Original: http://docs.identityserver.io/en/release/endpoints/authorize.html
Authorize Endpoint
The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.
Note
IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 authorize request parameters. For a full list, see the Authentication Request section of OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
client_id
identifier of the client (required)
scope
one or more registered scopes (required)
redirect_uri
must exactly match one of the allowed redirect URIs for that client (required)
response_type
id_token
requests an identity token (only identity scopes are allowed)
token
requests an access token (only resource scopes are allowed)
id_token token
requests an identity token and an access token
code
requests an authorization code
code id_token
requests an authorization code and an identity token
code id_token token
requests an authorization code, an identity token and an access token
response_mode
form_post
sends the token response as a form post instead of a fragment-encoded redirect (optional)
state
IdentityServer will echo back the state value on the token response. This is for round-tripping state between client and provider, correlating request and response, and CSRF/replay protection. (recommended)
nonce
IdentityServer will echo back the nonce value in the identity token. This is for replay protection. Required for identity tokens via implicit grant.
prompt
none
no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned
login
the login UI will be shown, even if the user is already signed in and has a valid session
code_challenge
sends the code challenge for PKCE
code_challenge_method
plain
indicates that the challenge is using plain text (not recommended)
S256
indicates that the challenge is hashed with SHA256
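The code_challenge and code_challenge_method parameters above describe PKCE (RFC 7636). As an added example (not code from the original page, IdentityServer or IdentityModel), the following Python derives the challenge a client sends for both listed methods and shows the check a token endpoint performs when the code is redeemed; the function names are illustrative, and the sample verifier is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
_VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Return a random code_verifier of 43..128 unreserved characters.
    The client keeps this secret until it redeems the authorization code."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def _b64url_no_pad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the code_challenge value sent on the authorize request."""
    if method == "S256":
        return _b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # The verifier itself travels in the browser-visible authorize request, so
        # anyone who observes it can later redeem the code: hence "not recommended".
        return verifier
    raise ValueError("unsupported code_challenge_method: " + repr(method))


def verify_pkce(verifier: str, challenge: str, method: str) -> bool:
    """Token-endpoint check: recompute the challenge from the code_verifier that
    accompanies the authorization code and compare it in constant time with the
    challenge stored from the authorize request."""
    try:
        expected = code_challenge(verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))
```

Only the challenge (and the method) is sent with the authorize request; the verifier never leaves the client until the token request, which is what stops an attacker who intercepts the authorization code from exchanging it.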
login_hint
can be used to pre-fill the username field on the login page
ui_locales
gives a hint about the desired display language of the login UI
max_age
if the age of the user's logon session exceeds max_age (in seconds), the login UI will be shown
acr_values
allows passing in additional authentication-related information. IdentityServer special-cases the following proprietary acr_values:
idp:name_of_idp
bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)
tenant:name_of_tenant
can be used to pass a tenant name to the login UI
Example
GET /connect/authorize?
    client_id=client1&
    scope=openid email api1&
    response_type=id_token token&
    redirect_uri=https://myapp/callback&
    state=abc&
    nonce=xyz

(URL encoding removed, and line breaks added for readability)
IdentityModel
You can programmatically create URLs for the authorize endpoint using the IdentityModel library:

// doc is the discovery document fetched earlier from the provider's discovery endpoint
var request = new AuthorizeRequest(doc.AuthorizeEndpoint);

// keep the generated state and nonce (e.g. in the session) so the response can be checked against them
var url = request.CreateAuthorizeUrl(
    clientId: "client",
    responseType: OidcConstants.ResponseTypes.CodeIdToken,
    responseMode: OidcConstants.ResponseModes.FormPost,
    redirectUri: "https://myapp.com/callback",
    state: CryptoRandom.CreateUniqueId(),
    nonce: CryptoRandom.CreateUniqueId());
...and parse the response:

// url is the callback the browser returned to (for form_post, the posted form body carries the same fields)
var response = new AuthorizeResponse(url);

// for response_type=code id_token the code is in response.Code and no access token is returned
var accessToken = response.AccessToken;
var idToken = response.IdentityToken;
var state = response.State;
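The page's example request and the IdentityModel snippet above build the URL and read the response fields, but the reason state and nonce exist is the check the client makes afterwards. As an added example (not code from the original page, IdentityServer or IdentityModel), this Python builds a request like the page's example, then validates a constructed callback: state must match the value issued with the request, and the id_token must echo the request's nonce. The endpoint, function names and the unsigned fixture token are assumptions for illustration; a real client must also verify the id_token signature, which this example leaves out.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical provider endpoint for the example; not from the page.
AUTHORIZE_ENDPOINT = "https://demo.example/connect/authorize"


def build_authorize_url(client_id, redirect_uri, scope,
                        response_type="id_token token", response_mode=None, **extra):
    """Build the authorize URL with a fresh state and nonce. Returns (url, state, nonce);
    the caller must keep state and nonce (e.g. in the session) to check the response."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "scope": scope,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if response_mode:
        params["response_mode"] = response_mode
    params.update(extra)  # e.g. code_challenge, prompt, acr_values, login_hint
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def parse_callback(callback_url):
    """Split the authorize response out of the callback URL. Implicit response types
    arrive in the fragment, code in the query; with response_mode=form_post the same
    fields arrive in the POST body, which the caller would pass in as a query string."""
    parts = urlsplit(callback_url)
    raw = parts.fragment or parts.query
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def validate_callback(callback_url, expected_state, expected_nonce):
    """The two client-side checks that state and nonce exist for. Returns the id_token
    claims or raises ValueError. The JWT signature is deliberately NOT checked here:
    verify it with a JOSE library against the provider's keys before trusting claims."""
    resp = parse_callback(callback_url)
    if "error" in resp:
        raise ValueError("provider returned error: " + resp["error"])
    # state: ties this response to a request we actually made (CSRF / replay protection).
    if not hmac.compare_digest(resp.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to our request")
    id_token = resp.get("id_token")
    if not id_token:
        raise ValueError("no id_token in response")
    try:
        _header, payload, _signature = id_token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed id_token")
    # nonce: the identity token must echo the nonce of this exact request (replay protection).
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    return claims


def _demo_id_token(nonce):
    """Constructed, unsigned fixture so the example runs offline; a real provider signs its tokens."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"sub": "alice", "nonce": nonce}) + "."


def demo_round_trip():
    """Issue a request like the page's example, then validate a constructed callback."""
    url, state, nonce = build_authorize_url("client1", "https://myapp/callback", "openid email api1")
    assert "response_type=id_token+token" in url
    # Constructed callback: what the browser would bring back after sign-in (fragment encoded).
    callback = "https://myapp/callback#" + urlencode({
        "id_token": _demo_id_token(nonce), "access_token": "at", "token_type": "Bearer", "state": state})
    return validate_callback(callback, state, nonce)
```

Both comparisons are constant-time and both values are generated per request with a CSPRNG; reusing a fixed state (as the page's readable example does with abc/xyz) would defeat the correlation and replay protection the parameters are there to provide.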