5

I have created a ResourceApi in my IndetityServer4 something like this:

I have defined a ApiResource called API 1 and specify directly claims - name, sub for this api resource and I've extended this resource and specify two scopes named Api1.Read and Api1.Write and specify for every scope a specific claims which I need for the specific part of API but I don't understand what is different between Claims used in ApiResource and Scopes?

What does mean Claims directly connected in ApiResource and Claims which is used in Scope?

I have tried restrict UserClaims in ApiResource only for sub and name but if I want in Api1.Write claim role it's sent in access token but in definition of Api1 is specify only name and sub - why is UserClaims defined in ApiResource?

var apiResource = new ApiResource
            {
                Name = "Api1",
                UserClaims = new List<string> { "name", "sub" },

                Scopes = new List<Scope>
                {
                    new Scope
                    {
                        Name = "Api1.Read",
                        UserClaims = new List<string> {"sub", "name"}
                    },
                    new Scope
                    {
                        Name = "Api1.Write",
                        UserClaims = new List<string> {"sub", "name", "role"}
                    }
                }
            };
Jenan
  • 3,408
  • 13
  • 62
  • 105

1 Answers1

4

As per the documentation on ApiResource, the UserClaims in the ApiResource itself will always be included in the access token. If you divide that api in multiple Scope's, the UserClaims listed there will be added onto the UserClaims specified in the ApiResource.

Mim
  • 453
  • 4
  • 6