Corppass Authorization API
This technical specification outlines the web-based Application Programming Interfaces (APIs) designed for use by Relying Parties (RPs) and clients. It specifies the APIs that RPs must invoke to facilitate OpenID Connect (OIDC) authentication and retrieve authorization information for Corppass users.
The following diagram illustrates the OIDC flow between the RP and Corppass, detailing the interactions required to authenticate users and access their authorization information:
All RPs should follow these steps, as illustrated in the above diagram. A short summary of the diagram:
Discover OpenID Provider Configuration
Retrieve the details of the OpenID Provider by querying the OpenID Discovery endpoint. Refer to the OpenID Discovery Endpoint section.
Initiate Authorization Request
Send an authorization request to the Corppass Authorization Endpoint to obtain an authorization code. Refer to the Authorization Endpoint section.
User Authentication
The user will be prompted to log in with Singpass and authenticate using their Singpass credentials.
Token Exchange
Exchange the authorization code and client assertion at the Token Endpoint to obtain the ID token and access token. Refer to the Token Endpoint section.
ID Token Encryption
Corppass retrieves the RP's encryption public key from the client’s JWKS during the token issuance process. Refer to the Client JWKS section.
ID Token Signature Validation
The RP retrieves Corppass's signing public key from the JWKS endpoint to validate the signature of the ID token. Refer to the JWKS Endpoint section.
Retrieve Authorization Information
Use the access token to query the Authorization Info Endpoint and retrieve the Corppass user’s authorization details. Refer to the Authorization Info Endpoint section.