Key concepts
This section provides foundational knowledge required to successfully integrate with the Corppass Authorization API. It introduces the core standards, security mechanisms, and token structures that underpin Corppass’s authentication and authorization flows.
Understanding these concepts is critical for implementing secure, standards-compliant interactions between Relying Parties (RPs) and Corppass, and ensures alignment with the OpenID Connect (OIDC) and OAuth 2.0 protocols.
What This Section Covers
Client JWKS – How public keys are published and rotated for signature/encryption validation.
JWS and JWE – Token formats used to sign or encrypt authentication data.
Client Assertion JWT – A secure, private-key-based method for client authentication.
Proof Key for Code Exchange (PKCE) – Mitigates code interception during OAuth flows.
Demonstrating Proof of Possession (DPoP) – Ensures tokens are bound to a client-held key and can't be replayed.
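The PKCE item above, worked through as an added Go example written for this page (illustrative code, not Corppass's own code or SDK): the RP side generates the code_verifier and its S256 challenge and places the challenge in the authorization request, and the authorization-server side shows the check at the token endpoint that makes an intercepted authorization code useless without the verifier. The client_id, redirect URI, state and nonce values are placeholders, and the scope and parameter set are the generic OIDC ones, not anything Corppass-specific.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
)

// RFC 7636 code_verifier: 43 to 128 unreserved characters.
var verifierPattern = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// GenerateCodeVerifier returns a fresh code_verifier: 32 bytes of CSPRNG output,
// base64url-encoded without padding (43 characters). The RP keeps it secret until
// the token request; only the derived challenge leaves the RP.
func GenerateCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationQuery builds the query string of the authorization request that carries
// the challenge. Only S256 is offered; the "plain" method is deliberately unsupported.
// All identifiers passed in are placeholders chosen by the caller.
func AuthorizationQuery(clientID, redirectURI, state, nonce, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid")
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return q.Encode()
}

// VerifyPKCE is the authorization server's check at the token endpoint: the verifier
// presented with the code must be well-formed and hash to the challenge stored with
// that code. Constant-time comparison avoids leaking where the strings differ.
func VerifyPKCE(verifier, storedChallenge string) bool {
	if !verifierPattern.MatchString(verifier) {
		return false
	}
	expected := CodeChallengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) == 1
}

func main() {
	verifier, err := GenerateCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	// Placeholder client_id, redirect URI, state and nonce.
	fmt.Println("authorize?" + AuthorizationQuery("example-client-id",
		"https://rp.example/callback", "state-placeholder", "nonce-placeholder", challenge))
	fmt.Println("token endpoint accepts verifier:", VerifyPKCE(verifier, challenge))
}
```

The verifier never leaves the RP until the token request, so an attacker who only observes the authorization code cannot redeem it; the server-side check also rejects malformed verifiers before hashing, so an unchecked input cannot reach the comparison.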
Standards and Specifications Reference
For developers interested in the underlying standards Corppass adheres to:
Defines the core protocol for identity authentication built on top of OAuth 2.0. Covers ID tokens, user authentication flows, and UserInfo endpoints.
High-level overview of OpenID Connect and its role in identity federation and SSO. Ideal starting point for newcomers.
Defines the structure of JWTs — compact, URL-safe tokens used for conveying claims securely between parties.
Describes how to digitally sign content (like JWTs) to ensure integrity and authenticity. Used in ID/access tokens.
Describes how to encrypt content (like ID tokens) to protect confidentiality. Used when issuing encrypted ID tokens.
An extension to OAuth 2.0 that adds security to public clients by mitigating code interception attacks.
Specifies how clients can use signed JWTs to authenticate to the token endpoint — used in Client Assertion JWT.
Defines a proof-of-possession mechanism for OAuth 2.0 to bind access tokens to a public key. Used to prevent token replay and enforce sender-constrained access. RPs must generate and sign a DPoP proof JWT with every protected API request.
Specifies a high-security profile for OpenID and OAuth APIs. Includes requirements for DPoP, JWS-request objects, client authentication, and error handling best practices.
Defines how JSON structures are validated — used to describe token claims, payloads, or configuration metadata.
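As an added Go example written for this page (not Corppass's own code or SDK), the following builds and verifies the two signed JWTs described above: the Client Assertion JWT used for private-key client authentication at the token endpoint, and the DPoP proof JWT that must accompany every protected API request. Both are ES256 JWS, and the public key is rendered as a JWK of the kind an RP publishes in its client JWKS. Every concrete value here (client_id, endpoint URLs, kid, access token, the 2-minute assertion lifetime) is a placeholder or an assumption; the exact claims Corppass requires come from its API documentation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newJTI returns a random unique identifier so the server can detect replayed JWTs.
func newJTI() string {
	buf := make([]byte, 16)
	rand.Read(buf) // crypto/rand.Read never fails on supported Go versions
	return b64(buf)
}

// publicJWK renders the public half of a P-256 key as a JWK (client JWKS / DPoP header form).
func publicJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64(x), "y": b64(y)}
}

// signJWT builds a compact ES256 JWS (RFC 7515); JOSE wants the signature as R||S, not DER.
func signJWT(priv *ecdsa.PrivateKey, header, claims map[string]any) (string, error) {
	h, errH := json.Marshal(header)
	c, errC := json.Marshal(claims)
	if errH != nil || errC != nil {
		return "", fmt.Errorf("marshal: %v %v", errH, errC)
	}
	input := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // 64-byte R||S
	return input + "." + b64(sig), nil
}

// VerifyJWT checks a compact ES256 JWS against pub: signature first, then alg is pinned.
func VerifyJWT(pub *ecdsa.PublicKey, token string) (map[string]any, map[string]any, error) {
	parts := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || len(sig) != 64 {
		return nil, nil, fmt.Errorf("malformed JWS")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, nil, fmt.Errorf("signature invalid")
	}
	var segs [2]map[string]any // header, claims: decoded only after the signature holds
	for i := range segs {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err == nil {
			err = json.Unmarshal(raw, &segs[i])
		}
		if err != nil {
			return nil, nil, err
		}
	}
	if segs[0]["alg"] != "ES256" { // never let the token choose the algorithm
		return nil, nil, fmt.Errorf("unexpected alg")
	}
	return segs[0], segs[1], nil
}

// NewClientAssertion builds the private_key_jwt assertion (RFC 7523): iss/sub = client_id,
// aud = token endpoint, unique jti, short lifetime (2 minutes is an assumption).
func NewClientAssertion(priv *ecdsa.PrivateKey, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	header := map[string]any{"alg": "ES256", "typ": "JWT", "kid": kid}
	claims := map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": newJTI(), "iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix()}
	return signJWT(priv, header, claims)
}

// NewDPoPProof builds a per-request DPoP proof (RFC 9449): typ "dpop+jwt", public key in the
// header, htm/htu bound to the request, ath = SHA-256 of the access token binding it to the token.
func NewDPoPProof(priv *ecdsa.PrivateKey, method, url, accessToken string, now time.Time) (string, error) {
	header := map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)}
	ath := sha256.Sum256([]byte(accessToken))
	claims := map[string]any{"jti": newJTI(), "htm": method, "htu": url, "iat": now.Unix(), "ath": b64(ath[:])}
	return signJWT(priv, header, claims)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key; URL and token are placeholders
	proof, _ := NewDPoPProof(priv, "GET", "https://api.example/protected", "access-token-placeholder", time.Now())
	fmt.Println(proof)
}
```

On the receiving side the signature is checked before any claim is read and the alg is pinned rather than taken from the token. For a DPoP proof the resource server would additionally match htm and htu against the actual request, compare ath with the access token presented, require a recent iat and reject a jti it has already seen; for the client assertion the token endpoint checks aud against its own URL and enforces the short exp.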