2. Authorization Endpoint
The Authorization Endpoint is the entry point for the user's authentication journey.
After successfully registering the request parameters via the Pushed Authorization Request (PAR) endpoint, the user's browser must be redirected to this endpoint to authenticate with Corppass.
Request (Redirect the User)
To initiate the authentication session, redirect the user's browser to the Authorization Endpoint URL obtained from the OpenID Discovery Endpoint (authorization_endpoint).
GET /mga/sps/oauth/oauth20/authorize
Query Parameters
Unlike legacy flows, this request does not contain sensitive parameters (such as scope or redirect_uri) in the query string. Instead, it utilises the request_uri obtained from the PAR response to reference the pre-validated payload.
client_id (required)
The client identifier assigned to the RP during onboarding. This must match the client_id used in the previous Pushed Authorization Request.
request_uri (required)
The unique URI (request_uri) returned from the PAR endpoint.
Sample Request (Redirect URL)
GET /mga/sps/oauth/oauth20/authorize
?client_id=51YUlwazLASM7aqMiBNW
&request_uri=urn:ietf:params:oauth:request_uri:h8YQPVV0Dgm5MGaD_koAm HTTP/1.1
Host: id.corppass.gov.sg

Success Response (Callback)
Upon successful authentication and consent, the authorization server redirects the user back to the redirect_uri registered in the PAR step via a 302 Found response.
The callback URL will include the Authorization Code and the state parameter.
Query Parameters
code
The Authorization Code. This is a one-time, short-lived credential used to obtain an Access Token and an ID Token at the Token Endpoint. The code is valid for 60 seconds and cannot be used once expired.
state
The exact state value provided at PAR, returned as-is to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks.
Security Requirement: State Validation. The Relying Party must validate that the state returned in the callback matches the value originally generated and sent at PAR. This step is critical to prevent Cross-Site Request Forgery (CSRF) attacks.
It is strongly recommended to use a certified OIDC Relying Party library, as these standard checks will be automatically performed by the library.
Sample Response (Callback URL)
Error Response (Callback)
If authentication fails, is denied by the user, or an error occurs, the user is redirected to the client's redirect_uri (where applicable) with error parameters.
Clients must handle the error query parameters on the callback URL to ensure a smooth user experience.
Query Parameters
error
The error code identifying the type of error. See Error Codes below.
error_description
A human-readable description of the error.
state
The exact state value provided at PAR, returned to allow clients to map the error to the correct session.
Error Codes
invalid_request
The request is missing a required parameter, includes invalid or unsupported values, or is otherwise malformed.
Examples:
- Missing or unrecognized client_id
- client_id does not match the client associated with the referenced request_uri
- Invalid client JWKS URL, or invalid values being returned by the URL
invalid_request_uri
The request_uri parameter provided was missing, malformed, expired, or does not match the client associated with the referenced request_uri.
server_error
The authorization server encountered an unexpected internal error while processing the request. The error can potentially be due to the RP’s JWK endpoint being unreachable or returning a malformed JWK.
temporarily_unavailable
The server is temporarily unable to handle the request due to maintenance or high load.
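As an added illustration (this is not code from the Corppass documentation or from any Corppass library), the following Python shows a Relying Party doing both halves of what this section describes: building the front-channel redirect with only client_id and request_uri in the query string, and then handling the callback, where the state check runs before the code or the error parameters are acted on, so that success and error callbacks are treated identically with respect to session binding. The endpoint host and path, client_id and request_uri values are taken from the page's sample request; the callback URL https://rp.example/cb and the parameter values in the callback examples are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint path and sample values as shown in the page's sample request.
AUTHORIZATION_ENDPOINT = "https://id.corppass.gov.sg/mga/sps/oauth/oauth20/authorize"
SAMPLE_CLIENT_ID = "51YUlwazLASM7aqMiBNW"
SAMPLE_REQUEST_URI = "urn:ietf:params:oauth:request_uri:h8YQPVV0Dgm5MGaD_koAm"


def new_state() -> str:
    """Unguessable per-session state; the RP stores it server-side at PAR time."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, request_uri: str) -> str:
    """Front-channel redirect: only client_id and request_uri travel in the query string.

    Everything sensitive (scope, redirect_uri, state, ...) stayed in the PAR payload
    that request_uri references. Colons are left unescaped to match the page's sample.
    """
    query = urlencode({"client_id": client_id, "request_uri": request_uri}, safe=":")
    return f"{AUTHORIZATION_ENDPOINT}?{query}"


class CallbackError(Exception):
    """Raised when the callback must not be trusted (bad state, malformed parameters)."""


@dataclass
class CallbackResult:
    """Either a code to exchange at the Token Endpoint, or the server-reported error."""
    code: Optional[str] = None
    error: Optional[str] = None
    error_description: Optional[str] = None


def handle_callback(callback_url: str, expected_state: str) -> CallbackResult:
    """Parse the redirect_uri callback and enforce the state check first."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def single(name: str) -> Optional[str]:
        # Reject duplicated parameters rather than silently picking one of them.
        values = params.get(name, [])
        if len(values) > 1:
            raise CallbackError(f"duplicate parameter: {name}")
        return values[0] if values else None

    state = single("state")
    # The state check happens before anything else and applies to error callbacks
    # too: an error response that fails it is not mapped to any session.
    # Constant-time comparison avoids leaking how much of the value matched.
    if state is None or not hmac.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise CallbackError("state mismatch: callback does not belong to this session")

    error = single("error")
    if error is not None:
        # Surface the documented error / error_description pair to the caller,
        # which decides how to present it to the user.
        return CallbackResult(error=error, error_description=single("error_description"))

    code = single("code")
    if not code:
        raise CallbackError("callback carries neither code nor error")
    # The code is single-use and valid for 60 seconds: exchange it immediately
    # via the back-channel Token Endpoint call, never store it for later.
    return CallbackResult(code=code)


if __name__ == "__main__":
    # Constructed walk-through: redirect, then a success and an error callback.
    state = new_state()
    print(build_authorize_url(SAMPLE_CLIENT_ID, SAMPLE_REQUEST_URI))
    ok = handle_callback(f"https://rp.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print("code received:", ok.code)
    err = handle_callback(
        f"https://rp.example/cb?error=invalid_request_uri&error_description=expired&state={state}",
        state,
    )
    print("error received:", err.error, "-", err.error_description)
```

The state value handed to handle_callback must come from the RP's own server-side session (the value it generated before the PAR call), never from anything the browser sends back; otherwise the check compares the attacker's state against itself. A certified OIDC library performs the same check, along with the other standard validations, which is why the page recommends one.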
Sample Response (Callback URL)
Next Steps
Exchange the Code for Tokens: Once the Authorization Code is received, exchange it for the Access Token and ID Token via a secure back-channel call.
Proceed to 3. Token Endpoint to perform the token exchange.