I have some doubts after reading the Open Id docs. Any help will be much appreciated.
Following any of the oidc flows you end by having an id_token and a ac
a) When you send the access_token to a protected api, why or when (example) would it need to retrieve some claims about the user who owns it? Maybe if the protected api wants to use some data about the authenticated user?
For example, if your users can be subdivided into organisations or departments and you want to add a policy within your api to only allow access to certain endpoints when the user is in one of those subdivided groups, you can add a custom claim "organisationid" or "departmentid" and add that claim with its value to the tokens that are issued. Whether this is applicable or not will depend on the context of your problem, and there is a fine line where the concern of authorization can mistakenly be attempted to be solved within authentication.
b) For obtaining the claims, will the protected api need to communicate with the UserEndpoint endpoint? Does it send the access_token? And which claims are contained in the returned id_token? What happens if it asks for more claims than the user has consented access to?
You don't necessarily need to use the UserInfo endpoint. You can set the client property AlwaysIncludeUserClaimsInIdToken to true and all the claims will be included in the id_token by default, therefore removing the need for a round trip to the UserInfo endpoint. If you do end up taking the round trip, you were correct in saying that you need to send the access_token representing the user; however, what is returned is not an id_token, but rather user info.
Example from IdentityServer4 docs:
Request:

    GET /connect/userinfo
    Authorization: Bearer {access_token}

Response:

    HTTP/1.1 200 OK
    Content-Type: application/json

    {
        "sub": "248289761001",
        "name": "Bob Smith",
        "given_name": "Bob",
        "family_name": "Smith",
        "role": [ "user", "admin" ]
    }
Lastly
How do you specify which users can access specific resources?
This should most likely be solved through Authorization, which is not the concern of the OAuth2 protocol or IdentityServer4. Authorization is normally handled differently within each application based on problem domain needs. I would recommend taking a look at Policy Server by the creators of Identity Server. They have an excellent video where they delve deeper into this topic, and they also have a product to address this problem.
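To tie the two answers together, here is an added C# example (not from the question, the answer, or the IdentityServer4 docs) of the claim-based setup described above: the IdentityServer4 client is configured with AlwaysIncludeUserClaimsInIdToken so the id_token carries the custom claims without a UserInfo round trip, the API resource asks for departmentid in its access tokens, and the API gates an endpoint on that claim's value. It assumes IdentityServer4 v4; the client id, scope names, URLs, secret and the "finance" value are made up for the example.

```csharp
// IdentityServer4 host (v4): Config.cs. Names, URLs and secret are assumed.
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Requesting the "organisation" scope releases these two custom claims.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[]
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResource("organisation", new[] { "organisationid", "departmentid" })
        };

    public static IEnumerable<ApiScope> ApiScopes => new[] { new ApiScope("api1") };

    // UserClaims listed on the API resource are copied into access tokens issued
    // for it, so the API can authorize locally instead of calling /connect/userinfo.
    public static IEnumerable<ApiResource> ApiResources =>
        new[]
        {
            new ApiResource("api1", "Example API")
            {
                Scopes = { "api1" },
                UserClaims = { "departmentid" }
            }
        };

    public static IEnumerable<Client> Clients =>
        new[]
        {
            new Client
            {
                ClientId = "mvc",
                AllowedGrantTypes = GrantTypes.Code,
                ClientSecrets = { new Secret("example-secret".Sha256()) },
                RedirectUris = { "https://localhost:5002/signin-oidc" },
                AllowedScopes = { "openid", "profile", "organisation", "api1" },
                // Identity claims go straight into the id_token: no UserInfo round trip.
                AlwaysIncludeUserClaimsInIdToken = true
            }
        };
}

// Protected API: call from Startup.ConfigureServices, then mark controllers or
// actions with [Authorize(Policy = "FinanceOnly")].
public static class ApiAuthorization
{
    public static IServiceCollection AddDepartmentPolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
            options.AddPolicy("FinanceOnly", policy =>
                policy.RequireAuthenticatedUser().RequireClaim("departmentid", "finance")));
}
```

A token for a user whose departmentid claim is anything other than "finance" is rejected by the policy with 403, while a token without the claim at all fails the same way, so the access decision never depends on a UserInfo call succeeding.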