Use AdditionalAuthorizationParameters

- Ensure that overrides of `BuildChallengeUrl()` that do not call the base implementation add the values from the new `AdditionalAuthorizationParameters` property.
- Move all static challenge parameters into the `AdditionalAuthorizationParameters` property on the options.
- Remove `BuildChallengeUrl()` overrides, where possible, to just use `AdditionalAuthorizationParameters` instead.

Author: martincostello

src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationHandler.cs

@@ -210,10 +210,17 @@ protected override string BuildChallengeUrl([NotNull] AuthenticationProperties p
         {
             ["app_id"] = Options.ClientId, // Used instead of "client_id"
             ["scope"] = scope,
-            ["response_type"] = "code",
             ["redirect_uri"] = redirectUri,
         };
 
+        if (Options.AdditionalAuthorizationParameters?.Count > 0)
+        {
+            foreach (var parameter in Options.AdditionalAuthorizationParameters)
+            {
+                parameters[parameter.Key] = parameter.Value;
+            }
+        }
+
         if (Options.UsePkce)
         {
             var bytes = RandomNumberGenerator.GetBytes(256 / 8);

src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationOptions.cs

@@ -22,6 +22,8 @@ public AlipayAuthenticationOptions()
         TokenEndpoint = AlipayAuthenticationDefaults.TokenEndpoint;
         UserInformationEndpoint = AlipayAuthenticationDefaults.UserInformationEndpoint;
 
+        AdditionalAuthorizationParameters["response_type"] = "code";
+
         Scope.Add("auth_user");
 
         ClaimActions.MapJsonKey(Claims.Avatar, "avatar");

src/AspNet.Security.OAuth.Apple/AppleAuthenticationHandler.cs

@@ -9,7 +9,6 @@
 using System.Text;
 using System.Text.Encodings.Web;
 using System.Text.Json;
-using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
@@ -37,17 +36,6 @@ public partial class AppleAuthenticationHandler(
         set { base.Events = value; }
     }
 
-    /// <inheritdoc />
-    protected override string BuildChallengeUrl(
-        [NotNull] AuthenticationProperties properties,
-        [NotNull] string redirectUri)
-    {
-        var challengeUrl = base.BuildChallengeUrl(properties, redirectUri);
-
-        // Apple requires the response mode to be form_post when the email or name scopes are requested
-        return QueryHelpers.AddQueryString(challengeUrl, "response_mode", "form_post");
-    }
-
     /// <inheritdoc />
     protected override Task<object> CreateEventsAsync() => Task.FromResult<object>(new AppleAuthenticationEvents());
 

src/AspNet.Security.OAuth.Apple/AppleAuthenticationOptions.cs

@@ -29,6 +29,9 @@ public AppleAuthenticationOptions()
 
         Events = new AppleAuthenticationEvents();
 
+        // Apple requires the response mode to be form_post when the email or name scopes are requested
+        AdditionalAuthorizationParameters["response_mode"] = "form_post";
+
         Scope.Add("openid");
         Scope.Add("name");
         Scope.Add("email");

src/AspNet.Security.OAuth.Deezer/DeezerAuthenticationHandler.cs

@@ -98,6 +98,14 @@ protected override string BuildChallengeUrl([NotNull] AuthenticationProperties p
             ["perms"] = scopes,
         };
 
+        if (Options.AdditionalAuthorizationParameters?.Count > 0)
+        {
+            foreach (var parameter in Options.AdditionalAuthorizationParameters)
+            {
+                parameters[parameter.Key] = parameter.Value;
+            }
+        }
+
         if (Options.UsePkce)
         {
             var bytes = RandomNumberGenerator.GetBytes(256 / 8);

src/AspNet.Security.OAuth.Line/LineAuthenticationHandler.cs

@@ -35,13 +35,20 @@ protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] OA
     {
         var tokenRequestParameters = new Dictionary<string, string>
         {
-            ["grant_type"] = "authorization_code",
             ["code"] = context.Code,
             ["redirect_uri"] = context.RedirectUri,
             ["client_id"] = Options.ClientId,
             ["client_secret"] = Options.ClientSecret,
         };
 
+        if (Options.AdditionalAuthorizationParameters?.Count > 0)
+        {
+            foreach (var parameter in Options.AdditionalAuthorizationParameters)
+            {
+                tokenRequestParameters[parameter.Key] = parameter.Value;
+            }
+        }
+
         // PKCE https://tools.ietf.org/html/rfc7636#section-4.5, see BuildChallengeUrl
         if (context.Properties.Items.TryGetValue(OAuthConstants.CodeVerifierKey, out var codeVerifier))
         {

src/AspNet.Security.OAuth.Line/LineAuthenticationOptions.cs

@@ -23,6 +23,8 @@ public LineAuthenticationOptions()
         TokenEndpoint = LineAuthenticationDefaults.TokenEndpoint;
         UserInformationEndpoint = LineAuthenticationDefaults.UserInformationEndpoint;
 
+        AdditionalAuthorizationParameters["grant_type"] = "authorization_code";
+
         Scope.Add("profile");
         Scope.Add("openid");
 

src/AspNet.Security.OAuth.Mixcloud/MixcloudAuthenticationHandler.cs

@@ -35,9 +35,16 @@ protected override string BuildChallengeUrl([NotNull] AuthenticationProperties p
         {
             ["client_id"] = Options.ClientId,
             ["scope"] = scope,
-            ["response_type"] = "code",
         };
 
