Step 1 – Designing the Config class

The Config class holds important details of the authorization server, such as Resources, Clients, and Users. These details are used while generating the token. Let's design it:

using System.Collections.Generic;
using IdentityModel;            // JwtClaimTypes
using IdentityServer4.Models;   // ApiResource, Client, Secret, GrantTypes

public class Config
{
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            // Read-only resource. The claim types listed here are the user
            // claims that will be included in an access token issued for it.
            new ApiResource
            (
                "FlixOneStore.ReadAccess",
                "FlixOneStore API",
                new List<string>
                {
                    JwtClaimTypes.Id,
                    JwtClaimTypes.Email,
                    JwtClaimTypes.Name,
                    JwtClaimTypes.GivenName,
                    JwtClaimTypes.FamilyName
                }
            ),

            // Full-access resource; no additional user claims are requested for it.
            new ApiResource("FlixOneStore.FullAccess", "FlixOneStore API")
        };
    }
}

ApiResource is used to declare the scopes of the API and the user claims that go with them. In the simplest case an API exposes a single resource that every client may access. In a typical deployment, however, different clients are restricted to different parts of the API. When we declare the clients, we will refer to these resources to configure each client's scope and access rights: FlixOneStore.ReadAccess and FlixOneStore.FullAccess are two separate resources (each backed by a scope of the same name) that can be assigned to clients to grant read-only or full access, respectively.

The methods we are designing here are registered at Startup. GetApiResources creates two resources with different settings. The first one, FlixOneStore.ReadAccess, is the one we will use for now. The list of strings (Id, Email, Name, and so on) names the claims about the authenticated customer that will be embedded in the access token for this resource and therefore become visible to the API that receives the token.

Let's add details for a client from where we will consume the authorization server:

    public static IEnumerable<Client> GetClients()
    {
        return new[]
        {
            new Client
            {
                Enabled = true,
                ClientName = "HTML Page Client",
                ClientId = "htmlClient",
                // Resource owner password grant: the client posts the user's
                // username and password directly to the token endpoint.
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,

                // Only the SHA-256 hash of the secret is stored; the client
                // presents the plaintext "secretpassword" when requesting a token.
                ClientSecrets =
                {
                    new Secret("secretpassword".Sha256())
                },

                // Scopes this client may request; FullAccess is deliberately excluded.
                AllowedScopes = { "FlixOneStore.ReadAccess" }
            }
        };
    }

You can add as many clients as you need. In this method you set the client id, client secret, and grant types according to the OAuth 2.0 standard. Notice that the secret is given as secretpassword, but only its SHA-256 hash is stored; the client sends the plaintext secret with each token request and the server hashes it before comparing. You can use any string here, for example a Guid, but in a real deployment it should be a long random value loaded from configuration or a secret store rather than a dictionary word hardcoded in source. GrantTypes.ResourceOwnerPassword defines how incoming token requests for this client are validated.

It tells the Authorization Server, "Look for a username and password inside the request body." Because this grant hands the user's actual credentials to the client, the OAuth 2.0 Security Best Current Practice advises against it except for trusted first-party clients, which is exactly the situation in this tutorial. Other grant types are available; you can explore them in the official documentation.
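To make the flow concrete, here is an added example that traces what the authorization server does with the Config above when htmlClient sends a resource-owner-password token request. This is a stand-in written for this page, not IdentityServer4's code: it mirrors the resource and client values defined above, uses the wire strings behind JwtClaimTypes ("id", "email", and so on) and GrantTypes.ResourceOwnerPassword ("password"), and substitutes a constructed SAMPLE_USERS table and a hypothetical check_credentials function for the Customers lookup that the tutorial wires up in a later step.

```python
"""Trace of the token-endpoint checks behind the Config class on this page.
Added example, not IdentityServer4's implementation."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode


def sha256_secret(plain: str) -> str:
    """Same transformation as "secretpassword".Sha256() in the Config: SHA-256
    over the UTF-8 bytes, Base64-encoded. Only this hash is stored."""
    digest = hashlib.sha256(plain.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Mirrors GetApiResources(): resource/scope name -> claim types carried in the token.
API_RESOURCES = {
    "FlixOneStore.ReadAccess": ["id", "email", "name", "given_name", "family_name"],
    "FlixOneStore.FullAccess": [],
}

# Mirrors GetClients(). "password" is the wire value of GrantTypes.ResourceOwnerPassword.
CLIENTS = {
    "htmlClient": {
        "enabled": True,
        "allowed_grant_types": {"password"},
        "secret_hashes": {sha256_secret("secretpassword")},
        "allowed_scopes": {"FlixOneStore.ReadAccess"},
    }
}

# Constructed sample user standing in for the Customers table (assumption);
# a real store would hold a password hash, never the plaintext.
SAMPLE_USERS = {"reader@example.com": "correct-horse-battery"}


def check_credentials(username: str, password: str) -> bool:
    """Hypothetical user check; the tutorial's real one is added later."""
    stored = SAMPLE_USERS.get(username)
    return stored is not None and hmac.compare_digest(
        stored.encode("utf-8"), password.encode("utf-8"))


def build_token_request(client_id, client_secret, username, password, scope,
                        grant_type="password") -> str:
    """Form body the client POSTs to the token endpoint for this grant."""
    return urlencode({
        "grant_type": grant_type,
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": scope,
    })


def validate_token_request(body: str) -> dict:
    """Run the checks in the order a token endpoint performs them and report
    the granted scopes and the user claims the access token will carry.
    Error codes are the OAuth 2.0 ones from RFC 6749 section 5.2."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # 1. Client authentication: known, enabled, and the secret hash matches.
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not client["enabled"]:
        return {"ok": False, "error": "invalid_client"}
    presented = sha256_secret(form.get("client_secret", ""))
    if not any(hmac.compare_digest(presented, h) for h in client["secret_hashes"]):
        return {"ok": False, "error": "invalid_client"}

    # 2. The grant type must be one this client is allowed to use.
    if form.get("grant_type") not in client["allowed_grant_types"]:
        return {"ok": False, "error": "unauthorized_client"}

    # 3. Every requested scope must be in the client's AllowedScopes.
    requested = form.get("scope", "").split()
    if not requested or any(s not in client["allowed_scopes"] for s in requested):
        return {"ok": False, "error": "invalid_scope"}

    # 4. Resource owner credentials carried in the request body.
    if not check_credentials(form.get("username", ""), form.get("password", "")):
        return {"ok": False, "error": "invalid_grant"}

    # Claims in the token are the union of the granted resources' claim lists.
    claims = sorted({c for s in requested for c in API_RESOURCES[s]})
    return {"ok": True, "scopes": requested, "claims": claims}


if __name__ == "__main__":
    body = build_token_request("htmlClient", "secretpassword",
                               "reader@example.com", "correct-horse-battery",
                               "FlixOneStore.ReadAccess")
    print(validate_token_request(body))
```

Run as-is, the script validates a correct request and reports the five claim types declared on FlixOneStore.ReadAccess. Requesting FlixOneStore.FullAccess with the same client fails with invalid_scope, which is the effect of the AllowedScopes setting above; a wrong client secret fails before the user's password is even looked at.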

You might have a question now! What are we going to do with username and password? Of course, we will validate them, but with what? The answer is the Email and Password fields from the Customers table. We have not done anything related to connecting Authorization Server with the Customers table. That is what we will do next. But before that, let's register these settings at Startup.

To recap, we are at the point of generating a token from the Authorization Server so that it can be used to access our API.