Authorize Endpoint
The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.
Note
IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 authorize request parameters. For a full list, see here.
client_id
    identifier of the client (required)
request
    instead of providing all parameters as individual query string parameters, you can provide a subset or all of them as a JWT
request_uri
    URL of a pre-packaged JWT containing request parameters
scope
    one or more registered scopes (required)
redirect_uri
    must exactly match one of the allowed redirect URIs for that client (required)
response_type
    id_token: requests an identity token (only identity scopes are allowed)
    token: requests an access token (only resource scopes are allowed)
    id_token token: requests an identity token and an access token
    code: requests an authorization code
    code id_token: requests an authorization code and identity token
    code id_token token: requests an authorization code, identity token and access token
response_mode
    form_post: sends the token response as a form post instead of a fragment encoded redirect (optional)
state
    identityserver will echo back the state value on the token response; this is for round tripping state between client and provider, correlating request and response, and CSRF/replay protection (recommended)
nonce
    identityserver will echo back the nonce value in the identity token; this is for replay protection (required for identity tokens via implicit grant)
prompt
    none: no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned
    login: the login UI will be shown, even if the user is already signed-in and has a valid session
code_challenge
    sends the code challenge for PKCE
code_challenge_method
    plain: indicates that the challenge is using plain text (not recommended)
    S256: indicates the challenge is hashed with SHA256
login_hint
    can be used to pre-fill the username field on the login page
ui_locales
    gives a hint about the desired display language of the login UI
max_age
    if the user's logon session exceeds the max age (in seconds), the login UI will be shown
acr_values
    allows passing in additional authentication related information - identityserver special cases the following proprietary acr_values:
    idp:name_of_idp: bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)
    tenant:name_of_tenant: can be used to pass a tenant name to the login UI
Example
GET /connect/authorize?
client_id=client1&
scope=openid email api1&
response_type=id_token token&
redirect_uri=https://myapp/callback&
state=abc&
nonce=xyz
(URL encoding removed, and line breaks added for readability)
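The following is an added example, not code from the IdentityServer project, showing how a client builds an authorize request from the parameters listed above (response_type, scope, redirect_uri, state, nonce, and a PKCE code_challenge with code_challenge_method=S256) and how it checks the state echoed back on the callback. The authority https://demo.example is an assumed placeholder; the /connect/authorize path is the one shown in the page's own example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder for the IdentityServer host; only the path comes from the page.
AUTHORITY = "https://demo.example"
AUTHORIZE_ENDPOINT = AUTHORITY + "/connect/authorize"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.

    The challenge is BASE64URL(SHA256(verifier)) with the '=' padding removed
    (RFC 7636). The verifier stays on the client and is sent later to the
    token endpoint; only the challenge goes into the authorize request.
    """
    if verifier is None:
        # 64 random bytes -> 86 URL-safe characters, inside the 43..128 range RFC 7636 requires
        verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def requires_nonce(response_type):
    """A nonce is required whenever an identity token is requested from the front channel."""
    return "id_token" in response_type.split()


def build_authorize_url(client_id, redirect_uri, scopes, response_type="code",
                        state=None, nonce=None, code_challenge=None,
                        response_mode=None, extra=None):
    """Assemble the authorize request URL from the page's parameters.

    The caller must keep `state` (and `nonce`, `code_verifier`) in its own
    session so the response can be correlated and replay-checked.
    """
    if not state:
        raise ValueError("state is required to correlate the response and detect CSRF")
    if requires_nonce(response_type) and not nonce:
        raise ValueError("nonce is required when requesting an id_token")

    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),       # space-separated, URL-encoded by urlencode
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if nonce:
        params["nonce"] = nonce
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"   # never 'plain' in a real client
    if response_mode:
        params["response_mode"] = response_mode    # e.g. form_post
    if extra:
        params.update(extra)                       # prompt, login_hint, acr_values, ...
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Flatten the query string of a URL into a {name: first_value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_callback(callback_url, expected_state):
    """Validate the redirect back from the provider and return the authorization code.

    The state check rejects responses that were not started by this client
    session (CSRF) or are being replayed; an error response is surfaced instead
    of being silently ignored.
    """
    q = query_params(callback_url)
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in q:
        raise ValueError("authorization error: " + q["error"])
    if "code" not in q:
        raise ValueError("callback carries neither code nor error")
    return q["code"]


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("client1", "https://myapp/callback",
                              ["openid", "email", "api1"], state=state,
                              code_challenge=challenge))
```

For the code flow, the verifier paired with the challenge is stored alongside the state and presented to the token endpoint after the callback passes check_callback; for the implicit response types on the page (id_token or id_token token) the nonce stored at request time must additionally match the nonce claim inside the returned identity token.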
Note
You can use the IdentityModel client library to programmatically create authorize requests in .NET code. For more information check the IdentityModel docs.