> For the complete documentation index, see [llms.txt](https://docs.corppass.gov.sg/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide/2.-authorization-endpoint.md).

# 2. Authorization Endpoint

The **Authorization Endpoint** is the entry point for the user's authentication journey.

After successfully registering the request parameters via the [Pushed Authorization Request (PAR) endpoint](/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide/1.-pushed-authorization-request-par-endpoint.md), the user's browser must be redirected to this endpoint to authenticate with Corppass.

## Request (Redirect the User)

To initiate the authentication session, redirect the user's browser to the Authorization Endpoint URL obtained from the [OpenID Discovery Endpoint](/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide/0.-well-known-endpoints/openid-discovery-endpoint.md) (`authorization_endpoint`).

```http
GET /mga/sps/oauth/oauth20/authorize 
```

### Query Parameters

Unlike legacy flows, this request does *not* contain sensitive parameters (such as `scope` or `redirect_uri`) in the query string. Instead, it utilises the `request_uri` obtained from the PAR response to reference the pre-validated payload.

<table><thead><tr><th width="169.57421875">Parameter</th><th width="106">Required</th><th>Description</th></tr></thead><tbody><tr><td><code>client_id</code></td><td>Yes</td><td><p>The unique identifier assigned to the Relying Party application during onboarding.<br></p><p><strong>Validation:</strong></p><ul><li>Must strictly match the <code>client_id</code> used in the preceding Pushed Authorization Request (PAR).</li></ul></td></tr><tr><td><code>request_uri</code></td><td>Yes</td><td><p>The unique Uniform Resource Identifier (URI) that references the authorization parameters stored during the PAR step.</p><p></p><p><strong>Validation:</strong></p><ul><li>Must be the exact <code>request_uri</code> value returned in the response from the PAR Endpoint.</li><li>This URI is short-lived. The client must redirect the user to the Authorization Endpoint before the URI expires (within 60 seconds).</li></ul></td></tr></tbody></table>

### Sample Request (Redirect URL)

{% code overflow="wrap" %}

```http
GET /mga/sps/oauth/oauth20/authorize
?client_id=51YUlwazLASM7aqMiBNW
&request_uri=urn:ietf:params:oauth:request_uri:h8YQPVV0Dgm5MGaD_koAm HTTP/1.1
Host: id.corppass.gov.sg
```

{% endcode %}

## Success Response (Callback)

Upon successful authentication, the user agent is redirected to the `redirect_uri` registered in the PAR step via a `302 Found` response.

The following paramters are appended to the query string.

### Query Parameters

<table><thead><tr><th width="185">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>code</code></td><td><p><strong>Authorization Code</strong>. A short-lived, single-use credential required to retrieve Access Token and ID Token at the <a href="/pages/tdw1eZJeFJxNFBu1QGx2">Token Endpoint</a>.</p><p><br>The code is valid for <strong>60 seconds</strong> and can only be used once.</p></td></tr><tr><td><code>state</code></td><td><p>The opaque value originally provided by the client in the authorization request (PAR), returned unmodified. This is to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks.</p><p></p><p><strong>Validation:</strong></p><ul><li>The Relying Party <strong>must</strong> verify that this value strictly matches the <code>state</code> stored in the user's session from the initial request (PAR).</li><li>If the values do not match, the response is invalid and likely part of a Cross-Site Request Forgery (CSRF) attack. Reject the request immediately.</li></ul></td></tr><tr><td><code>iss</code></td><td>The issuer identifier of the Corppass authorization server (See the <code>issuer</code> field in the <a href="https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide/0.-well-known-endpoints/openid-discovery-endpoint#response">OpenID Discovery Endpoint</a>). Both success and failure response redirects will contain this parameter. For security, it is recommended that clients verify this value against the expected Corppass issuer before acting on the response. If you are using an OpenID/OAuth2 client, this will be validated by the library for you.</td></tr></tbody></table>

{% hint style="warning" %}
**It is strongly recommended** to use a [certified OIDC Relying Party library](https://openid.net/developers/certified-openid-connect-implementations/), as the standard checks are automatically handled by the library.
{% endhint %}

### Sample Reponse (Callback URL)

```http
HTTP/1.1 302 Found
Location: https://client.example.org/callback
?code=KxygiAyIIHu4OCCqjF9XAxpCjKk0uUkKNA6mfVD9HZw
&state=5de6a954-a762-4975-a8f4-b692cc35b964
&iss=https%3A%2F%2Fid.corppass.gov.sg
```

## Error Response (Callback)

If authentication fails, is denied by the user, or a processing error occurs, the user agent is redirected to the `redirect_uri` (provided in the PAR step), where applicable, with the following error parameters appended to the query string.

{% hint style="warning" %}
Clients **must** handle the error parameters to provide appropriate feedback or guidance to the user, to ensure smooth user experience.
{% endhint %}

### Query Parameters

<table><thead><tr><th width="256.484375">Query Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>error</code></td><td><p>A standardised error code identifying the type of error that occurred.</p><p><br>See <a href="#error-codes">Error Codes</a> below for a complete list of possible values.</p></td></tr><tr><td><code>error_description</code></td><td>A human-readable text description providing additional details about the error.</td></tr><tr><td><code>state</code></td><td><p>The opaque value originally provided by the client in the authorization request (PAR), returned unmodified if available.</p><p></p><p><strong>Validation:</strong></p><ul><li>Used to correlate the error response with the correct user session.</li></ul></td></tr><tr><td><code>iss</code></td><td>The issuer identifier of the Corppass authorization server (See the <code>issuer</code> field in the <a href="https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide/0.-well-known-endpoints/openid-discovery-endpoint#response">OpenID Discovery Endpoint</a>). Both success and failure response redirects will contain this parameter. For security, it is recommended that clients verify this value against the expected Corppass issuer before acting on the response.</td></tr></tbody></table>

#### Error Codes

<table><thead><tr><th width="256.484375">Error Code</th><th>Description</th></tr></thead><tbody><tr><td>login_required</td><td>The user does not have an active session, the session has expired, or the session has been invalidated.</td></tr><tr><td>access_denied</td><td>The resource owner or authorization server denied the request.</td></tr><tr><td>server_error</td><td>The authorization server encountered an unexpected internal error while processing the request.<br>The error can potentially be due to the RP’s JWK endpoint being unreachable or returning a malformed JWK.</td></tr><tr><td>temporarily_unavailable</td><td>The server is temporarily unable to handle the request due to maintenance or high load.</td></tr></tbody></table>

### Sample Response (Callback URL)

<pre class="language-http" data-overflow="wrap"><code class="lang-http">HTTP/1.1 302 Found
<strong>Location: https://client.example.org/callback
</strong><strong>?error=server_error
</strong><strong>&#x26;error_description=The+server+encountered+an+unexpected+internal+error+while+processing+the+request.
</strong><strong>&#x26;state=Zw_r_a2uBDoy-kR7562RjM4-C9K3C2zDRQg-AJsDwb4
</strong>&#x26;iss=https%3A%2F%2Fid.corppass.gov.sg
</code></pre>

## Next Steps

**Exchange the Code for Tokens:** Once the Authorization Code is received, exchange it for the Access Token and ID Token via a secure back-channel call.

**Proceed to** [**3. Token Endpoint**](/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide/3.-token-endpoint.md) **to perform the token exchange.**
