I am working on a JavaScript client that utilizes OIDC for authentication with the authorization code flow. Below is a snippet of the code:
    var config = {
        authority: "http://localhost:5000",
        client_id: "js",
        redirect_uri: "http://localhost:5003/callback.html",
        response_type: "code",
        scope: "openid profile web_api",
        post_logout_redirect_uri: "http://localhost:5003/index.html"
    };
    var mgr = new Oidc.UserManager(config);
I want to incorporate additional parameters in the config object above, which should be present in the query string of the URL accessible in the Login method of my Authorization Server (http://localhost:5000/Account/Login):
(C# code):
    /// <summary>
    /// Entry point into the login workflow
    /// </summary>
    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        ...
    }
(The URL query string can be accessed in the aforementioned code through both the returnUrl parameter and the HttpContext.Request.Query property)
However, adding new (non-standard) parameters in the config object on the JavaScript client does not result in them being passed to the URL query string.
In this scenario, I require these extra parameters to authenticate the user as they are essential besides the username and password. The values of these parameters are set within the client's JavaScript code (e.g., device ID like a cell phone's IMEI). Any alternate approach to accomplish this would be appreciated.
I have managed to achieve this using Postman, following a discussion on GitHub here:
With Postman, it is possible to modify the authorization endpoint URL to include parameters:
http://MyAuthorizationEndpoint?paramName=paramValue
E.g., http://localhost:5000/connect/authorize?device_id=XYZ
Unlike Postman, in the JavaScript client, I don't explicitly specify the authorization endpoint, only the authority (as shown in the config object above).
Note: I do not plan to utilize any other form of authorization flow, such as an Extension Grant, due to security concerns and lack of recommendation.
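
The round trip described in the question, as an added example that is not part of the original post: an extra `device_id` parameter is appended to the authorize request, carried inside `returnUrl` to the login page, and read back there. The `/connect/authorize/callback` path, the `returnUrl` wrapping, the `state` value and all function names are assumptions made for illustration.

```javascript
// Added example with constructed values; not code from the original post.
// Standard request parameters that an "extra" parameter must never override.
const RESERVED = new Set(["client_id", "redirect_uri", "response_type", "scope",
  "state", "nonce", "code_challenge", "code_challenge_method"]);

// Client side: authorize request built from the post's config plus extra parameters.
function buildAuthorizeUrl(config, extra, state) {
  const url = new URL("/connect/authorize", config.authority);
  const std = { client_id: config.client_id, redirect_uri: config.redirect_uri,
    response_type: config.response_type, scope: config.scope, state };
  for (const [k, v] of Object.entries(std)) url.searchParams.set(k, v);
  for (const [k, v] of Object.entries(extra)) {
    if (RESERVED.has(k)) throw new Error("extra parameter may not override " + k);
    url.searchParams.set(k, String(v));
  }
  return url.toString();
}

// Assumed server behaviour: an unauthenticated authorize request is redirected to
// the login page with the original query carried inside returnUrl.
function toLoginRedirect(authorizeUrl) {
  const src = new URL(authorizeUrl);
  const login = new URL("/Account/Login", src.origin);
  login.searchParams.set("returnUrl", "/connect/authorize/callback" + src.search);
  return login.toString();
}

// Login page: read one extra parameter out of returnUrl, accepting local paths only.
function extraFromReturnUrl(returnUrl, name) {
  if (!/^\/(?![\/\\])/.test(returnUrl)) return null; // rejects absolute and //host forms
  return new URL(returnUrl, "http://local.invalid").searchParams.get(name);
}

const config = {
  authority: "http://localhost:5000",
  client_id: "js",
  redirect_uri: "http://localhost:5003/callback.html",
  response_type: "code",
  scope: "openid profile web_api"
};
const authorizeUrl = buildAuthorizeUrl(config, { device_id: "XYZ" }, "constructed-state");
const loginUrl = toLoginRedirect(authorizeUrl);
const returnUrl = new URL(loginUrl).searchParams.get("returnUrl");
console.log(loginUrl);
console.log(extraFromReturnUrl(returnUrl, "device_id"));
```

With oidc-client, the `extraQueryParams` setting (also accepted by `signinRedirect`) adds such parameters to the authorize request. Because the value is set in client-side JavaScript, the server should treat `device_id` as untrusted input rather than as proof of the device's identity.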