Userinfo Endpoint

The Userinfo Endpoint allows Relying Parties (RPs) to retrieve detailed information of the authenticated user — such as entity roles, delegated permissions, and access levels. This endpoint also allows RPs to retrieve information about the entity the authenticated user has chosen to represent during login. These information are not included in the ID Token and must be fetched explicitly after authentication.

This is a protected resource endpoint, accessed using the Access Token returned by the Token endpoint.

Supported Methods

Corppass supports both GET and POST methods for Userinfo Endpoint.

Method
Endpoint

GET

/userinfo

POST

/userinfo

As recommended by OIDC Specification Section 5.3.2, use the GET method and include the Access Token in the Authorization header.

Request

The DPoP proof sent to this endpoint must include the ath claim, which binds it to the DPoP-bound access token.

GET

GET /userinfo Request Example

GET /userinfo HTTP/1.1
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-dpop-proof-jwt>
Field
Required
Description

Authorization

Yes

The Access Token issued by the Token endpoint, passed as a DPoP token in the header.

Example:

Authorization: DPoP <Access-Token>

DPoP

Yes

A proof-of-possession JWT (JWS) signed with the client’s private key. This header is used to bind the access token to a specific HTTP request. Refer to the Demonstrating Proof of Possession section for more details.

POST

An example of a POST /userinfo request

POST /userinfo HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-dpop-proof-jwt>
Field
Required
Description

Content-Type

Yes

Must be set to application/x-www-form-urlencoded; charset=utf-8. Indicates the encoding format of the request body.

Authorization

Yes

The Access Token issued by the /token endpoint, passed as a DPoP token in the header.

Example:

Authorization: DPoP <Access-Token>

DPoP

Yes

A proof-of-possession JWT (JWS) signed with the client’s private key. This header is used to bind the access token to a specific HTTP request. Refer to the Demonstrating Proof of Possession section for more details.

No body is required in the POST request. Corppass ignores any request body and uses the Access Token for context.

Response

The Userinfo Endpoint returns a response in the form of a JWS (JSON Web Signature) — not plain JSON.

Note: The response is a signed JWT (JWS), not a regular JSON object. Relying Parties must decode and verify the signature using Corppass’s JWKS before consuming the payload.

Successful Response Example

{
  "iat": 1624086842,
  "exp": 1624087442,
  "aud": "vOIljWVrGyBMK6f31QYq",
  "iss": "https://id.corppass.gov.sg",
  "sub": "vOIljWVrGyBMK6f31QYq",
  "auth_info": {
    ...
  },
  "tp_auth_info": {
    ...
  },
  "person_info": {
    ...
  },
  "entity_info": {
    ...
  }
}
Claim
Type
Description

aud

String

The client ID of the Relying Party (RP).

iss

String

The issuer of the JWT.

sub

String

The unique user identifier (e.g. client ID) for the authenticated user.

iat

Number

The time the JWT was issued, expressed as a UNIX timestamp.

exp

Number

The expiration time of the JWT. Defaults to 10 minutes from iat.

auth_info

JSON

Authorization information assigned to the user. Refer to the Auth Info Structure section for more details.

tp_auth_info

JSON

Third-party authorization information assigned to the user. Refer to the Third-party Auth Info Structure section for more details.

person_info

JSON

Personal information of the user. Refer to the Person Info Structure section for more details.

entity_info

JSON

Entity information of the entity that the user is representing on behalf. Refer to the Entity Info Structure section for more details.

Error

An example of an error response

{
  "error": "invalid_request",
  "error_description": "Request is missing or malformed."
}
Error Code
HTTP Status
Description

invalid_request

400

Required parameter is missing or malformed.

invalid_token

401

Access token is expired, invalid, or not properly bound.

insufficient_scope

403

Access token is valid, but the client lacks the required scope.

If the request lacks authentication altogether (e.g., no Authorization header or unsupported scheme), the server SHOULD return HTTP 401 without including any error code, description, or body.

This prevents revealing information about authentication requirements to unauthenticated or potentially malicious clients, as recommended by RFC 6750 Section 3.1.

Last updated