| Query Parameter | Required | Description |
|---|---|---|
| scope | Yes | Must contain at least the openid scope. For a comprehensive list of valid scopes, refer to the Scopes Overview section. Unrecognised or unauthorised scopes will result in an error. |
| response_type | Yes | Specifies the response processing flow. Currently, Corppass only supports code as a valid value. |
| client_id | Yes | The client identifier assigned to the Relying Party during onboarding with Corppass. |
| redirect_uri | Yes | The callback URL for receiving the authorization response. Must exactly match one of the RPs' registered callback URLs registered. |
| state | Yes | A client-provided value used to maintain state between the request and the callback. Helps to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. |
| nonce | Yes | A unique value provided by the RP that is returned in the ID Token. Used to prevent replay attacks and must be validated by the RP. |
| esrvcID | No | Applicable only to specific RPs authorized by Corppass. |
| code_challenge | Yes | The hashed value generated from the code verifier. Refer to Proof Key of Code Exchange for more details about the concept. |
| code_challenge_method | Yes | The code verifier transformation method. Currently, Corppass only supports S256 as a valid value. |
| Query Parameter | Description |
|---|---|
| code | The authorization code returned by the authorization server in the callback URL. This one-time code must be used by the Relying Party to invoke the token endpoint and retrieve the user's ID token and access token. Learn more. |
| state | The state parameter returned as-is to help the client maintain state between the request and the callback. It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. Learn more. |