使用身份服务器 3 和身份服务器 4 创建的令牌保护 API

Question

I am using Identity Server 4 for validating the clients and generating the token. The website is created in Angular with.Net core but the API which was already developed is still in .NET framework 4.7.1 which is not supporting Identity Server 4.

So to protect the API i have configured the API with Identity Server 3 which supports .NET framework 4.7.1 but the issue is it is not validating the token generated by Identity Server 4.

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "http://localhost:5000",
                AuthenticationType = "Bearer",
                RequiredScopes = new[] { "api_to_be_protected" }
            });

is there any way we can validate the token and protect the API from unknown clients which is not authorized and also validates the token created by Identity Server 4

Answer 1

On your identity server, you should set the EmitLegacyResourceAudienceClaim option to true

var identityServerBuilder = services.AddIdentityServer(opt =>
            {
                opt.EmitLegacyResourceAudienceClaim = true;
            });

More information about this property can be found over here: https://identityserver4.readthedocs.io/en/latest/reference/options.html

I also found the nuget package IdentityServer3.Contrib.AccessTokenValidation has a recent update to support IDSrv 4, i would recommend that you use that instead of IdentityServer3.AccessTokenValidation