identityserver-api-protection

Official

Protect APIs with IdentityServer tokens and PoP.

Author: DuendeSoftware
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Protecting APIs with IdentityServer involves validating access tokens (both JWTs and reference tokens), enforcing scopes, applying proof-of-possession (PoP) to guard against token theft, and supporting multi-audience deployments.

Core Features & Use Cases

  • JWT Bearer Authentication: Validate JWT access tokens with issuer authority and proper type filtering (at+jwt) to prevent token confusion.
  • Reference Token Introspection: Use OAuth2 introspection for opaque tokens and ensure ApiSecrets are configured for secure introspection.
  • Handling Both JWT and Reference Tokens: Unified API token handling by forwarding reference tokens to an introspection endpoint while validating JWTs locally.
  • Scope-Based Authorization: Implement policies based on token scopes to enforce fine-grained access control across resources.
  • Proof-of-Possession (PoP): Validate PoP tokens via the mTLS cnf claim and DPoP proofs to bind tokens to clients and requests.
  • Local API Authentication: Support co-hosted IdentityServer APIs with local API authentication for reduced latency.
  • Multi-Audience APIs: Support multiple API resources by validating multiple audiences.

Quick Start

Configure your API to validate JWTs, enable reference token introspection when using opaque tokens, and implement PoP (mTLS/DPoP) as described.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: identityserver-api-protection
Download link: https://github.com/DuendeSoftware/duende-skills/archive/main.zip#identityserver-api-protection

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.