2.2.2 Common URI Parameters

The following table summarizes the set of common query parameters defined by this specification.

| URI parameter | Description |
|---|---|
| resource | OPTIONAL. This query parameter is used by the OAuth 2.0 client to specify the resource secured by the AD FS server for which it requires an authorization grant. This parameter is REQUIRED when the AD FS server's ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_1, and OPTIONAL when the AD FS server's ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher. |
| resource_params | OPTIONAL. This query parameter is used to specify a set of parameters corresponding to the resource secured by the AD FS server for which the OAuth 2.0 client requests authorization. The value is base64 URL encoded ([RFC4648] section 5). Padding is not required ([RFC4648] section 3.2). |
| client-request-id | OPTIONAL. This query parameter is used to specify a request ID that is used when logging errors or failures that occur while processing the request. |
| login_hint OR username | OPTIONAL. This query parameter is used to provide a hint to the AD FS server about the login identifier the end user might use to log in. |
| domain_hint | OPTIONAL. This query parameter is used to provide a hint to the AD FS server about the backend authentication service the end user can log in to. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher. |
| nonce | OPTIONAL. This query parameter is used in the same way as the nonce parameter defined in [OIDCCore] section 3.1.2.1. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher. |
| prompt | OPTIONAL. This query parameter is used in the same way as the prompt parameter defined in [OIDCCore] section 3.1.2.1, but the only accepted values for this parameter are "none" and "login". This parameter and the accepted values specified in the preceding paragraph SHOULD<3> be supported for all values of ad_fs_behavior_level. |
| max_age | OPTIONAL. This query parameter is used in the same way as the max_age parameter defined in [OIDCCore] section 3.1.2.1. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher. |
| id_token_hint | OPTIONAL. This query parameter is used in the same way as the id_token_hint parameter defined in [OIDCCore] section 3.1.2.1. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher. |
| amr_values | OPTIONAL. This query parameter is used by the client to request that a particular authentication method be used to authenticate the user. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.<4> |
| mfa_max_age | OPTIONAL. This query parameter is used by the client to specify the allowable timespan, in seconds, within which the last multiple factor authentication must have been performed by the end user. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_3 or higher.<5> |
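
The following is an added example, not part of the specification: a client-side pre-flight check showing which of the parameters above actually take effect at a given ad_fs_behavior_level, which matters because a client that sends nonce, max_age or mfa_max_age to a lower-level server gets no enforcement of them. The function names, the integer encoding of the behavior levels, the choice to report an unaccepted prompt value as a problem, and the sample request are assumptions made for illustration.

```python
import base64
import re

# Lowest ad_fs_behavior_level at which the server honours each parameter,
# per the table above. Levels are modelled as integers 1-3 (an assumption).
MIN_LEVEL = {"domain_hint": 2, "nonce": 2, "max_age": 2,
             "id_token_hint": 2, "amr_values": 2, "mfa_max_age": 3}
ACCEPTED_PROMPT = {"none", "login"}
B64URL = re.compile(r"[A-Za-z0-9_-]*")


def decode_resource_params(value):
    """Decode base64url (RFC 4648 section 5); padding may be present or absent."""
    body = value.rstrip("=")
    if not B64URL.fullmatch(body) or len(body) % 4 == 1:
        raise ValueError("resource_params is not valid base64url")
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))


def check_request(params, level):
    """Hypothetical pre-flight check: returns (effective, ignored, problems)."""
    effective, ignored, problems = {}, [], []
    for name, value in params.items():
        if MIN_LEVEL.get(name, 1) > level:
            ignored.append(name)  # the server ignores this one at this level
        else:
            effective[name] = value
    if level == 1 and "resource" not in params:
        problems.append("resource is REQUIRED at AD_FS_BEHAVIOR_LEVEL_1")
    if params.get("prompt", "none") not in ACCEPTED_PROMPT:
        problems.append("prompt accepts only 'none' or 'login'")
    if "resource_params" in params:
        try:
            effective["resource_params"] = decode_resource_params(
                params["resource_params"])
        except ValueError as exc:
            problems.append(str(exc))
    return effective, sorted(ignored), problems


# Constructed sample request, not taken from the specification.
SAMPLE = {"resource": "urn:example:api", "resource_params": "aGk",
          "prompt": "login", "nonce": "n-1", "mfa_max_age": "300"}

if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(lvl, check_request(SAMPLE, lvl))
```

A non-empty ignored list for a security-relevant parameter such as nonce or mfa_max_age means the client cannot rely on the server for that check at that behavior level.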