+        if (Options.AdditionalAuthorizationParameters?.Count > 0)
+        {
+            foreach (var parameter in Options.AdditionalAuthorizationParameters)
+            {
+                parameters[parameter.Key] = parameter.Value;
+            }
+        }
+
         if (Options.UsePkce)
         {
             var bytes = RandomNumberGenerator.GetBytes(256 / 8);

src/AspNet.Security.OAuth.Mixcloud/MixcloudAuthenticationOptions.cs

@@ -23,6 +23,8 @@ public MixcloudAuthenticationOptions()
         TokenEndpoint = MixcloudAuthenticationDefaults.TokenEndpoint;
         UserInformationEndpoint = MixcloudAuthenticationDefaults.UserInformationEndpoint;
 
+        AdditionalAuthorizationParameters["response_type"] = "code";
+
         ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "key");
         ClaimActions.MapJsonKey(ClaimTypes.Name, "username");
         ClaimActions.MapJsonKey(Claims.FullName, "name");

src/AspNet.Security.OAuth.Reddit/RedditAuthenticationHandler.cs

@@ -58,15 +58,6 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync(
         return new AuthenticationTicket(context.Principal!, context.Properties, Scheme.Name);
     }
 
-    protected override string BuildChallengeUrl([NotNull] AuthenticationProperties properties, [NotNull] string redirectUri)
-    {
-        var challengeUrl = base.BuildChallengeUrl(properties, redirectUri);
-
-        // Add duration=permanent to the authorization request to get an access token that doesn't expire after 1 hour.
-        // See https://github.com/reddit/reddit/wiki/OAuth2#authorization for more information.
-        return QueryHelpers.AddQueryString(challengeUrl, "duration", "permanent");
-    }
-
     /// <inheritdoc />
     protected override string FormatScope([NotNull] IEnumerable<string> scopes)
     {

src/AspNet.Security.OAuth.Reddit/RedditAuthenticationOptions.cs

@@ -24,6 +24,10 @@ public RedditAuthenticationOptions()
         TokenEndpoint = RedditAuthenticationDefaults.TokenEndpoint;
         UserInformationEndpoint = RedditAuthenticationDefaults.UserInformationEndpoint;
 
+        // Add duration=permanent to the authorization request to get an access token that doesn't expire after 1 hour.
+        // See https://github.com/reddit/reddit/wiki/OAuth2#authorization for more information.
+        AdditionalAuthorizationParameters["duration"] = "permanent";
+
         Scope.Add("identity");
 
         ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");

src/AspNet.Security.OAuth.Shopify/ShopifyAuthenticationHandler.cs

@@ -116,6 +116,14 @@ protected override string BuildChallengeUrl([NotNull] AuthenticationProperties p
             ["redirect_uri"] = redirectUri,
         };
 
+        if (Options.AdditionalAuthorizationParameters?.Count > 0)
+        {
+            foreach (var parameter in Options.AdditionalAuthorizationParameters)
+            {
+                parameters[parameter.Key] = parameter.Value;
+            }
+        }
+
         if (Options.UsePkce)
         {
             var bytes = RandomNumberGenerator.GetBytes(256 / 8);

src/AspNet.Security.OAuth.Weixin/WeixinAuthenticationHandler.cs

@@ -131,9 +131,16 @@ protected override string BuildChallengeUrl([NotNull] AuthenticationProperties p
         {
             ["appid"] = Options.ClientId,
             ["scope"] = scope,
-            ["response_type"] = "code",
         };
 
+        if (Options.AdditionalAuthorizationParameters?.Count > 0)
+        {
+            foreach (var parameter in Options.AdditionalAuthorizationParameters)
+            {
+                parameters[parameter.Key] = parameter.Value;
+            }
+        }
+
         if (Options.UsePkce)
         {
             var bytes = RandomNumberGenerator.GetBytes(256 / 8);

src/AspNet.Security.OAuth.Weixin/WeixinAuthenticationOptions.cs

@@ -23,6 +23,8 @@ public WeixinAuthenticationOptions()
         TokenEndpoint = WeixinAuthenticationDefaults.TokenEndpoint;
         UserInformationEndpoint = WeixinAuthenticationDefaults.UserInformationEndpoint;
 
+        AdditionalAuthorizationParameters["response_type"] = "code";
+
         Scope.Add("snsapi_login");
         Scope.Add("snsapi_userinfo");
 

src/AspNet.Security.OAuth.WorkWeixin/WorkWeixinAuthenticationHandler.cs

@@ -110,6 +110,14 @@ protected override string BuildChallengeUrl([NotNull] AuthenticationProperties p
             ["redirect_uri"] = redirectUri,
         };
 
+        if (Options.AdditionalAuthorizationParameters?.Count > 0)
+        {
+            foreach (var parameter in Options.AdditionalAuthorizationParameters)
+            {
+                parameters[parameter.Key] = parameter.Value;
+            }
+        }
+
         if (Options.UsePkce)
         {
             var bytes = RandomNumberGenerator.GetBytes(256 / 8);