Version 5.x has been out of support since December 13, 2022, and this corresponding section of the documentation is no longer maintained. We strongly recommend you upgrade to the latest supported version of 7.x and read the latest version of this documentation.

Authorize Endpoint

The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.

IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 authorize request parameters. For a full list, see here.

Required parameters

  • client_id

    identifier of the client

  • scope

    one or more registered scopes

  • redirect_uri

    must exactly match one of the allowed redirect URIs for that client

  • response_type

    specifies the response type

    • id_token

    • token

    • id_token token

    • code

    • code id_token

    • code id_token token

Optional parameters

  • response_mode

    specifies the response mode

    • query

    • fragment

    • form_post

  • state

    echos back the state value on the token response, this is for round tripping state between client and provider, correlating request and response and CSRF/replay protection. (recommended)

  • nonce

    echos back the nonce value in the identity token (for replay protection)

    Required when identity tokens is transmitted via the browser channel

  • prompt

    • none

      no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned

    • login

      the login UI will be shown, even if the user is already signed-in and has a valid session

  • code_challenge

    sends the code challenge for PKCE

  • code_challenge_method

    • plain

      indicates that the challenge is using plain text (not recommended)

    • S256

      indicates the challenge is hashed with SHA256

  • login_hint

    can be used to pre-fill the username field on the login page

  • ui_locales

    gives a hint about the desired display language of the login UI

  • max_age

    if the user’s logon session exceeds the max age (in seconds), the login UI will be shown

  • acr_values

    allows passing in additional authentication related information - IdentityServer special cases the following proprietary acr_values:

    • idp:name_of_idp

      bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)

    • tenant:name_of_tenant

      can be used to pass a tenant name to the login UI

  • request

    instead of providing all parameters as individual query string parameters, you can provide a subset or all of them as a JWT

  • request_uri

    URL of a pre-packaged JWT containing request parameters

GET /connect/authorize?
    client_id=client1&
    scope=openid email api1&
    response_type=id_token token&
    redirect_uri=https://myapp/callback&
    state=abc&
    nonce=xyz

.NET client library

You can use the IdentityModel client library to programmatically create authorize request URLs from .NET code.

var ru = new RequestUrl("https://demo.duendesoftware.com/connect/authorize");

var url = ru.CreateAuthorizeUrl(
    clientId: "client",
    responseType: "code",
    redirectUri: "https://app.com/callback",
    scope: "openid");