
API resources

The fundamental concept in any RESTful API is the resource. A resource is an object with a type, associated data, relationships to other resources, and a set of methods that operate on it. API resources are something you want to protect: all access to them must be authenticated and, usually, authorized.

Every resource has a unique name, and clients use this name to specify which resources they want to access. API resources represent functionality a client wants to invoke, typically modelled as Web APIs, but not necessarily.

API Resources are defined and provided by each application as part of the vanilla configuration.

Models

[Figure: model diagram]

More technical information at https://docs.duendesoftware.com/identityserver/v6/fundamentals/resources/api_resources/.

ApiResource

This class models an API resource.

ApiClaims

List of associated user claim types that should be included in the access token.

ApiSecrets

The API secret is used for the introspection endpoint. The API can authenticate with introspection using the API name and secret. Internally in Sequel we are not using introspection, as we are using JWT validation.

ApiScope

In the simple case an API has exactly one scope. But there are cases where you might want to sub-divide the functionality of an API, and give different clients access to different parts.

ApiScopeClaim

List of associated user claim types that should be included in the access token. The claims specified here will be added to the list of claims specified for the API.

Sample

The sequel-security tool section covers how to export and import configurations; this section covers the data exchange format. Following that format, an API resource is represented in JSON as:

  {
    "Enabled": true,
    "Name": "sec.api",
    "DisplayName": "Security API",
    "Description": "Security Rest API",
    "UserClaims": [],
    "ApiSecrets": [],
    "Scopes": [
      {
        "Name": "sec.api",
        "DisplayName": null,
        "Description": "sec.api",
        "Required": true,
        "Emphasize": true,
        "ShowInDiscoveryDocument": true,
        "UserClaims": []
      }
    ]
  }

The above sample represents a traditional API resource definition where the most important properties are:

  • Name: unique name of the API resource. It must follow the key naming convention, where every key starts with the application key, followed by a dot and the code.
  • DisplayName: friendly short name used in consent screens. Currently this is not used in our implementations.
  • Description: text describing the API resource.
  • UserClaims: Usually empty, as we are not requiring it.
  • ApiSecrets: Usually empty, as we are not using the introspection endpoint.
  • Scopes: at least one scope is required. Each scope name must be a valid key.
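As an added example (not part of this page or of the sequel-security tool), the following Python checks an exported API resource document against the rules listed above and shows how scope claims (ApiScopeClaim) merge with the resource's own claims. It assumes that a valid key is two lowercase alphanumeric segments joined by a dot, e.g. "sec.api"; the page does not pin the convention down further.

```python
import json
import re

# Assumption: "application key, a dot, the code" with lowercase alphanumeric
# segments, e.g. "sec.api". The page does not specify the allowed characters.
KEY_RE = re.compile(r"^[a-z0-9]+\.[a-z0-9]+$")

def validate_api_resource(doc: dict, app_key: str) -> list:
    """Return the problems found in an exported ApiResource document (empty = OK)."""
    problems = []
    name = doc.get("Name")
    if not isinstance(name, str) or not KEY_RE.match(name):
        problems.append(f"Name {name!r} is not a valid key")
    elif not name.startswith(app_key + "."):
        problems.append(f"Name {name!r} does not start with application key {app_key!r}")
    scopes = doc.get("Scopes") or []
    if not scopes:
        problems.append("at least one scope is required")
    for i, scope in enumerate(scopes):
        sname = scope.get("Name")
        if not isinstance(sname, str) or not KEY_RE.match(sname):
            problems.append(f"Scopes[{i}].Name {sname!r} is not a valid key")
    if doc.get("ApiSecrets"):
        # Secrets only serve the introspection endpoint, which JWT validation does not use.
        problems.append("ApiSecrets is set although introspection is not used")
    return problems

def effective_claims(doc: dict, scope_name: str) -> list:
    """Claim types an access token for `scope_name` would carry: the resource's
    UserClaims plus the scope's own UserClaims (ApiScopeClaim), without duplicates."""
    for scope in doc.get("Scopes") or []:
        if scope.get("Name") == scope_name:
            merged = list(doc.get("UserClaims") or [])
            merged += [c for c in scope.get("UserClaims") or [] if c not in merged]
            return merged
    raise KeyError(scope_name)

# Constructed sample: the page's export with claims added so the merge is visible.
SAMPLE = json.loads("""{
  "Enabled": true, "Name": "sec.api", "DisplayName": "Security API",
  "Description": "Security Rest API", "UserClaims": ["role"], "ApiSecrets": [],
  "Scopes": [
    {"Name": "sec.api", "DisplayName": null, "Description": "sec.api",
     "Required": true, "Emphasize": true, "ShowInDiscoveryDocument": true,
     "UserClaims": ["email", "role"]}
  ]
}""")

if __name__ == "__main__":
    print(validate_api_resource(SAMPLE, "sec"))   # []
    print(effective_claims(SAMPLE, "sec.api"))     # ['role', 'email']
```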

How to manage API resources

API resources are part of each application's configuration and can only be managed using the sequel-security console tool.