# Authorization Code with Proof Key of Code Exchange (PKCE) Flow

```
GET /mga/sps/oauth/oauth20/authorize
```

This endpoint initiates the OpenID Connect (OIDC) Authorization Code flow and is used to obtain an authorization code. The authorization code can later be exchanged with Corppass at the token endpoint to retrieve an ID token and an access token.

After the user successfully authenticates with Singpass, the authorization code is returned to the user agent as part of a `302 Redirect` response to the Relying Party's specified `redirect_uri`.

#### Request

<table data-full-width="false"><thead><tr><th width="233">Query Parameter</th><th width="100">Required</th><th>Description</th></tr></thead><tbody><tr><td>scope</td><td>Yes</td><td>Must contain at least the <code>openid</code> scope. For a comprehensive list of valid scopes, refer to the <a href="/pages/68Rr4dCUcGIZ1F7HHp1a">Scopes Overview</a> section. Unrecognised or unauthorised scopes will result in an error.</td></tr><tr><td>response_type</td><td>Yes</td><td>Specifies the response processing flow. Currently, Corppass only supports <code>code</code> as a valid value.</td></tr><tr><td>client_id</td><td>Yes</td><td>The client identifier assigned to the Relying Party during onboarding with Corppass.</td></tr><tr><td>redirect_uri</td><td>Yes</td><td>The callback URL for receiving the authorization response. Must exactly match one of the RP's registered callback URLs.</td></tr><tr><td>state</td><td>Yes</td><td>A client-provided value used to maintain state between the request and the callback. Helps to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks.</td></tr><tr><td>nonce</td><td>Yes</td><td>A unique value provided by the RP that is returned in the ID Token. Used to prevent replay attacks and must be validated by the RP.</td></tr><tr><td>esrvcID</td><td>No</td><td>Applicable only to specific RPs authorized by Corppass.</td></tr><tr><td>code_challenge</td><td>Yes</td><td>The hashed value generated from the code verifier. Refer to <a href="/pages/TOFgMaQYGoeEs2HmOyj3">Proof Key of Code Exchange</a> for more details about the concept.</td></tr><tr><td>code_challenge_method</td><td>Yes</td><td>The code verifier transformation method. Currently, Corppass only supports <code>S256</code> as a valid value.</td></tr></tbody></table>

#### Response

<table><thead><tr><th width="183">Query Parameter</th><th>Description</th></tr></thead><tbody><tr><td>code</td><td>The authorization code returned by the authorization server in the callback URL. This one-time code must be used by the Relying Party to invoke the token endpoint and retrieve the user's ID token and access token. <a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint">Learn more</a>.</td></tr><tr><td>state</td><td><p>The state parameter returned as-is to help the client maintain state between the request and the callback. <br></p><p>It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. <a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest">Learn more</a>.</p></td></tr></tbody></table>
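The request and response parameters above, put together as an added example (not Corppass's own code): it derives the `S256` `code_challenge` as defined in RFC 7636, builds the authorization request, and accepts a callback only when `state` matches the stored value. The host name, client ID and callback URL are placeholders, and the function names are hypothetical.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder host (assumption): the page gives only the endpoint path.
AUTHORIZE_URL = "https://corppass-host.example/mga/sps/oauth/oauth20/authorize"

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), unpadded (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_request(client_id, redirect_uri, scope="openid"):
    """Return (url, session); session holds values the RP keeps server-side."""
    session = {
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, within the 43-128 limit
        "state": secrets.token_urlsafe(32),          # checked on the callback
        "nonce": secrets.token_urlsafe(32),          # checked later against the ID token
        "redirect_uri": redirect_uri,
    }
    params = {
        "scope": scope,
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), session

def handle_callback(callback_url, session):
    """Return the authorization code only if state matches the stored value."""
    query = parse_qs(urlsplit(callback_url).query)
    code, state = query.get("code", []), query.get("state", [])
    if len(code) != 1 or len(state) != 1:
        raise ValueError("callback must carry exactly one code and one state")
    # Constant-time comparison on bytes, so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(state[0].encode(), session["state"].encode()):
        raise ValueError("state mismatch: discard the response")
    return code[0]

if __name__ == "__main__":
    url, sess = build_authorization_request("CONSTRUCTED-CLIENT-ID",
                                            "https://rp.example/callback")
    print(url)
```

The `code_verifier` is never sent to this endpoint; under RFC 7636 the RP presents it when exchanging the code at the token endpoint.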

