Reputation: 882
Our application is tenant-based and we want to pass an id to the ProfileService of IdentityServer4. How is it possible to pass a custom value to the ProfileService coming from the first request?
https://localhost:44390/connect/authorize?redirect_uri=http://localhost:8100/auth/callback&client_id=client.id&response_type=code&state=Ou3ZXnwaKM&scope=openid email offline_access&userId=08d9e62e-c6ab-4555-8820-3ba9b3e80752&code_challenge=rF2DzrNUpzAdVi-XQV1DIq84mTaAnjZLpaWwcULt8zk&code_challenge_method=S256
The userId is not accessible in the ProfileService.
Upvotes: 0
Views: 1071
Reputation: 4859
An authorization request has a predefined structure. IdentityServer is a certified OpenID Connect protocol implementation, so you can't introduce any custom parameter you want.
According to the spec, the only two "free" parameters are state, which is used by clients and should be sent back with the response as it is, and acr_values, which is specially aimed at sending additional parameters to the server.
So you just add &acr_values=userId:08d9e62e-c6ab-4555-8820-3ba9b3e80752 to your authorization request and the value is accessible at IdentityServer. Moreover, you mentioned tenant, and IdentityServer has advanced support for the tenant acr_value. Just provide &acr_values=tenant:DevPlayground and the value will be accessible as
IIdentityServerInteractionService.GetAuthorizationContextAsync(returnUrl).Tenant;
In general, you can pass as many acr_values as you want, separating them with spaces: &acr_values=userId:08d9e62e-c6ab-4555-8820-3ba9b3e80752 tenant:DevPlayground
Upvotes: 1
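An added example, not part of the original question or answer and not IdentityServer's own code: one way to carry the acr_values described above from the login page into the profile service, by validating them and adding them as claims at sign-in. It assumes IdentityServer4 with an interactive login action; TenantAcr, AllowedTenants, TenantProfileService and the claim types "tenant" and "requested_user_id" are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

public static class TenantAcr
{
    // Constructed allow-list; in practice this is looked up per client.
    static readonly HashSet<string> AllowedTenants = new HashSet<string> { "DevPlayground" };

    // Call from the login action with the result of
    // IIdentityServerInteractionService.GetAuthorizationContextAsync(returnUrl),
    // then add the returned claims to the principal that is signed in.
    public static IReadOnlyList<Claim> ToClaims(AuthorizationRequest context)
    {
        var claims = new List<Claim>();
        if (context == null) return claims;

        // acr_values arrives via the browser, so validate it before trusting it.
        if (context.Tenant != null && AllowedTenants.Contains(context.Tenant))
            claims.Add(new Claim("tenant", context.Tenant));

        const string prefix = "userId:";
        var raw = context.AcrValues?.FirstOrDefault(
            v => v.StartsWith(prefix, StringComparison.Ordinal));
        // Accept only a well-formed GUID; it remains an unauthenticated hint.
        if (raw != null && Guid.TryParse(raw.Substring(prefix.Length), out var id))
            claims.Add(new Claim("requested_user_id", id.ToString()));

        return claims;
    }
}

public class TenantProfileService : IProfileService
{
    static readonly string[] Forwarded = { "tenant", "requested_user_id" };

    // Claims added at sign-in arrive here on context.Subject.
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        context.IssuedClaims.AddRange(
            context.Subject.Claims.Where(c => Forwarded.Contains(c.Type)));
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
```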