Authorize Endpoint

The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.

client_id

identifier of the client (required).

scope

one or more registered scopes, for example openid email profile (required; openid must be included whenever an identity token is requested)

redirect_uri

must exactly match one of the allowed redirect URIs for that client (required)

response_type

* id_token requests an identity token (only identity scopes are allowed)
* token requests an access token (only resource scopes are allowed)
* id_token token requests an identity token and an access token
* code requests an authorization code
* code id_token requests an authorization code and identity token
* code id_token token requests an authorization code, identity token and access token

response_mode

form_post sends the token response as a form post instead of a fragment encoded redirect (optional)

state

identityserver will echo back the state value on the token response. This is for round tripping state between client and provider, correlating request and response, and CSRF/replay protection; the client should generate an unguessable value, bind it to the user's session, and reject any response whose state does not match (recommended)

nonce

* identityserver will echo back the nonce value in the identity token (this is for replay protection)
* Required for identity tokens via implicit grant.

prompt

* none no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned
* login the login UI will be shown, even if the user is already signed-in and has a valid session

code_challenge

sends the code challenge for PKCE

code_challenge_method

* plain indicates that the challenge is the code verifier itself, sent as plain text (not recommended)
* S256 indicates that the challenge is the SHA256 hash of the code verifier, base64url-encoded

login_hint

can be used to pre-fill the username field on the login page

ui_locales

gives a hint about the desired display language of the login UI

max_age

if the user’s logon session exceeds the max age (in seconds), the login UI will be shown

acr_values

allows passing in additional authentication related information - identityserver special cases the following proprietary acr_values:

* idp:name_of_idp bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)
* tenant:name_of_tenant can be used to pass a tenant name to the login UI

Example

GET /connect/authorize?
	client_id=client1&
	scope=openid email&
	response_type=id_token token&
	redirect_uri=https://myapp/callback&
	state=abc&
	nonce=xyz

Token Endpoint

The token endpoint can be used to programmatically request tokens. It supports the password, authorization_code, client_credentials, refresh_token and urn:ietf:params:oauth:grant-type:device_code grant types. Furthermore the token endpoint can be extended to support extension grant types.

client_id

client identifier (required)

client_secret

client secret either in the post body, or as a basic authentication header. Optional for public clients; a client that is configured with a secret must authenticate with it.

grant_type

authorization_code, client_credentials, password, refresh_token, urn:ietf:params:oauth:grant-type:device_code or custom

scope

one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.

redirect_uri

required for the authorization_code grant type

code

the authorization code (required for authorization_code grant type)

code_verifier

PKCE proof key

username

resource owner username (required for password grant type)

password

resource owner password (required for password grant type)

acr_values

allows passing in additional authentication related information for the password grant type - identityserver special cases the following proprietary acr_values:

* idp:name_of_idp bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)
* tenant:name_of_tenant can be used to pass a tenant name to the token endpoint

refresh_token

the refresh token (required for refresh_token grant type)

device_code

the device code (required for urn:ietf:params:oauth:grant-type:device_code grant type)

Example

POST /connect/token
	client_id=client1&
	client_secret=secret&
	grant_type=authorization_code&
	code=hdh922&
	redirect_uri=https://myapp.com/callback
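The authorize request and the token request above, chained into one client as an added example; this is not IdentityServer's own code. It covers the state, nonce, code_challenge and code_challenge_method parameters of the authorize endpoint and the authorization_code grant of the token endpoint. The issuer https://idsvr.example is assumed; client1, secret, https://myapp/callback and the code hdh922 are the page's sample values, and the callback URL fed to parse_callback is constructed rather than captured from a real provider.

```python
"""Authorization code + PKCE client helpers for an IdentityServer-style
OpenID Connect provider. Added example, not the project's code; the issuer
https://idsvr.example and every client value are placeholders."""
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.

    challenge = BASE64URL(SHA256(ASCII(verifier))) with padding stripped
    (RFC 7636). 'plain' would put the verifier itself on the authorize
    request, so anyone who observes that request could redeem the code.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(32)  # 43 chars, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str, scope: str,
                        state: str, nonce: str, code_challenge: str) -> str:
    """Front-channel request for response_type=code with S256 PKCE."""
    params = {
        "client_id": client_id,
        "scope": scope,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must exactly match a registered redirect URI
        "state": state,                 # echoed back; bound to the user's session
        "nonce": nonce,                 # echoed in the id_token; also session-bound
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/connect/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing responses whose state is wrong.

    The code flow returns parameters in the query string; fragment-encoded
    responses (implicit/hybrid) land in the fragment, so both are read.
    """
    parsed = urlparse(callback_url)
    params = parse_qs(parsed.query)
    params.update(parse_qs(parsed.fragment))
    state = params.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response is not bound to this session")
    if "error" in params:
        raise RuntimeError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in response")
    return code


def build_token_request(issuer: str, client_id: str, client_secret: Optional[str],
                        code: str, redirect_uri: str, code_verifier: str):
    """Back-channel request for grant_type=authorization_code.

    Confidential clients authenticate with a Basic header (RFC 6749 2.3.1);
    public clients have no secret, identify themselves with client_id in the
    body and rely on code_verifier to prove they issued the authorize request.
    Returns (url, headers, form_body).
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        form["client_id"] = client_id
    else:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
        headers["Authorization"] = f"Basic {creds}"
    return f"{issuer}/connect/token", headers, urlencode(form)


if __name__ == "__main__":
    issuer = "https://idsvr.example"  # assumed issuer
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(issuer, "client1", "https://myapp/callback",
                              "openid email", state, nonce, challenge))
    # Constructed callback, as the browser would deliver it after login/consent.
    code = parse_callback(f"https://myapp/callback?code=hdh922&state={state}", state)
    url, headers, body = build_token_request(issuer, "client1", "secret", code,
                                             "https://myapp/callback", verifier)
    print(url, headers, body, sep="\n")
```

The verifier and state are kept on the client side (normally in the user's session) between the two requests; only the challenge and the state leave the client on the front channel, and the verifier is released only on the back channel to the token endpoint.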

UserInfo Endpoint

The UserInfo endpoint can be used to retrieve identity information about a user. The caller needs to send a valid access token representing the user. Depending on the granted scopes, the UserInfo endpoint will return the mapped claims (at least the openid scope is required).

Example

GET /connect/userinfo
Authorization: Bearer 

HTTP/1.1 200 OK
Content-Type: application/json

{
	"sub": "248289761001",
	"name": "Bob Smith",
	"given_name": "Bob",
	"family_name": "Smith",
	"role": [
		"user",
		"admin"
	]
}

Device Authorization Endpoint

The device authorization endpoint can be used to request device and user codes. This endpoint is used to start the device flow authorization process.

client_id

client identifier (required)

client_secret

client secret either in the post body, or as a basic authentication header. Optional.

scope

one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.

Example

POST /connect/deviceauthorization
	client_id=client1&
	client_secret=secret&
	scope=openid
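The device flow end to end, from the request above through polling the token endpoint with the urn:ietf:params:oauth:grant-type:device_code grant described in the Token Endpoint section, as an added example that is not IdentityServer's own code. https://idsvr.example and client1 are placeholders, and ScriptedTokenEndpoint is a constructed stand-in that replays canned token-endpoint responses so the exchange runs offline; the error codes it replays (authorization_pending, slow_down, access_denied, expired_token) are the ones RFC 8628 defines for this grant.

```python
"""Device flow client: start at /connect/deviceauthorization, then poll
/connect/token with the device_code grant until the user approves.
Added example, not the project's code; all endpoints and values are
constructed placeholders."""
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
Response = Tuple[int, Dict[str, str]]  # (HTTP status, decoded JSON body)


def build_device_authorization_request(issuer: str, client_id: str, scope: str,
                                       client_secret: Optional[str] = None) -> Tuple[str, str]:
    """Form-encoded POST that starts the flow; returns (url, body).

    The reply (RFC 8628) carries device_code, user_code, verification_uri,
    expires_in and the minimum polling interval used below.
    """
    form = {"client_id": client_id, "scope": scope}
    if client_secret is not None:
        form["client_secret"] = client_secret  # secret in the post body, as the page allows
    return f"{issuer}/connect/deviceauthorization", urlencode(form)


def poll_device_token(post: Callable[[str, Dict[str, str]], Response], token_url: str,
                      client_id: str, device_code: str, interval: int = 5,
                      expires_in: int = 300, client_secret: Optional[str] = None,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, str]:
    """Poll the token endpoint until the user approves, following RFC 8628 3.5.

    authorization_pending: keep waiting; slow_down: add 5 s to the interval;
    access_denied / expired_token: the flow is over; anything else is a
    client or server fault. Giving up at expires_in avoids polling forever
    against a device_code the provider has already discarded.
    """
    form = {"grant_type": DEVICE_GRANT, "client_id": client_id, "device_code": device_code}
    if client_secret is not None:
        form["client_secret"] = client_secret
    waited = 0
    while True:
        sleep(interval)
        waited += interval
        if waited > expires_in:
            raise TimeoutError("device code expired before the user approved")
        status, body = post(token_url, form)
        if status == 200:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue
        if error == "slow_down":
            interval += 5
            continue
        if error in ("access_denied", "expired_token"):
            raise PermissionError(f"device flow ended: {error}")
        raise RuntimeError(f"token endpoint error: {error}: {body.get('error_description')}")


class ScriptedTokenEndpoint:
    """Constructed stand-in for POST /connect/token: replays canned responses
    in order and records each form body it was sent."""

    def __init__(self, responses: List[Response]) -> None:
        self.responses = list(responses)
        self.calls: List[Dict[str, str]] = []

    def __call__(self, url: str, form: Dict[str, str]) -> Response:
        self.calls.append(dict(form))
        return self.responses.pop(0)


if __name__ == "__main__":
    url, body = build_device_authorization_request("https://idsvr.example", "client1", "openid")
    print("POST", url, body)
    # Constructed sequence: the user has not approved yet, then the client
    # polled too fast, then approval.
    endpoint = ScriptedTokenEndpoint([
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (200, {"access_token": "at-example", "token_type": "Bearer", "expires_in": "3600"}),
    ])
    waits: List[float] = []
    tokens = poll_device_token(endpoint, "https://idsvr.example/connect/token", "client1",
                               "dev-code-example", interval=5, expires_in=120, sleep=waits.append)
    print("slept", waits, "->", tokens["token_type"])
```

Against a live provider, replace the scripted endpoint with a function that POSTs the form and returns the status and parsed JSON; the interval and expires_in passed to poll_device_token should be the values the device authorization response returned, not constants.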

End Session Endpoint

The end session endpoint can be used to trigger single sign-out. To use the end session endpoint a client application will redirect the user's browser to the end session URL. All applications that the user has logged into via the browser during the user's session can participate in the sign-out.

Parameters
id_token_hint

When the user is redirected to the endpoint, they will be prompted if they really want to sign-out. This prompt can be bypassed by a client sending the original id_token received from authentication. This is passed as a query string parameter called id_token_hint.

post_logout_redirect_uri

If a valid id_token_hint is passed, then the client may also send a post_logout_redirect_uri parameter. This can be used to redirect the user back to the client after sign-out. The value must match one of the client's pre-configured PostLogoutRedirectUris.

state

If a valid post_logout_redirect_uri is passed, then the client may also send a state parameter. This will be returned back to the client as a query string parameter after the user redirects back to the client. This is typically used by clients to round-trip state across the redirect.

Example

GET /connect/endsession?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOGFkZmMzMjU1OTEyNzI0ZDY4NWZmYmIwOThjNDEyIiwidHlwIjoiSldUIn0.eyJuYmYiOjE0OTE3NjUzMjEsImV4cCI6MTQ5MTc2NTYyMSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoianNfb2lkYyIsIm5vbmNlIjoiYTQwNGFjN2NjYWEwNGFmNzkzNmJjYTkyNTJkYTRhODUiLCJpYXQiOjE0OTE3NjUzMjEsInNpZCI6IjI2YTYzNWVmOTQ2ZjRiZGU3ZWUzMzQ2ZjFmMWY1NTZjIiwic3ViIjoiODg0MjExMTMiLCJhdXRoX3RpbWUiOjE0OTE3NjUzMTksImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.STzOWoeVYMtZdRAeRT95cMYEmClixWkmGwVH2Yyiks9BETotbSZiSfgE5kRh72kghN78N3-RgCTUmM2edB3bZx4H5ut3wWsBnZtQ2JLfhTwJAjaLE9Ykt68ovNJySbm8hjZhHzPWKh55jzshivQvTX0GdtlbcDoEA1oNONxHkpDIcr3pRoGi6YveEAFsGOeSQwzT76aId-rAALhFPkyKnVc-uB8IHtGNSyRWLFhwVqAdS3fRNO7iIs5hYRxeFSU7a5ZuUqZ6RRi-bcDhI-djKO5uAwiyhfpbpYcaY_TxXWoCmq8N8uAw9zqFsQUwcXymfOAi2UF3eFZt02hBu-shKA&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A7017%2Findex.html