Dec 19, 2019 05:26 PM|ammd
I am new to token-based auth, in Identity Server at least. Normally I work with custom token providers etc. and don't really deal with things like grants and scopes.
I understand the purpose of Identity Server is to protect applications like my APIs with token auth. I am, however, a bit confused on the following.
1) Say I have a mobile app which is set up in IdSrv as a client. The token provided is used to access the API and perform various operations. What do I check if I don't want that token to get any user data?
2) What do I check if I do want that token to allow requests for user tokens?
A standard mobile app is set up as a client and can call the API to do certain things (I know I can do this by policies etc.), but I don't want that app to allow access to any user data.
Another mobile app, this one can act on behalf of a user and access certain user data.
All I am looking for here is the correct terms to read about so I get a better understanding about the above scenarios.
Any advice appreciated.