ApiResource vs ApiScope vs IdentityResource

About

Asked 9/9, 2020 at 11:55 Answered 9/9, 2020 at 13:39

Solved c#identityserver4 scopes duende-identity-server

I've read the IdentityServer4 documentation but I can't understand what is the exact difference between these three concepts. (ApiResource vs ApiScope vs IdentityResource)

1- As it is said in the documentation, API Scope models an OAuth scope. and API Resource models an API resource. So what is the difference between the OAuth scope and API resource?

2- also, as I understand in this section of document , in AllowsScope of client definition in Identity server, we must add IdentityResources. So what is the exact usage of Identity resources?

3- If I add some IdentityResources to client AllowsScopes, How can I see these Resources In client?

I am the beginner in Identity Server, which means that my questions are maybe elementary. but please answer it, I've searched a lot, and nowhere explain these concepts completely. For example,here is the definition of Identity resource!

Dikmen answered 9/9, 2020 at 11:55 Comment(0)

Scopes listed under IdentityResources are the scopes that will be included in the ID token.

ApiScopes is what you ask for as a client and as a user, you give consent to. Optionally, one or more ApiResources can be associated with an ApiScope.

The ApiScope and ApiResources control what is included in the access token. ApiResources points out what the aud claim in the access token will contain.

To summarize, the scopes sent by the client are a list of IdentityResources and ApiScopes.

To complement this answer, I wrote a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope

Glyptic answered 9/9, 2020 at 13:39 Comment(19)

As I read the documents here, it is the opposite of what you said, ApiResource, can point out one or more ApiScope. Am I right? identityserver4.readthedocs.io/en/latest/topics/… – Dikmen 12/9, 2020 at 5:21

also I have another question, I add "email" to allowed scopes of client, and also add it in identity resources, then add it to client scope by add.scope("email). but when i decrypt the IDToken can't see email value in it. (also the users claims has "email") – Dikmen 12/9, 2020 at 7:2

Yes you are right! but (the arrows are in the wrong direction) but from a user point of view, you ask for ApiScopes and then they point out ApiResources to include. – Glyptic 12/9, 2020 at 7:26

Regarding email, did you also add email to the client allowedscopes list? – Glyptic 12/9, 2020 at 7:27

i clarified the text and image, logically , one ApiScopes includes zero or more ApiResources. But in code an ApiResource selects to which ApiScopes they belong to. – Glyptic 12/9, 2020 at 7:41

I can't understand what is the difference between logic and code. why one ApiScope includes zero or more ApiResource logically? could you please explain it more? does this image wrong? imgur.com/a/kjDUD02 – Dikmen 14/9, 2020 at 7:31

regarding email, yes I've add email to client allowedscope list.. – Dikmen 14/9, 2020 at 7:32

A user never asks access to a ApiResource directly (it was like like that in version 3.x), in V4 of IdentityServer, a user asks for ApiScopes when they ask for scopes. So, a user asks for access and give consent for a set of IdentiyResources and ApiScopes. Then to control what goes into the audience claim, is determined how many ApiResources is tied to the ApiScope. – Glyptic 14/9, 2020 at 11:42

so , one ApiResource contains one or more ApiScope? – Dikmen 15/9, 2020 at 5:36

does this image correct? imgur.com/a/kjDUD02 – Dikmen 15/9, 2020 at 5:37

image is correct, so each ApiResource points out what Scope they want to be associated with. Does that make this question accepable? – Glyptic 15/9, 2020 at 6:26

yes ! :D but I want to ask you to put this image or something like this in your answer for other developers. your exact answers does not say exact relation between these two concept. (The Identity resource is explained well) – Dikmen 15/9, 2020 at 7:30

I think my picture is pretty clear, its not that the ApiResorces owns the ApiScopes, the ApiScopes in the ApiResource is just the names of the scopes, not the apiObject scopes them self.... In my picture, the ApiResource Payment is tied to the ApiScope Payment. – Glyptic 15/9, 2020 at 11:17

An arrow between Resource and Scope is not a clear explanation. That's why I said put more shape.Your figure does not explain exactly what the arrow means – Dikmen 15/9, 2020 at 12:16

I fixed an arrow bug and also added scopes, happy? – Glyptic 15/9, 2020 at 12:37

it's confusing between scope and ApiScope. It looks like they're different things, why are they called the same name? – Tumulus 6/1, 2021 at 6:46

Scope is what you as a client ask for, then the scope mapped to the identityresources and the ApiScopes. In other words, the scope is a list of IdentityResources and ApiScopes. – Glyptic 6/1, 2021 at 9:7

Duende's "Api Resources" states "The ApiResource class allows for [..] grouping [..] of scopes" ApiResource can group several ApiScopes, and an ApiScope can be included in several ApiResources. Note that the grouping is on the data side, not in the token. The "Resources Isolation"-page states "OAuth itself only knows about scopes - the (API) resource concept does not exist [.. so] all the requested scope [..] get merged into a single access token". – Damiano 2/8 at 14:58

@YahooSerious As you see on docs.duendesoftware.com/identityserver/v6/fundamentals/… , one scope manage can be associated with both the Invoice and customer scopes. Ie, the client can ask for one manage scope, and then get access to multiple services, and you get one access token that works with both APIs. So, what is wrong in my answer? – Glyptic 3/8 at 14:25

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags