Corppass Authorization API (FAPI 2.0)

Integrate with FAPI 2.0 for Enhanced Security

FAPI 2.0 is a high-assurance security profile, built on OAuth 2.0 and OpenID Connect, that strengthens authentication and authorisation. It is available for technical integration from:

  • Staging: 23 February 2026

  • Production: 23 March 2026

What this means for partners

  • New services created on or after the dates above must use FAPI 2.0 to meet the latest security standards.

  • Production services onboarded before 23 March 2026 must migrate to FAPI 2.0 in 2027, ahead of the planned deprecation of the Legacy Security Profile. To ensure continuity of service, we encourage planning and completing migration early.

Introduction

This technical specification describes the web-based Application Programming Interfaces (APIs) provided by Corppass for use by Relying Parties (RPs).

It defines the required endpoints and interactions to:

  • Initiate user authentication using the OpenID Connect (OIDC) protocol

  • Securely and reliably retrieve identity and authorization information

Corppass implements the OpenID Foundation’s Financial-grade API (FAPI) 2.0 Security Profile, a high-assurance security standard built on top of OAuth 2.0 and OpenID Connect.

This ensures that all authentication and authorization flows are protected using:

  • JWE-encrypted ID tokens

  • JWT-based client authentication (client assertions)

  • Sender-constrained access tokens via DPoP (Demonstration of Proof of Possession)

Authorization Flow

  1. Discover OpenID Provider Configuration

    • Initiate a request to the OpenID Discovery endpoint to retrieve the provider configuration.

    • This provides endpoint URLs, supported scopes, algorithms, and JWKS locations needed for the authorization flow.

    • Refer to OpenID Discovery Endpoint for more details.

  2. Pushed Authorisation Request (PAR)

    • Initiate the authorization request by sending the required parameters (e.g., scope, redirect_uri, client assertion, PKCE) to the PAR /request endpoint.

    • Corppass returns a request_uri referencing the validated request object, which will be used in the next step.

  3. Authorization Request

    • Redirect the user agent to the Authorization Endpoint (/mga/sps/oauth/oauth20/authorize) with the request_uri obtained from the PAR step.

    • This starts the end-user authentication process.

    • Refer to Authorization Endpoint for more details.

  4. Authentication

    • The user authenticates with Singpass credentials and completes any required authentication steps.

    • Where required, the user also provides consent for requested scopes.

  5. Receive Authorization Code

    • After authentication (and consent, if applicable), the user agent is redirected to the client's redirect URI with a DPoP-bound authorization code.

    • Refer to the Authorization Response section for more details.

  6. Token Exchange: Initiate

    • Exchange the authorization code at the Token Endpoint by presenting a valid DPoP proof, client assertion, and the authorization code obtained from the authorization request.

    • Corppass processes the request and prepares the ID token and access token for issuance.

    • Refer to Token Endpoint for more details.

  7. Token Exchange: Issue Tokens

    • Corppass encrypts the ID token (JWE) using the client’s encryption public key obtained from the client's JWKS endpoint.

    • After encryption, Corppass returns the encrypted ID token along with the DPoP-bound access token to the client.

    • Refer to the ID Token section for more details.

  8. Token Exchange: Token Validation and Decryption

    • Decrypt the JWE ID token with the client's private encryption key (the counterpart of the public key used in step 7), then retrieve Corppass’s signing public keys from the JWKS endpoint and validate the ID token signature before processing the claims.

    • Refer to the ID Token section for more details.

  9. Userinfo Endpoint: Retrieve Additional Information (Where Required)

    • Call the Userinfo Endpoint using the access token obtained from the token exchange, along with a matching DPoP proof, to retrieve information based on the requested scopes, where applicable:

      • Authorization details for the authenticated user

      • Personal information for the authenticated user

      • Entity information for the transacting entity

    • Only call this step if additional entity or user information is required.

    • Refer to Userinfo Endpoint for more details.
