identityserver4 Authorize 传参

原文 http://docs.identityserver.io/en/release/endpoints/authorize.html

Authorize Endpoint

授权终端 用于通过浏览器授权 请求令牌 或 授权码，该过程主要用于最终用户授权及可选同意。

The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.

注意：Note

IdentityServer 支持OpenID Connect 和 OAuth 2.0授权参数的一个子集，完整例子，见这。

IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 authorize request parameters. For a full list, see here.

• client_id

• identifier of the client (required).
• 客户端标示符（必需）

• scope

• one or more registered scopes (required)
• 一个或多个注册范围（必需）

• redirect_uri

• must exactly match one of the allowed redirect URIs for that client (required)
• 必需完全匹配客户端允许重定向URIs（必需）

• response_type

id_token

  requests an identity token (only identity scopes are allowed)

        请求一个身份令牌（仅限允许的身份范围）

token

 requests an access token (only resource scopes are allowed)

        请求一个访问令牌（仅限允许的资源范围）

id_token token

 requests an identity token and an access token

         请求一个身份令牌和访问令牌

code

 requests an authorization code

         请求一个授权码

code id_token

 requests an authorization code and identity token

         请求一个授权码和一个身份令牌

code id_token token

 requests an authorization code, identity token and access token

         请求一个授权码，身份令牌和访问令牌

response_mode

form_post

 sends the token response as a form post instead of a fragment encoded     redirect (optional)

        将发送令牌响应作为表单post请求代替片段编码重定向（可选）。

state

identityserver will echo back the state value on the token response, this is for round tripping state between client and provider, correlating request and response and CSRF/replay protection. (recommended)identityserver 

将每个回传的令牌响应包含状态值，该值是客户端与服务提供程序间的一个往返状态值，关联请求和响应及CSRF/replay保护（推荐）。

nonce

identityserver will echo back the nonce value in the identity token, this is for replay protectionidentityserver 

将要回传身份令牌中的nonce值，这是为了 回传答复 保护Required for identity tokens via implicit grant.隐式授权需要通过身份令牌prompt

none

 no UI will be shown during the request. If this is not possible (e.g. because the user     has to sign in or consent) an error is returned

        请求期间不返回UI，如果是不可能的（例如，用户必须登录或同意）则返回一个错误。

login

 the login UI will be shown, even if the user is already signed-in and has a valid     session

        将要显示登录UI，即使用户已经登录并有一个有效会话

code_challengesends the code challenge for PKCEcode_challenge_method

plain

 indicates that the challenge is using plain text (not recommended) 

S256

 indicates     the the challenge is hashed with SHA256

        表示challenge 用于纯文本（不推荐），

S256

 表示challenge用于SHA256哈希值

login_hint

can be used to pre-fill the username field on the login page

用于预填充登录页上用户名字段

ui_locales

gives a hint about the desired display language of the login UI

登录UI界面给出一个提示期望的显示语言

max_age

if the user’s logon session exceeds the max age (in seconds), the login UI will be shown

如果登录用户会话时间超过最大时间（秒），将显示登录UI

acr_values

allows passing in additional authentication related information - identityserver special cases the following proprietary acr_values:

允许传递附加认证关系信息，以下identityserver 特殊情况专属的acr_values：

idp:name_of_idp

 bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)

绕过 login/home环节而直接将用户给身份提供商（如果每个客户端允许）

tenant:name_of_tenant

can be used to pass a tenant name to the login UI

允许传递一个租客名称到登录UI

Example

GET /connect/authorize?
    client_id=client1&
    scope=openid email api1&
    response_type=id_token token&
    redirect_uri=https://myapp/callback&
    state=abc&
    nonce=xyz      

(URL encoding removed, and line breaks added for readability)

(移除了URL编码，为易读增加了换行符)

IdentityModel

You can programmatically create URLs for the authorize endpoint using the IdentityModel library:

你可以使用 IdentityModel库以编程方式为授权总结点建立URL

var request = new AuthorizeRequest(doc.AuthorizeEndpoint);var url = request.CreateAuthorizeUrl(
    clientId:     "client",
    responseType: OidcConstants.ResponseTypes.CodeIdToken,
    responseMode: OidcConstants.ResponseModes.FormPost,
    redirectUri: "https://myapp.com/callback",
    state:       CryptoRandom.CreateUniqueId(),
    nonce:       CryptoRandom.CreateUniqueId());      

var response = new AuthorizeResponse(url);var accessToken = response.AccessToken;var idToken = response.IdentityToken;var state = response.State;