IdenityServer: API resources and scopes

Question

My understanding is that a Client is allowed to access ome or more ApiScope and an ApiScop is linked to many ApiResources the names of which become the values of the audience claims.

I.e., 1 client -> many API scopes and 1 API scope -> many API resources

However, people talk about ApiResources having ApiScopes (not scopes having resources) which does not seem to be how the model works.

How is it supposed to work? Is there any documentation?

Tore Nestenius · Answer 1 · 2023-02-06T12:00:33.063

3

When you define an ApiResource, you add what ApiScopes it belongs to.

Like in this code, where Scopes below is tied to two ApiScopes.

var invoiceApi = new ApiResource()
{
    Name = "invoiceapi",
    Description = "This is the invoice Api-resource description",
    Enabled = true,
    DisplayName = "Invoice API Service",
    Scopes = new List<string> { "invoice", "manager" },
};

Also, do see my answer here:

ApiResource vs ApiScope vs IdentityResource

To complement this answer, I write a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope

edited Feb 06 '23 at 12:00

answered May 07 '21 at 17:06

Tore Nestenius

16,431
5
30
40

So scopes have resources. – Richard Barraclough Jul 30 '21 at 09:00
Yes, Scopes points out resources in IdentityServer – Tore Nestenius Jul 30 '21 at 13:20
So why do people talk about resources having scopes (rather than scopes having resources)? – Richard Barraclough Aug 02 '21 at 10:25

IdenityServer: API resources and scopes

1 Answers1

Linked