robisim74 / AngularSPAWebAPI

Angular Single Page Application with an ASP.NET Core Web API that uses token authentication
MIT License
231 stars 59 forks

Question About Scaling Potential #12

Closed wapplegate closed 6 years ago

wapplegate commented 7 years ago

Hey there, this is a great project. I have a similarly set up project and I have a question. I am running an identity server and a web API in the same project using the resource owner password grant. After taking a look at the README this caught my eye: "If more than one client app requires the Web API, use an interactive flow: IdentityServer4 or the other libraries allow you to scale your application"

When I was working on my application scaling was something I was unsure of. Because identity server and the api are in the same application, if I were to set up multiple servers hosting the api, there would also be multiple instances of the identity server application. Do you see any issues with this scenario? This might be a very open-ended question, but this repo is the best example I've come across so far and you seem very knowledgeable about the subject.

robisim74 commented 7 years ago

Thank you, but I cannot claim to be an expert.

You can add more client applications that require services even with this configuration without other servers. Let's say that it is not a best practice, for security reasons (and in fact this project highlights the fact that the ROPC should be used only for a Single Page Application).

If multiple client applications require the same services or require different services on multiple servers, you should use an implicit flow that uses only a server for authentication without multiplying the identity instances.

Here you can find an example: https://damienbod.com/2015/11/08/oauth2-implicit-flow-with-angular-and-asp-net-5-identity-server/

Greetings

wapplegate commented 7 years ago

Hmm, OK. So, to explain a little bit further, my API and Identity Server are hosted in the same .NET Core project. My only client application at the moment is a single page React application. So my question really is this. Let's say I have the API and Identity Server hosted on a single server. If that server eventually becomes overloaded and I introduce another instance of the API + Identity Server, do you foresee an issue with that? Because essentially I would then have two instances of Identity Server and two instances of the API running.

robisim74 commented 7 years ago

@Singularity222 Tell me if I understood:

[image attached to the comment]

If the scenario is this, I think there should be no problems (except for addressing the client). If the server is only one, I don't think it will work. @damienbod Have you ever had experience of this?

wapplegate commented 7 years ago

Yep, that diagram is pretty much what I'm expecting to set up. The two API/Identity servers would be behind some sort of load balancer and be responsible for the one single page app client.

When I first set the project up I assumed this design could also service another client as well. Say an iPhone app. I could authenticate the iPhone app by passing the username and password to the api/identity server and then add the token to every api request from the iPhone.
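The setup discussed above (two identical API + IdentityServer4 instances behind a load balancer, one ROPC client) works only if a token issued by one instance validates on the other, which in turn requires every instance to sign with the same key and to advertise the same issuer. The following `Startup` is an added example, not code from this repository or from either participant; the resource name `WebAPI`, the client id `AngularSPA`, the host name `https://api.example.com`, the certificate path and the data-protection key directory are assumed values.

```csharp
// Added example (not the project's code): one IdentityServer4 + Web API host,
// written so that several identical instances can sit behind a load balancer.
// Assumed: "WebAPI" resource, "AngularSPA" client, certificate path, host name.
using System.IO;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Public address of the load balancer (assumed value). Both the SPA and
        // the API reach the token endpoint through it, and every instance must
        // put this same value in the "iss" claim, not its own machine name.
        var authority = _config["Authority"] ?? "https://api.example.com";

        // One signing certificate shared by every instance, loaded from a path
        // or store that all instances can reach (assumed path). If each instance
        // generated its own key (AddDeveloperSigningCredential), a token issued by
        // instance A would fail signature validation on instance B.
        var signingCert = new X509Certificate2(
            _config["SigningCert:Path"] ?? "/etc/idsrv/signing.pfx",
            _config["SigningCert:Password"]);

        services.AddIdentityServer(options => options.IssuerUri = authority)
            .AddSigningCredential(signingCert)
            .AddInMemoryApiResources(new[] { new ApiResource("WebAPI", "Web API") })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "AngularSPA",
                    // The public SPA uses the resource owner password grant,
                    // as the README describes; it cannot keep a client secret.
                    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                    RequireClientSecret = false,
                    AllowedScopes = { "WebAPI" }
                }
            });

        // ASP.NET Core data-protection keys (cookies, anti-forgery) must also be
        // shared, or a request routed to the second instance cannot unprotect
        // what the first one produced (assumed shared directory).
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo("/etc/idsrv/dp-keys"));

        // The API half of the same process validates bearer tokens against the
        // load-balanced authority, so it accepts tokens from any instance.
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = authority;
                options.ApiName = "WebAPI";
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseIdentityServer registers the authentication middleware as well.
        app.UseIdentityServer();
        app.UseMvc();
    }
}
```

A quick check after deploying a second instance: request a token from the load balancer, then call a protected API endpoint repeatedly; if some calls return 401 while others succeed, the instances are not sharing the signing key or are advertising different issuer values.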

robisim74 commented 6 years ago

I'm closing this issue. For this kind of question, please use StackOverflow. Greetings