0
votes

I've studied the OAuth2 and OpenId Connect protocols to secure resources, but something doesn't feel right.

How do you allow simple and direct access to an API protected by IdentityServer4?

The use case: the user needs to consume my API directly (for example, via Postman).

As simple as that:

  1. The user sends a request with his username and password to the identity provider to generate an access token.

  2. He uses that access token (as bearer) and consumes the API.

But there are some complications along the way, like providing client secrets and scope to the identity provider to generate the token (the user should be concerned only with his username and password, not with notions like scopes, etc.). Maybe OAuth2/OpenId Connect are not the right tool for the job?
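The two-step exchange described in the question (token request, then a bearer call to the API), as an added example that is not part of the question or of IdentityServer4's own code. It is simulated in-process so it runs offline, and it makes the point the question is circling: `client_id`, `client_secret` and `scope` belong to the registered client application, the username and password belong to the user, and the API only ever sees the resulting token, which it verifies for signature, expiry and scope. Assumptions: a single constructed client `postman-demo` allowed the scope `api1`, a constructed user store, and HMAC (HS256) signing for brevity; `/connect/token` is IdentityServer4's real token endpoint path, everything else is constructed for the demo.

```python
"""Resource owner password grant, simulated end to end (added example)."""
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

# Constructed IdP configuration (assumption: one registered client, HS256 signing).
SIGNING_KEY = b"demo-signing-key"                          # constructed demo key
CLIENTS = {"postman-demo": {"secret": "s3cret", "scopes": {"api1"}}}
USERS = {"alice": "alice-password"}                        # constructed user store
TOKEN_TTL = 3600
TOKEN_ENDPOINT = "/connect/token"   # IdentityServer4's token endpoint path

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()

def _eq(a: str, b: str) -> bool:
    # constant-time comparison for secrets and passwords
    return hmac.compare_digest(a.encode(), b.encode())

def token_endpoint(form: dict, now: int | None = None) -> tuple:
    """IdP side: POST /connect/token with grant_type=password. Returns (status, body)."""
    now = int(time.time()) if now is None else now
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    # client_id / client_secret identify the *application*, not the user
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not _eq(client["secret"], form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    # the requested scope must be one the client is registered for
    scope = set(form.get("scope", "").split())
    if not scope or not scope <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    # only now are the user's own credentials checked
    stored_pw = USERS.get(form.get("username", ""))
    if stored_pw is None or not _eq(stored_pw, form.get("password", "")):
        return 400, {"error": "invalid_grant"}
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": form["username"], "client_id": form["client_id"],
              "scope": sorted(scope), "iat": now, "exp": now + TOKEN_TTL,
              "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode())).encode()
    token = signing_input.decode() + "." + _b64url(_sign(signing_input))
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "scope": " ".join(sorted(scope))}

def validate_bearer(authorization: str, required_scope: str, now: int | None = None):
    """API side: verify signature, expiry and scope of the bearer token; None if invalid."""
    now = int(time.time()) if now is None else now
    if not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    signing_input = (parts[0] + "." + parts[1]).encode()
    try:
        if not hmac.compare_digest(_b64url_decode(parts[2]), _sign(signing_input)):
            return None
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:           # bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now or required_scope not in claims.get("scope", []):
        return None
    return claims

def api_get_resource(headers: dict, now: int | None = None) -> tuple:
    """Protected API endpoint: needs a valid token carrying the api1 scope."""
    claims = validate_bearer(headers.get("Authorization", ""), "api1", now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    return 200, {"hello": claims["sub"], "via_client": claims["client_id"]}

def client_flow(username: str, password: str, now: int | None = None) -> tuple:
    """What Postman does: step 1 request a token, step 2 call the API as bearer."""
    form = {"grant_type": "password", "client_id": "postman-demo",
            "client_secret": "s3cret", "scope": "api1",
            "username": username, "password": password}
    status, body = token_endpoint(form, now)
    if status != 200:
        return status, body
    return api_get_resource({"Authorization": "Bearer " + body["access_token"]}, now)

if __name__ == "__main__":
    print(client_flow("alice", "alice-password"))
```

The `client_flow` function is the part a user would type into Postman; every other function is something the identity provider or the API does server-side, which is why the user never has to understand scopes. Note that the client secret is still embedded in the client here, which is exactly the property the comments below object to for a public client such as Postman.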

Although you can request tokens using Postman, you should never ask for a password in a client (e.g. Postman). You should redirect the user to the authorization server instead. – Ron van der Heijden

I see, so how should a browser-less flow happen? It's all REST, plain API calls, no browser involved. – MurariAlex