ID Token Structure
The ID Token contains both standard claims and Corppass-specific custom claims.
Standard Claims
Standard claims such as iss, iat, exp, etc., as defined in Section 5.1 of the OIDC Core Specification.
String
Custom Claims
Corppass-specific claims providing details about the authenticated user:
userInfo: Includes Corppass user's personal information, such as full name and account type
entityInfo: Includes Corppass user's entity information, detailing entities the user is authorized for or selected during authorization (applicable when the user has access to multiple entities)
JavaScript Object Notation (JSON)
ID Token Format
The ID Token is issued as a JWS encapsulated in a JWE (compact serialisation). Below is an overview of its structure:
JWE Header
Contains metadata such as the encryption algorithm (alg) and key identifier (kid).
Encrypted Payload
Contains the Base64-encoded representation of the JWS (decrypted).
JWS Header
Includes metadata such as the signing algorithm (alg) and the key identifier (kid).
JWS Payload
Contains claims, including user and authorization information.
Signature
Ensures the integrity and authenticity of the payload.
Clients must use the kid field in the JWE header to identify the key Corppass used for encryption. Refer to RFC 7515 Section 4 for more information about the JWE structure.
JWS Payload Example
The following is an example of the JWS payload returned by the ID Token.
Claims in the JWS Payload
iat
Number
The time the token was issued, expressed as a UNIX timestamp. Refer to Section 4.1.6 of RFC 7519.
exp
Number
The expiration time of the token, expressed as a UNIX timestamp. The default validity is 10 minutes from iat. Refer to Section 4.1.6 of RFC 7519.
nonce
String
A unique string to associate the ID Token with the authorization request to prevent replay attacks.
amr
Array
Authentication methods used during Singpass login.
at_hash
String
A hash of the Access Token issued alongside the ID Token.
sub
String
The principal that is the subject of the JWT. It contains a comma-separated list of key=value pairs that uniquely identify the user, which may include multiple alternate identifiers.
Format
The format of the sub is as follows:
s: Identity ID (e.g. NRIC/FIN/Foreign ID)
uuid: User's globally unique identifier (e.g. 0f14a2fc-09c2-4780-95f0-8c28347f2780)
u: System-defined ID (e.g. CP1234)
c: Two-character country code, conforming to ISO 3166-1 Alpha-2 (e.g. SG)
Example:
userInfo
JSON
Contains the user's personal information, such as full name and account type.
Refer to the UserInfo Claim Structure section for more details.
entityInfo
JSON
Includes the user's entity information (e.g., entity type, ID) used during authentication.
Refer to the EntityInfo Claim Structure section for more details.
String
Corppass registered email address.
For transactional and notification purposes only. Not intended for use as a user identifier, authentication, or contact database.
Required scope: business_profile.email
email_verified
Boolean
Indicates if the Corppass registered email has been verified.
Required scope: business_profile.email
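Added example (not part of the Corppass documentation): one way a client could check the nonce, iat and exp claims described above and split sub into its identifiers, after the JWE has been decrypted and the JWS signature verified. The function names, the 60-second clock skew, the rejection of unlisted sub keys and the sample values are assumptions made for illustration.

```python
import time

SUB_KEYS = {"s", "uuid", "u", "c"}  # assumption: only the keys listed above are accepted

# Constructed sample of a decrypted, signature-verified JWS payload (not real data).
SAMPLE_CLAIMS = {
    "iat": 1700000000,
    "exp": 1700000600,  # default validity: 10 minutes from iat
    "nonce": "constructed-nonce-123",
    "sub": "s=S0000000X,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,u=CP1234,c=SG",
}


def parse_sub(sub):
    """Split the comma-separated key=value pairs of `sub` into a dict."""
    if not isinstance(sub, str):
        raise ValueError("sub must be a string")
    fields = {}
    for pair in sub.split(","):
        key, sep, value = (part.strip() for part in pair.partition("="))
        # Reject unknown, repeated or empty components instead of guessing.
        if not sep or key not in SUB_KEYS or key in fields or not value:
            raise ValueError(f"malformed sub component: {pair!r}")
        fields[key] = value
    if "c" in fields and len(fields["c"]) != 2:
        raise ValueError("c must be a two-character country code")
    return fields


def validate_claims(claims, expected_nonce, now=None, skew=60):
    """Check nonce, iat and exp, then return the parsed sub identifiers."""
    now = time.time() if now is None else now
    # An empty stored nonce must never match a token that lacks the claim.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match the authorization request")
    iat, exp = claims.get("iat"), claims.get("exp")
    for value in (iat, exp):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError("iat and exp must be numbers")
    if iat > now + skew:
        raise ValueError("iat is in the future")
    if exp <= now - skew:
        raise ValueError("token has expired")
    return parse_sub(claims.get("sub"))
```

The expected nonce is the value the client generated and stored for this authorization request; these checks complement signature verification and do not replace it.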