
IdentityServer4 - ApiResource and Client, how are they tied together

I am trying to determine how ApiResource and Client are tied together.

How do I go about ensuring that someone requesting a token from a Client for a particular ApiResource actually has access to that ApiResource?

Are they tied together by Scopes?

Here is some slightly modified code from a QuickStart:

public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("api1Resource", "My API")
        {
            Scopes = 
            {
                new Scope("api1"),
                new Scope("api1.ro"),
                new Scope("offline_access")
            },
            UserClaims = { "role", "user" }
        }
    };
}

// clients want to access resources (aka scopes)
public static IEnumerable<Client> GetClients()
{
    // client credentials client, for APIs
    return new List<Client>
    {
        new Client
        {
            ClientId = "apiClient",
            AllowedGrantTypes = GrantTypes.ClientCredentials,

            ClientSecrets =
            {
                // Secret that can be created and given to ITSM_API
                new Secret("secret".Sha512(), "ITSM_API Secret")
            },
            AllowedScopes = { "api1", "api1.ro", "offline_access" }
        },

        // resource owner password grant client, for interactive users
        new Client
        {
            ClientId = "userClient",
            AllowedGrantTypes = GrantTypes.List
            (
                GrantType.ResourceOwnerPassword,
                "offline_access"
            ),
            ClientSecrets = 
            {
                new Secret("secret".Sha512(), "userClient Secret")
            },
            UpdateAccessTokenClaimsOnRefresh = true,
            AllowedScopes = { "api1", "api1.ro", "offline_access" },
            AbsoluteRefreshTokenLifetime = 86400,
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.ReUse
        }
    };
}

Having a read of this article might help ... https://leastprivilege.com/2016/12/01/new-in-identityserver4-resource-based-configuration/ . Prior to this there were no resources, just scopes. The abstract nature of scopes meant things weren't always obvious, so resources were invented.

So where you are currently specifying your Client > AllowedScopes you could just refer to your resource rather than repeating the scopes you've defined within your resource. https://identityserver4.readthedocs.io/en/release/reference/api_resource.html

The Scopes are resources you provide with your resource server. For example if you had a Calendar Resource server your Scopes would be calendarentry, read.calendarentry, create.calendarentry. So basically things your users can do on your server.

The API Resource is your resource server as a whole. The Client (the one getting the access_token), requests the scope it needs, and the user grants the rights to the Client.

The Scopes get put into the access_token, and when your resource server receives the access_token, you need to check if the user (which is identified by the access_token) is allowed to access the scope requested. (This can be done beforehand on the IdentityServer). You can for example check with your user database on login if the user has access to the API Resources you defined. The IdentityServer is very configurable to suit almost every setup.
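Both answers above describe the same two links: the ApiResource name ends up in the token's `aud` claim and the granted scopes end up in its `scope` claim, so the resource server has to check both. The following is an added example, not code from the question or either answer, showing how the `api1Resource` API from the question could enforce that with the IdentityServer4.AccessTokenValidation package on ASP.NET Core 2.x. The `Authority` URL, the policy names and the `CalendarController` endpoints are assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Startup of the resource server that the question calls "api1Resource".
// Assumed to run as a separate ASP.NET Core project next to IdentityServer.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Tie 1: the ApiResource name. IdentityServer puts the name of every
        // ApiResource whose scopes were granted into the "aud" claim, and
        // ApiName makes the handler reject tokens whose "aud" lacks it.
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5000"; // assumed IdentityServer address
                options.RequireHttpsMetadata = false;         // development only
                options.ApiName = "api1Resource";             // must equal the ApiResource name
            });

        // Tie 2: the scopes. A client only ever receives the intersection of
        // its AllowedScopes and what it asked for, so the "scope" claims in the
        // token are the rights the Client was configured and granted.
        services.AddAuthorization(options =>
        {
            // read access: either the read-only scope or the full scope is enough
            options.AddPolicy("ReadOnly", policy =>
                policy.RequireClaim("scope", "api1.ro", "api1"));

            // write access: only the full "api1" scope qualifies
            options.AddPolicy("FullAccess", policy =>
                policy.RequireClaim("scope", "api1"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so [Authorize] sees the claims.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Assumed controller: read endpoints need "api1.ro" or "api1",
// write endpoints need "api1". A token issued to the "userClient" from the
// question that requested only "api1.ro" can call GET but is refused on POST.
[Route("calendar")]
public class CalendarController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "ReadOnly")]
    public IActionResult Get() => Ok(new { entries = new string[0] });

    [HttpPost]
    [Authorize(Policy = "FullAccess")]
    public IActionResult Create() => Ok();
}
```

The `aud` check prevents a token minted for a different ApiResource from being replayed against this API even if the scope names happen to overlap, and the scope policies prevent a client that was only allowed `api1.ro` from reaching write endpoints. `RequireClaim` works here because IdentityServer4 emits multiple scopes as separate `scope` claims; if the server is configured to emit them as a single space-delimited string instead, the policy has to split that string before comparing.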
