2

My understanding is that a Client is allowed to access ome or more ApiScope and an ApiScop is linked to many ApiResources the names of which become the values of the audience claims.

I.e., 1 client -> many API scopes and 1 API scope -> many API resources

However, people talk about ApiResources having ApiScopes (not scopes having resources) which does not seem to be how the model works.

How is it supposed to work? Is there any documentation?

Richard Barraclough
  • 2,625
  • 3
  • 36
  • 54

1 Answers1

3

When you define an ApiResource, you add what ApiScopes it belongs to.

Like in this code, where Scopes below is tied to two ApiScopes.

var invoiceApi = new ApiResource()
{
    Name = "invoiceapi",
    Description = "This is the invoice Api-resource description",
    Enabled = true,
    DisplayName = "Invoice API Service",
    Scopes = new List<string> { "invoice", "manager" },
};

Also, do see my answer here:

ApiResource vs ApiScope vs IdentityResource

To complement this answer, I write a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope

Tore Nestenius
  • 16,431
  • 5
  • 30
  • 40