The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.
IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 authorize request parameters. For a full list, see here.
client_id
identifier of the client
scope
one or more registered scopes
redirect_uri
must exactly match one of the allowed redirect URIs for that client
response_type
specifies the response type
id_token
token
id_token token
code
code id_token
code id_token token
response_mode
specifies the response mode
query
fragment
form_post
state
echos back the state value on the token response, this is for round tripping state between client and provider, correlating request and response and CSRF/replay protection. (recommended)
nonce
echos back the nonce value in the identity token (for replay protection)
Required when identity tokens is transmitted via the browser channel
prompt
none
no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned
login
the login UI will be shown, even if the user is already signed-in and has a valid session
create
the user registration UI will be shown, if the UserInteraction.CreateAccountUrl option is set (the option is null by default, which disables support for this prompt value)
code_challenge
sends the code challenge for PKCE
code_challenge_method
plain
indicates that the challenge is using plain text (not recommended)
S256
indicates the challenge is hashed with SHA256
login_hint
can be used to pre-fill the username field on the login page
ui_locales
gives a hint about the desired display language of the login UI
max_age
if the user’s logon session exceeds the max age (in seconds), the login UI will be shown
acr_values
allows passing in additional authentication related information - IdentityServer special cases the following proprietary acr_values:
idp:name_of_idp
bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)
tenant:name_of_tenant
can be used to pass a tenant name to the login UI
request
instead of providing all parameters as individual query string parameters, you can provide a subset or all of them as a JWT
request_uri
URL of a pre-packaged JWT containing request parameters
GET /connect/authorize?
client_id=client1&
scope=openid email api1&
response_type=id_token token&
redirect_uri=https://myapp/callback&
state=abc&
nonce=xyz
You can use the IdentityModel client library to programmatically create authorize request URLs from .NET code.
var ru = new RequestUrl("https://demo.duendesoftware.com/connect/authorize");
var url = ru.CreateAuthorizeUrl(
clientId: "client",
responseType: "code",
redirectUri: "https://app.com/callback",
scope: "openid");