Authorize Endpoint
The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.
Identity Engine supports a subset of the OpenID Connect and OAuth 2.0 authorize request parameters. For a full list, see here.
Required parameters
client_id : identifier of the client
scope: one or more registered scopes
redirect_uri: must exactly match one of the allowed redirect URIs for that client
response_type: specifies the response type; one of
    id_token
    token
    id_token token
    code
    code id_token
    code id_token token
Optional parameters
response_mode: specifies the response mode; one of
    query
    fragment
    form_post
state: echoed back unchanged on the token response. It is used for round-tripping state between client and provider, for correlating request and response, and for CSRF/replay protection. (recommended)
nonce: echoed back in the identity token (for replay protection). Required when identity tokens are transmitted via the browser channel.
prompt: controls whether the user is prompted; one of
    none: no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned
    login: the login UI will be shown, even if the user is already signed in and has a valid session
code_challenge: sends the code challenge for PKCE
code_challenge_method: how code_challenge was derived from the code verifier; one of
    plain: indicates that the challenge is the plain-text verifier (not recommended)
    S256: indicates the challenge is the SHA-256 hash of the verifier
login_hint: can be used to pre-fill the username field on the login page
ui_locales: gives a hint about the desired display language of the login UI
max_age: if the user’s logon session exceeds the max age (in seconds), the login UI will be shown
acr_values: allows passing in additional authentication-related information. IdentityServer special-cases the following proprietary acr_values:
    idp:name_of_idp: bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)
    tenant:name_of_tenant: can be used to pass a tenant name to the login UI
request: instead of providing all parameters as individual query string parameters, you can provide a subset or all of them as a JWT
request_uri: URL of a pre-packaged JWT containing request parameters
Example request (space-separated values are percent-encoded in the query string):

GET /connect/authorize?
    client_id=client1&
    scope=openid%20email%20api1&
    response_type=id_token%20token&
    redirect_uri=https%3A%2F%2Fmyapp%2Fcallback&
    state=abc&
    nonce=xyz
.NET client library
You can use the IdentityModel client library to programmatically create authorize request URLs from .NET code.
using IdentityModel.Client;

// RequestUrl builds a correctly encoded query string for the authorize endpoint.
var ru = new RequestUrl("https://transformidentity/connect/authorize");
var url = ru.CreateAuthorizeUrl(
    clientId: "client",
    responseType: "code",
    redirectUri: "https://app.com/callback",
    scope: "openid");