IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

Automatic scope validation? #139

Closed kikaragyozov closed 4 years ago

kikaragyozov commented 4 years ago

The docs showing an example of protecting an API with client credentials explain how we need to create our own policy for validating API scopes, in order to make sure that the token coming in has access to use our API.

This doesn't seem to be the case when using IdentityServer4.AccessTokenValidation.

It seems it automatically checks for the scope against IdentityServerAuthenticationOptions.ApiName.

Is this correct? I couldn't find the code where it does that.

leastprivilege commented 4 years ago

The handler does not check scopes.

That being said - I will deprecate this repo in favour of:

https://leastprivilege.com/2020/07/06/flexible-access-token-validation-in-asp-net-core/
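
Since the handler does not check scopes, the scope check has to be an explicit authorization policy in the API. The following is an added example, not code from this thread or from the IdentityServer project; the policy name `ApiScope`, the scope value `api1` and the helper `AddApiScopePolicy` are assumptions chosen for illustration.

```csharp
// Added example. "ApiScope", "api1" and AddApiScopePolicy are assumed names.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public sealed class ScopeRequirement : IAuthorizationRequirement
{
    public ScopeRequirement(string scope) => Scope = scope;
    public string Scope { get; }
}

public sealed class ScopeHandler : AuthorizationHandler<ScopeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ScopeRequirement requirement)
    {
        // Accept both token shapes: one "scope" claim per value, or a single
        // space-delimited claim such as "api1 api2".
        var granted = context.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries));

        // Exact, case-sensitive comparison; no substring or prefix matching,
        // so "api1.read" never satisfies a requirement for "api1".
        if (granted.Contains(requirement.Scope, StringComparer.Ordinal))
            context.Succeed(requirement);

        // Not calling Succeed leaves the requirement unmet, so the policy fails.
        return Task.CompletedTask;
    }
}

public static class ScopePolicyExtensions
{
    public static IServiceCollection AddApiScopePolicy(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, ScopeHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy("ApiScope", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.AddRequirements(new ScopeRequirement("api1"));
            }));
        return services;
    }
}
```

The policy only takes effect where it is applied, for example with `[Authorize(Policy = "ApiScope")]` on a controller or `RequireAuthorization("ApiScope")` on mapped endpoints.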