource. Note: when I add speech as an ApiScope it works fine, but then it does not add the speech.synthesize and payment.subscription scopes.

Here's how I have defined the ApiScopes:

public static IEnumerable<ApiScope> ApiScopes =>
    new List<ApiScope>
    {
        new ApiScope("speech.synthesize", "Speech synthesis", new [] { "api.create" }),
        new ApiScope("payment.subscription", "Subscription service"),
        new ApiScope("payment.manage", "Manage Payment"),
    };

And here's how I have defined the ApiResource:

public static IEnumerable<ApiResource> ApiResources =>
    new List<ApiResource>
    {
        new ApiResource("speech", "Speech API")
        {
            Scopes = { "speech.synthesize", "payment.subscription" }
        }
    };

And here's the client configuration:

public static IEnumerable<Client> Clients =>
    new List<Client>
    {
        new Client
        {
            ClientId = "client",

            // no interactive user, use the clientid/secret for authentication
            AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,

            // secret for authentication
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },
            AlwaysSendClientClaims = true,
            // scopes that client has access to
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "speech"
            }
        }
    };

What is wrong here? Can anybody help me understand the problem?

What is the role of the ApiResource if not grouping the scopes?

Kishan Vaishnav

1 Answer


You, as a client, ask for ApiScopes, not ApiResources. One or more ApiResources can point to an ApiScope.

An ApiResource represents an API instance, not a Scope. ApiResources are like clients, but for Apis.

See my answer here for more details about the difference between IdentityResource, ApiResource and ApiScope

Tore Nestenius
  • So, Api Resource controls the list of scopes that can be sent to an actual API resource. After reading your answer I remembered that the ApiResource is used in the Resource Server as "Audience". – Kishan Vaishnav Apr 21 '21 at 13:03
  • Your client asks for a set of scopes (either IdentityResources or ApiScopes). ApiScopes can then give access to one or multiple APIs (ApiResources), and the aud claim in the access token will contain the list of ApiResources associated with the ApiScopes selected. – Tore Nestenius Apr 21 '21 at 14:08
  • As per the https://stackoverflow.com/a/63058736/9522887 the audience claim is no longer sent and not configured in the Resource Owner. Does that mean ApiResource is no longer suggested? – Kishan Vaishnav Apr 22 '21 at 06:37
  • In version 4, they introduced the ApiScope and rearchitected how these things work with ApiResources. You do want this, and you want the audience claim, as the AddJwtBearer API uses that to verify that the token it receives is intended for it. – Tore Nestenius Apr 22 '21 at 06:41
  • But as you can see in the https://stackoverflow.com/a/63058736/9522887 answer there is no Audience. And it is using AddJwtBearer(). Is it incorrect config? – Kishan Vaishnav Apr 22 '21 at 06:44
  • You get a proper audience if you define ApiScopes and ApiResources, otherwise you will get a generic static audience claim instead. See this page https://docs.duendesoftware.com/identityserver/v5/fundamentals/resources/api_scopes/ Unless you disable it, I think it will do an audience check even if it's not in the code. But you should use Audience to make a secure API, it's a best practice. – Tore Nestenius Apr 22 '21 at 06:58
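As an added example (not code from the question or the answer), here is the configuration the thread points to: the client requests the ApiScopes rather than the ApiResource name, the "speech" ApiResource groups those scopes so the token's aud claim names it, and the API rejects tokens with any other audience. The SpeechApiAuth wiring and the Authority URL are assumptions.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Scopes are what a client asks for; these mirror the question's definitions.
    public static IEnumerable<ApiScope> ApiScopes => new List<ApiScope>
    {
        new ApiScope("speech.synthesize", "Speech synthesis"),
        new ApiScope("payment.subscription", "Subscription service"),
    };

    // The ApiResource is the API instance: a token issued for either scope gets "speech" in aud.
    public static IEnumerable<ApiResource> ApiResources => new List<ApiResource>
    {
        new ApiResource("speech", "Speech API")
        {
            Scopes = { "speech.synthesize", "payment.subscription" }
        }
    };

    public static IEnumerable<Client> Clients => new List<Client>
    {
        new Client
        {
            ClientId = "client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
            ClientSecrets = { new Secret("secret".Sha256()) },
            // Allow the ApiScopes, not "speech": requesting the resource name is what produced invalid_scope.
            AllowedScopes = { "speech.synthesize", "payment.subscription" }
        }
    };
}

// Resource server side (assumed helper for the API project): accept only tokens whose aud names this API.
public static class SpeechApiAuth
{
    public static void AddSpeechApiAuth(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:5001"; // assumed IdentityServer address
                options.Audience = "speech";                   // must equal the ApiResource name
            });
    }
}
```

A token minted for a client that only holds payment.manage would carry no "speech" audience and is rejected by the API before any scope policy runs.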