Userinfo Endpoint
The Userinfo Endpoint allows Relying Parties (RPs) to retrieve detailed information of the authenticated user or entity that the user is representing. These information are not included in the ID Token and must be fetched explicitly after authentication.
Currently, it only supports retrieval of the user's authorization data (akin to V1's Authorization Info Endpoint).
This is a protected resource endpoint, so an Access Token (obtained from the Token Endpoint) is required.
Supported Methods
Corppass supports both GET and POST methods for Userinfo Endpoint.
GET
/userinfo
POST
/userinfo
Request
GET
GET /userinfo Request Example
GET /userinfo Request ExampleGET /userinfo HTTP/1.1
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-dpop-proof-jwt>Request Headers
Authorization
Yes
The Access Token issued by the Token endpoint, passed as a DPoP token in the header.
Example:
Authorization: DPoP <Access-Token>
DPoP
Yes
A signed proof-of-possession JWT that is binded to access token used for this request.
Refer to the Demonstrating Proof of Possession section for more details.
The DPoP proof sent to this endpoint must include the ath claim, which binds it to the DPoP-bound access token.
POST
An example of a POST /userinfo request
POST /userinfo requestPOST /userinfo HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-dpop-proof-jwt>Request Headers
Content-Type
Yes
Must be set to application/x-www-form-urlencoded; charset=utf-8. Indicates the encoding format of the request body.
Authorization
Yes
The Access Token issued by the /token endpoint, passed as a DPoP token in the header.
Example:
Authorization: DPoP <Access-Token>
DPoP
Yes
A signed proof-of-possession JWT that is binded to access token used for this request.
Refer to the Demonstrating Proof of Possession section for more details.
Response
The Userinfo Endpoint returns a response in the form of a JWS (JSON Web Signature) — not plain JSON.
Successful Response Example
An example of how the payload looks for the returned JWS -
{
"iat": 1624086842,
"exp": 1624087442,
"aud": "vOIljWVrGyBMK6f31QYq",
"iss": "https://id.corppass.gov.sg",
"sub": "vOIljWVrGyBMK6f31QYq",
"auth_info": {
... // truncated for brevity, see below sections for more details
},
"tp_auth_info": {
... // truncated for brevity, see below sections for more details
},
}
Response Structure
This is the structure of the payload in the returned JWS -
aud
String
The client ID of the Relying Party (RP).
Y
iss
String
The issuer of the JWT.
Y
sub
String
The unique user identifier (e.g. client ID) for the authenticated user.
Y
iat
Number
The time the JWT was issued, expressed as a UNIX timestamp.
Y
exp
Number
The expiration time of the JWT. Defaults to 10 minutes from iat.
Y
auth_info
JSON
Authorization information assigned to the user. Refer to the Auth Info Structure section for more details.
Only provided if the authinfo scope is present in the access token.
N
tp_auth_info
JSON
Third-party authorization information assigned to the user. Refer to the Third-party Auth Info Structure section for more details.
Only provided if the tpauthinfo scope is present in the access token.
N
Error
An example of an error response
{
"error": "invalid_request",
"error_description": "Request is missing or malformed."
}invalid_request
400
Required parameter is missing or malformed.
invalid_token
401
Access token is expired, invalid, or not properly bound.
insufficient_scope
403
Access token is valid, but the client lacks the required scope.
If the request lacks authentication altogether (e.g., no Authorization header or unsupported scheme), Corppass will return HTTP 401 without including any error code, description, or body.
This prevents revealing information about authentication requirements to unauthenticated or potentially malicious clients, as recommended by RFC 6750 Section 3.1.
Last updated