0. Well-known Endpoints

Corppass supports industry-standard OpenID Connect (OIDC) Discovery mechanisms. These publicly accessible endpoints allow Relying Parties (RPs) to programmatically discover Corppass' current configuration, endpoint locations, and cryptographic keys.

By using these endpoints, your application can configure itself dynamically, reducing the risk of errors from hard-coded values and ensuring resilience against infrastructure changes.

Why use these endpoints?

  • Dynamic Configuration: Automatically updates endpoint URLs if Corppass infrastructure changes.

  • Zero-Downtime Key Rotation: Automatically fetches new keys when Corppass rotates its signing keys, preventing service outages.

  • Standard Compliance: Ensures seamless integration with standard OIDC client libraries.


Integration Workflow

To integrate successfully, your application should implement the following logic to "bootstrap" its configuration at startup and handle key rotation at runtime.

Step 1: Fetch Provider Metadata

When: Application Startup

  • Initiate a GET request to the OpenID Discovery Endpoint.

  • This returns a JSON document containing critical configuration data, including the locations of the Authorization, Token, and JWKS endpoints.

  • Refer to OpenID Discovery Endpoint for more details.

Step 2: Extract & Configure

When: Immediately after Step 1

  • Parse the JSON response.

  • Configure Endpoints: Update your OIDC client with the dynamic URLs (e.g., for pushed_authorization_request_endpoint, authorization_endpoint, and token_endpoint).

  • Locate Keys: Extract the jwks_uri field. This URL is required for the next step.

Step 3: Fetch & Cache Public Keys

When: Application Startup (and periodically)

  • Initiate a GET request to the URL found in jwks_uri.

  • Cache Strategy: Store the retrieved JSON Web Key Set (JWKS) in a local cache (e.g., Redis or memory).

  • TTL (Time-To-Live): Set a reasonable expiration (e.g., 1 hour) to balance performance with freshness.

  • Refer to JWKS Endpoint for more details.

Step 4: Handle Key Rotation (Runtime)

When: Token Verification Fails

  • If your application receives a token with a Key ID (kid) that is missing from your local cache:

    1. Do not reject immediately.

    2. Force Refresh: Trigger an immediate request to the jwks_uri to fetch the latest keys.

    3. Retry Verification: Attempt to verify the token signature again with the updated key set.

    4. Reject: If the key is still missing after the refresh, reject the request.
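The four steps above as one runnable Python sketch, added here and not part of the Corppass documentation. The HTTP client is replaced by an injected `fetch_json` callable so it runs offline, the discovery document and both key sets are constructed sample data, and the minimum interval between forced refreshes is an addition of this example: it keeps tokens carrying unknown `kid` values from driving unbounded requests to the JWKS endpoint.

```python
import time
from typing import Callable, Dict, Optional

# Constructed sample data (not real Corppass values) so the example runs offline.
DISCOVERY_URL = "https://idp.example/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "authorization_endpoint": "https://idp.example/authorize",
    "pushed_authorization_request_endpoint": "https://idp.example/par",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/jwks",
}
# Key set before and after a rotation; only the "kid" matters for this sketch.
JWKS_BEFORE = {"keys": [{"kid": "key-1", "kty": "RSA", "use": "sig"}]}
JWKS_AFTER = {"keys": [{"kid": "key-2", "kty": "RSA", "use": "sig"}]}


class JwksCache:
    """Bootstraps endpoints from discovery and caches the JWKS with a TTL (Steps 1-4)."""

    def __init__(self, fetch_json: Callable[[str], dict], ttl_seconds: int = 3600,
                 min_refresh_interval: int = 60, now: Callable[[], float] = time.time):
        self.fetch_json = fetch_json          # injected HTTP GET + JSON decode
        self.ttl = ttl_seconds                # Step 3: cache freshness (e.g. 1 hour)
        self.min_refresh_interval = min_refresh_interval  # added: rate limit on forced refresh
        self.now = now                        # injectable clock for testing
        self.endpoints: Dict[str, str] = {}
        self.keys: Dict[str, dict] = {}       # kid -> JWK
        self.fetched_at = 0.0
        self.last_forced_refresh = 0.0

    def bootstrap(self, discovery_url: str) -> None:
        doc = self.fetch_json(discovery_url)  # Step 1: fetch provider metadata
        # Step 2: keep the endpoints the client needs; a missing jwks_uri is a hard error.
        self.endpoints = {k: doc[k] for k in (
            "authorization_endpoint", "token_endpoint",
            "pushed_authorization_request_endpoint", "jwks_uri")}
        self.refresh_keys()                   # Step 3: initial key fetch

    def refresh_keys(self) -> None:
        jwks = self.fetch_json(self.endpoints["jwks_uri"])
        self.keys = {jwk["kid"]: jwk for jwk in jwks["keys"] if jwk.get("kid")}
        self.fetched_at = self.now()

    def get_key(self, kid: str) -> Optional[dict]:
        """Step 4: on an unknown kid, force one (rate-limited) refresh, then retry or reject."""
        if self.now() - self.fetched_at > self.ttl:
            self.refresh_keys()               # routine TTL expiry
        jwk = self.keys.get(kid)
        if jwk is None and self.now() - self.last_forced_refresh >= self.min_refresh_interval:
            self.last_forced_refresh = self.now()
            self.refresh_keys()               # forced refresh for a kid missing from the cache
            jwk = self.keys.get(kid)
        return jwk                            # None means: reject the token
```

`get_key` returning `None` is the point at which the token is rejected; the JWK it returns is what your JWT library uses to verify the signature.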

