2. Authorization Endpoint
The Authorization Endpoint is the entry point for the user's authentication journey.
After successfully registering the request parameters via the Pushed Authorization Request (PAR) endpoint, the user's browser must be redirected to this endpoint to authenticate with Corppass.
Request (Redirect the User)
To initiate the authentication session, redirect the user's browser to the Authorization Endpoint URL obtained from the OpenID Discovery Endpoint (authorization_endpoint).
GET /mga/sps/oauth/oauth20/authorize
Query Parameters
Unlike legacy flows, this request does not contain sensitive parameters (such as scope or redirect_uri) in the query string. Instead, it utilises the request_uri obtained from the PAR response to reference the pre-validated payload.
client_id (Required)
The unique identifier assigned to the Relying Party application during onboarding.
Validation: Must strictly match the client_id used in the preceding Pushed Authorization Request (PAR).
request_uri (Required)
The unique Uniform Resource Identifier (URI) that references the authorization parameters stored during the PAR step.
Validation: Must be the exact request_uri value returned in the response from the PAR Endpoint. This URI is short-lived. The client must redirect the user to the Authorization Endpoint before the URI expires (within 60 seconds).
Sample Request (Redirect URL)
GET /mga/sps/oauth/oauth20/authorize
?client_id=51YUlwazLASM7aqMiBNW
&request_uri=urn:ietf:params:oauth:request_uri:h8YQPVV0Dgm5MGaD_koAm HTTP/1.1
Host: id.corppass.gov.sg
Success Response (Callback)
Upon successful authentication, the user agent is redirected to the redirect_uri registered in the PAR step via a 302 Found response.
The following parameters are appended to the query string.
Query Parameters
code
Authorization Code. A short-lived, single-use credential required to retrieve Access Token and ID Token at the Token Endpoint.
The code is valid for 60 seconds and can only be used once.
state
The opaque value originally provided by the client in the authorization request (PAR), returned unmodified. This is to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks.
Validation: The Relying Party must verify that this value strictly matches the state stored in the user's session from the initial request (PAR). If the values do not match, the response is invalid and likely part of a Cross-Site Request Forgery (CSRF) attack. Reject the request immediately.
It is strongly recommended to use a certified OIDC Relying Party library, as the standard checks are automatically handled by the library.
Sample Response (Callback URL)
Error Response (Callback)
If authentication fails, is denied by the user, or a processing error occurs, the user agent is redirected to the redirect_uri (provided in the PAR step), where applicable, with the following error parameters appended to the query string.
Clients must handle the error parameters and provide appropriate feedback or guidance to the user, to ensure a smooth user experience.
Query Parameters
error
A standardised error code identifying the type of error that occurred.
See Error Codes below for a complete list of possible values.
error_description
A human-readable text description providing additional details about the error.
state
The opaque value originally provided by the client in the authorization request (PAR), returned unmodified if available.
Validation:
Used to correlate the error response with the correct user session.
Error Codes
invalid_request
The request is missing a required parameter, includes invalid or unsupported values, or is otherwise malformed.
Examples:
- Missing or unrecognized client_id
- client_id does not match the client associated with the referenced request_uri
- Invalid client JWKS URL or invalid values being returned by the URL
invalid_request_uri
The request_uri parameter provided was missing, malformed, expired, or does not match the client associated with the referenced request_uri.
server_error
The authorization server encountered an unexpected internal error while processing the request. The error can potentially be due to the RP’s JWK endpoint being unreachable or returning a malformed JWK.
temporarily_unavailable
The server is temporarily unable to handle the request due to maintenance or high load.
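The redirect and the two callback shapes described above (success with code and state, error with error, error_description and an optional state), as an added Python example that is not Corppass code or part of this documentation. It assumes a hypothetical server-side session dict that holds the state value saved at PAR time; the endpoint path and the 60-second lifetimes are the ones stated on this page.

```python
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint and lifetime are taken from the page; everything else is illustrative.
AUTHORIZE_URL = "https://id.corppass.gov.sg/mga/sps/oauth/oauth20/authorize"
REQUEST_URI_TTL = 60  # request_uri must be used within 60 seconds of the PAR response


def build_authorize_redirect(client_id, request_uri, par_issued_at, now=None):
    """Build the front-channel redirect. Returns None if the request_uri has already
    expired, in which case the RP should run PAR again rather than send a stale URI."""
    now = time.time() if now is None else now
    if now - par_issued_at >= REQUEST_URI_TTL:
        return None
    # Only client_id and request_uri travel in the query string; scope, redirect_uri
    # and state were already registered with the PAR endpoint.
    return AUTHORIZE_URL + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def handle_callback(callback_url, session):
    """Classify the redirect back to the RP. `session` is a hypothetical server-side
    session dict holding the `state` saved at PAR time. Returns (outcome, detail)."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.get("state")
    received = params.get("state", "")
    # Constant-time comparison of the opaque state value against the stored one.
    state_ok = expected is not None and hmac.compare_digest(received.encode(), expected.encode())

    if "error" in params:
        # state is only returned "if available" on errors, so a missing state does not
        # prove CSRF here; it only means the error cannot be tied to this session.
        if state_ok:
            session.pop("state", None)
        return ("error", {"error": params["error"],
                          "error_description": params.get("error_description", ""),
                          "correlated": state_ok})

    if not state_ok:
        # Mismatched or missing state on a success response: reject, never use the code.
        return ("reject", "state mismatch: possible CSRF")
    session.pop("state", None)  # state is single-use; a replayed callback now fails
    if "code" not in params:
        return ("reject", "missing authorization code")
    # Hand the code to the back-channel token exchange (3. Token Endpoint) within 60s.
    return ("code", params["code"])
```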
Sample Response (Callback URL)
Next Steps
Exchange the Code for Tokens: Once the Authorization Code is received, exchange it for the Access Token and ID Token via a secure back-channel call.
Proceed to 3. Token Endpoint to perform the token exchange.