- Two servers:
  - Auth server
    - acts as auth server
    - runs IdentityServer4
    - two APIs: auth and res1
    - two Clients:
      - client-app
        - used by a typical client app
        - grants: resource owner grant
        - allowed scopes: auth, res1
      - resource-server
        - inter-service communication between resource server 1 and auth server
        - grants: client credentials
        - allowed scopes: auth
    - client-app
      - acts as resource server
      - allowed scopes: auth
      - audience: auth
  - Resource server 1
    - acts as resource server
    - allowed scopes: res1
    - audience: res1
- The user authenticates once (step 1) and then needs tokens for the subsystems (here: resource server 1) without re-entering credentials
- Resource server 1 needs to check the user's permissions when resources are requested
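The two API resources and two clients described in the notes above, written out as an IdentityServer4 v4.x in-memory configuration. This is an added example, not code from the original notes; the client secret, the test user and the `AccessTokenLifetime` value are constructed placeholders, and the Startup wiring in the trailing comments assumes the auth server listens on http://localhost:60692 as in the requests below.

```csharp
// Added example (not from the original notes): IdentityServer4 v4.x Config.cs
// expressing the two APIs (auth, res1) and two clients (client-app, resource-server).
using System.Collections.Generic;
using IdentityServer4.Models;
using IdentityServer4.Test;

public static class Config
{
    // One API resource per server. Each resource server validates the "aud" claim,
    // so a token issued for "auth" (step 1) is rejected by resource server 1 ("res1").
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("auth", "Auth server API") { Scopes = { "auth" } },
        new ApiResource("res1", "Resource server 1 API") { Scopes = { "res1" } },
    };

    // v4 models scopes separately from resources; one scope per API here.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("auth"),
        new ApiScope("res1"),
    };

    public static IEnumerable<Client> Clients => new[]
    {
        // Client used by the end-user application: resource owner password grant,
        // allowed to ask for either scope (step 1 asks for auth, step 2 for res1).
        new Client
        {
            ClientId = "client-app",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            RequireClientSecret = false,   // the token requests in the notes send no client_secret
            AllowedScopes = { "auth", "res1" },
            AccessTokenLifetime = 300,     // constructed value: short lifetime limits replay of a leaked token
        },
        // Client used by resource server 1 to call the auth server (service-to-service):
        // client credentials only, and only the auth scope.
        new Client
        {
            ClientId = "resource-server",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("CHANGE-ME-resource-server-secret".Sha256()) }, // placeholder secret
            AllowedScopes = { "auth" },
        },
    };

    // Constructed development user matching the credentials used in step 1.
    public static List<TestUser> Users => new List<TestUser>
    {
        new TestUser { SubjectId = "1", Username = "user1", Password = "p@ss" },
    };
}

// Auth server, Startup.ConfigureServices (assumed wiring):
//   services.AddIdentityServer()
//       .AddInMemoryApiResources(Config.ApiResources)
//       .AddInMemoryApiScopes(Config.ApiScopes)
//       .AddInMemoryClients(Config.Clients)
//       .AddTestUsers(Config.Users)
//       .AddDeveloperSigningCredential();   // development only; use a real key in production
//
// Resource server 1, Startup.ConfigureServices (assumed wiring):
//   services.AddAuthentication("Bearer")
//       .AddJwtBearer("Bearer", options =>
//       {
//           options.Authority = "http://localhost:60692";
//           options.Audience = "res1";            // rejects the step 1 token, whose aud is "auth"
//           options.RequireHttpsMetadata = false; // development only
//       });
```

The `Audience = "res1"` setting on resource server 1 is what makes the two-token design meaningful: the step 1 token can only be used against the auth server's own API (step 3), and only the step 2 token is accepted by resource server 1 (step 4).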
Step 1: user authentication via the resource owner password grant (scope auth)

POST to http://localhost:60692/connect/token
Content-Type: application/x-www-form-urlencoded
- grant_type: password
- client_id: client-app
- scope: auth
- username: user1
- password: p@ss

Raw request:

    POST /connect/token HTTP/1.1
    Host: localhost:60692
    Content-Type: application/x-www-form-urlencoded

    grant_type=password&client_id=client-app&scope=auth&username=user1&password=p%40ss
Step 2: subsystem authentication using the step 1 access token (here: scope res1 for resource server 1)

POST to http://localhost:60692/connect/token
Content-Type: application/x-www-form-urlencoded
- grant_type: password
- client_id: client-app
- scope: res1
- username: SUBSYSTEMAUTH
- password: (access token from step 1)

Raw request:

    POST /connect/token HTTP/1.1
    Host: localhost:60692
    Content-Type: application/x-www-form-urlencoded

    grant_type=password&client_id=client-app&scope=res1&username=SUBSYSTEMAUTH&password=(access token from step 1)
Step 3: call the auth server's own API with the step 1 access token

GET to http://localhost:60692/api/v1/app-features (on auth server)
Authorization: Bearer (access token from step 1)

Raw request:

    GET /api/v1/app-features HTTP/1.1
    Host: localhost:60692
    Authorization: Bearer (access token from step 1)
Step 4: access the actual resource on resource server 1 with the step 2 access token

GET to http://localhost:60709/api/v1/items (on resource server)
Authorization: Bearer (access token from step 2)

Raw request:

    GET /api/v1/items HTTP/1.1
    Host: localhost:60709
    Authorization: Bearer (access token from step 2)
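Step 2 only works if the auth server treats the reserved username SUBSYSTEMAUTH specially: the "password" field then carries the step 1 access token, and the server must validate it as a token (signature against its own signing keys, issuer, lifetime, and audience) rather than as a credential. The following custom `IResourceOwnerPasswordValidator` is an added example of how to do that; it is not code from the original notes. It assumes IdentityServer4 3.x/4.x (where `IKeyMaterialService.GetValidationKeysAsync()` returns `SecurityKeyInfo` items), an issuer string injected from configuration, and a hypothetical `IUserCredentialStore` interface standing in for the real user store on the user1/p@ss path.

```csharp
// Added example (not from the original notes): custom resource owner password validator
// implementing the SUBSYSTEMAUTH token exchange of step 2 for IdentityServer4 3.x/4.x.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Validation;
using Microsoft.IdentityModel.Tokens;

// Hypothetical abstraction over the real user store (returns the subject id, or null on failure).
public interface IUserCredentialStore
{
    Task<string> ValidateAsync(string username, string password);
}

public class SubsystemAuthResourceOwnerValidator : IResourceOwnerPasswordValidator
{
    private const string SubsystemUser = "SUBSYSTEMAUTH";
    private const string ExchangeableAudience = "auth";   // only step 1 tokens (aud=auth) may be exchanged

    private readonly IUserCredentialStore _users;
    private readonly IKeyMaterialService _keys;       // the auth server's own signing/validation keys
    private readonly string _issuer;                  // assumed injected from configuration, e.g. "http://localhost:60692"

    public SubsystemAuthResourceOwnerValidator(IUserCredentialStore users, IKeyMaterialService keys, string issuer)
    {
        _users = users;
        _keys = keys;
        _issuer = issuer;
    }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        // Normal path (step 1): a real username/password pair.
        if (!string.Equals(context.UserName, SubsystemUser, StringComparison.Ordinal))
        {
            var subject = await _users.ValidateAsync(context.UserName, context.Password);
            context.Result = subject == null
                ? new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid credentials")
                : new GrantValidationResult(subject, "pwd");
            return;
        }

        // Exchange path (step 2): the password field holds a JWT. Validate it exactly as a
        // resource server would, against this server's own keys.
        var signingKeys = (await _keys.GetValidationKeysAsync()).Select(k => k.Key).ToList();
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = _issuer,
            ValidAudience = ExchangeableAudience,   // a res1 token cannot be exchanged again (no chaining)
            IssuerSigningKeys = signingKeys,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };

        try
        {
            var handler = new JwtSecurityTokenHandler();
            handler.InboundClaimTypeMap.Clear();   // keep "sub" as "sub" instead of mapping to NameIdentifier
            var principal = handler.ValidateToken(context.Password, parameters, out _);

            var sub = principal.FindFirst("sub")?.Value;
            var hasAuthScope = principal.FindAll("scope").Any(c => c.Value == ExchangeableAudience);
            var sameClient = principal.FindFirst("client_id")?.Value == context.Request.Client.ClientId;

            if (sub == null || !hasAuthScope || !sameClient)
            {
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "token is not exchangeable");
                return;
            }

            // Issue the subsystem token for the same user. The authentication method ends up in the
            // "amr" claim, so resource server 1 can distinguish an exchange from a fresh password login.
            context.Result = new GrantValidationResult(sub, "subsystem-token-exchange");
        }
        catch (SecurityTokenException)
        {
            // Covers bad signature, wrong issuer/audience, and expired tokens alike.
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid access token");
        }
    }
}

// Auth server registration (assumed): replaces the default test-user validator, so do not
// also call AddTestUsers() when using this class.
//   services.AddIdentityServer()
//       ...
//       .AddResourceOwnerValidator<SubsystemAuthResourceOwnerValidator>();
```

Two checks in this validator carry most of the security weight. `ValidAudience = "auth"` means only a step 1 token is accepted, so a res1 token that leaks from resource server 1 cannot be turned back into further tokens. The `client_id` comparison ties the exchange to the client that obtained the original token. Because the token travels in a form field named `password`, anything that logs token request bodies will capture it; keep step 1 tokens short-lived (see `AccessTokenLifetime`) and make sure request-body logging is off on the auth server.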