I have created an Identity Server 4 based application using .NET Core 3.0, and deployed it to an Azure App Service running on a Windows hosting environment.

I also created an Azure API Management service and am trying to expose Identity Server endpoints through API Management only.

Is this a good design or a bad design? Should I expose Identity Server 4 endpoints directly?

Behind API Management, I have a few other APIs that should only be accessed by valid end users.

1 Answer

Is this a good design or a bad design? Should I expose Identity Server 4 endpoints directly?

In fact, there is no standard answer for such a question; however, I have tried to provide some references and suggestions here.

In my opinion, it depends on what features you involve. As far as I know, Identity Server 4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core. In other words, it's generally a middleware for authentication.

Authentication could be supported by APIM as well. Additionally, APIM supports more features, such as Groups and Subscriptions to control the roles and users in your API accesses. Or you could define many strategies in the Policy definition. The monitoring logs could be easily captured into Azure Storage or Azure Event Hub for analysis.

Anyway, for supporting more features, I would suggest using APIM directly.
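For the APIs behind API Management that should only be reachable by valid end users, an inbound `validate-jwt` policy can check tokens issued by Identity Server before a request reaches the backend. This is an added example, not part of the original question or answer; the host `identity.example.com` and the audience `orders-api` are placeholder assumptions.

```xml
<!-- Added example: apply at the scope of each protected backend API,
     NOT on the API that proxies the Identity Server endpoints
     (callers of the token and discovery endpoints have no access token yet). -->
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-expiration-time="true"
                      require-scheme="Bearer"
                      require-signed-tokens="true">
            <!-- Discovery document published by Identity Server; APIM reads the
                 signing keys from it. Placeholder host (assumption). -->
            <openid-config url="https://identity.example.com/.well-known/openid-configuration" />
            <audiences>
                <!-- Placeholder API resource name (assumption). Reject tokens
                     that were issued for a different API. -->
                <audience>orders-api</audience>
            </audiences>
            <issuers>
                <!-- Must equal the "issuer" value in the discovery document,
                     i.e. the URL clients actually use to reach Identity Server. -->
                <issuer>https://identity.example.com</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The backend APIs should still validate the token themselves, or accept traffic only from the API Management instance, so that a request that bypasses the gateway is not trusted.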