Token Endpoint

POST /mga/sps/oauth/oauth20/token

The Token Endpoint is used by the client to exchange an authorization code for tokens after the user successfully authenticates. This is a backchannel request made directly between the client and Corppass.

The tokens returned by Corppass are:

  • ID Token: A signed and encrypted JWE that includes user information in the sub claim and is signed by Corppass. Relying Parties (RPs) can verify the JWT's signature using the public keys available at the Corppass JWKS endpoint.

  • Access Token: A signed JWS intended for the Corppass resource server(s).

Supported Grant Types

Grant types define the method by which a client obtains tokens from the authorization server. For the OpenID Connect (OIDC) authentication flow, Corppass supports the following grant types:

Grant Type | Description
authorization_code | Used to securely exchange an authorization code for an ID token and access token. Requires prior user authentication and is suitable for confidential clients. Refer to Section 3.1 of the OIDC Core Specification for more details on this grant.

Request

Request Example

POST /mga/sps/oauth/oauth20/token
Content-Type: application/x-www-form-urlencoded
DPoP: <signed-DPoP-JWT>

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&client_id=51YUlwazLASM7aqMiBNW
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=eyJ...
&code_verifier=hJ1GZ4ekBQ-NNlc4t62KsLqWhM6p1ZpwRc1cwFtoLp

Request Headers

Field | Required | Description
Content-Type | Yes | Must be set to application/x-www-form-urlencoded for POST requests. Indicates the encoding format of the request body.
DPoP | Yes | The JWK Thumbprint of your proof-of-possession public key, for binding the access token. The JWK thumbprint should be computed using the SHA256 hash algorithm and encoded using base64url. Must be created using the same key as the DPoP proof presented in the Pushed Authorization Request. Refer to the Demonstrating Proof of Possession section for more details.

Request Body

Field | Required | Description
redirect_uri | Yes | The URL that Corppass will eventually redirect the user to after the user completes Singpass authentication. The value will be validated against the list of redirect URLs that were pre-registered with Corppass during onboarding.
grant_type | Yes | The type of grant being requested. This must be set to authorization_code.
code | Yes | The authorization code issued during the /mga/sps/oauth/oauth20/authorize call. Note: The authorization code must be exchanged within 60 seconds of issuance. Expired codes will result in an error.
client_id | Yes | The client identifier assigned to the Relying Party during onboarding with Corppass.
client_assertion_type | Yes | Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer, as mandated by OIDC specifications.
client_assertion | Yes | A JWT identifying the client. Refer to the Client Assertion JWT section for more details.
code_verifier | Yes | The code verifier generated by the client when constructing the authorization request. This must be the same value used to generate the code_challenge in the authorization request. The authorization server uses this value to recompute the code_challenge and validate it against the original value sent in the authorization request. Refer to Proof Key for Code Exchange for more details.

Success Response

Response Example

{
    "access_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJleHAiOjE2MjQwODQ4MjMsImlhdCI6MTYyNDA4NDIyMywiaXNzIjoiaHR0cHM6Ly9jb3JwcGFzc3JwMDMiLCJhdWQiOiJ2T0lsaldWckd5Qk1LNmYzMVFZcSIsInNjb3BlIjpbImF1dGhpbmZvIiwidHBhdXRoaW5mbyJdfQ.jzzTSQw5w3B_88KgqzThrP237wYWkuuzBdRpHnT4iNoqWAjV8KsXDqwBgOnECsFBeshJXahMDswyqw6xlgTO9g",
    "scope": "openid",
    "id_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJlbnRpdHlJbmZvIjp7IkNQRW50SUQiOiJWQlIwMDAwMDQiLCJDUEVudF9UWVBFIjoiVUVOIiwiQ1BFbnRfU3RhdHVzIjoiUmVnaXN0ZXJlZCIsIkNQTm9uVUVOX0NvdW50cnkiOiIiLCJDUE5vblVFTl9SZWdObyI6IiIsIkNQTm9uVUVOX05hbWUiOiIifSwiYW1yIjpbInB3ZCJdLCJpYXQiOjE2MjQwODQyMjIsImlzcyI6Imh0dHBzOi8vY29ycHBhc3NycDAzIiwic3ViIjoicz1udWxsLHU9YW1pdGVzaCxjPW51bGwiLCJhdF9oYXNoIjoiMncxWjlBNW9qZExic2hSLUIwbFV4QSIsImV4cCI6MTYyNDA4NzgyMiwiYXVkIjoidk9JbGpXVnJHeUJNSzZmMzFRWXEifQ.lwTieBCXxOHMtKFkpLZDarzGe5QsZiFnZoWxVoSPLEzPhTABMgStGknzlf9m1hZiw6rCP_4InngFNLeh8DeztA",
    "token_type": "DPoP",
    "expires_in": 599
}

Response Structure

Field | Type | Description
access_token | JWS | The access token containing standard claims in JWS format, signed by Corppass. The token is only valid for 10 minutes from time of issuance. Refer to the Access Token section for more details.
scope | String | The scopes granted for the issued tokens. This field may include openid along with other scopes requested during authorization.
id_token | JWE | The ID token containing relevant claims in JWT format, signed by Corppass. Refer to the ID Token Structure section for more details.
token_type | String | The type of token issued. Currently, only DPoP is supported.
expires_in | Numeric | The lifetime of the access token in seconds.
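As an added example (not Corppass's own code), here is how a Relying Party could assemble the token request described above and sanity-check the response before using the tokens. It uses only the Python standard library, treats the client_assertion and DPoP proof JWTs as already built elsewhere (assumed inputs), and the thumbprint helper follows RFC 7638, which matches the SHA256 + base64url rule stated for the DPoP header.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode

TOKEN_PATH = "/mga/sps/oauth/oauth20/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """base64url without padding, as used for PKCE challenges and JWK thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge: the value the token endpoint recomputes from code_verifier."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def jwk_thumbprint(public_jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted keys, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[public_jwk["kty"]]
    canonical = json.dumps({k: public_jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def build_token_request(code, code_verifier, client_id, redirect_uri, client_assertion, dpop_proof):
    """Headers and form body for the authorization_code exchange; all seven body fields are required."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": client_assertion,  # private_key_jwt built by the RP (assumed input)
        "code_verifier": code_verifier,        # must match the code_challenge sent at /authorize
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded", "DPoP": dpop_proof}
    return headers, urlencode(body)


def check_token_response(resp: dict, received_at: int) -> dict:
    """Reject error bodies and non-DPoP tokens; turn expires_in into an absolute deadline."""
    if "error" in resp:
        raise ValueError(f"{resp['error']}: {resp.get('error_description', '')}")
    if resp.get("token_type") != "DPoP":
        raise ValueError("token_type must be DPoP; refusing to treat the token as a bearer token")
    return {
        "access_token": resp["access_token"],
        "id_token": resp["id_token"],
        "expires_at": received_at + int(resp["expires_in"]),
    }
```

The access token returned is sender-constrained, so the RP must present a fresh DPoP proof with it on every resource request; the JWE id_token still needs decryption and signature verification against the Corppass JWKS before its claims are trusted.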

Error Response

Response Example

{
  "error": "invalid_request",
  "error_description": "Request is missing or malformed."
}

Response Structure

Field | Type | Description
error | String | The error code identifying the type of error. The possible values are detailed below.
error_description | String | Human-readable description of the error.

Error Code

Error Code | HTTP Status | Description
invalid_request | 400 / 401 | The request is missing a required parameter, includes an unsupported or duplicated parameter, or is malformed.
invalid_client | 400 / 401 | Client authentication failed due to a missing, invalid, expired, or improperly formatted client credential or assertion.
invalid_grant | 400 / 401 | The provided authorization code is invalid, expired, revoked, or does not match the authenticated client.
invalid_dpop_proof | 401 | The DPoP proof is invalid, expired, malformed, or failed verification.
unsupported_grant_type | 400 | The grant type is not supported.
server_error | 500 | The authorization server encountered an unexpected internal error while processing the request. The error can potentially be due to the RP's JWK endpoint being unreachable or returning a malformed JWK.
temporarily_unavailable | 503 | The server is temporarily unable to handle the request due to maintenance or high load.
