What's New

This section summarises the key changes introduced in Corppass Authorization API V2 relative to V1.

Enhanced Security

Pushed Authorization Request (PAR) Flow

  • All RPs must implement the PAR flow for enhanced security.

  • The authorization request is initiated via the backchannel /request endpoint (PAR).

  • Refer to Authorization Endpoint for more details.

Proof Key for Code Exchange (PKCE)

  • PKCE is mandatory for all RPs performing the PAR flow for enhanced security. This provides additional protection against authorization code interception.

  • Refer to Proof Key for Code Exchange for more details.

Demonstrating Proof of Possession (DPoP)

  • A DPoP Proof JWT must be included for:

    • PAR requests

    • Token requests

    • Subsequent calls to protected resource endpoints (e.g., Userinfo Endpoint)

  • Refer to Demonstrating Proof of Possession (DPoP) for more details.

Stricter TTL Requirements

  • The maximum client assertion lifespan is reduced from 10 mins to 2 mins. Refer to Client Assertion JWT for more details.

  • Authorization code expiry is reduced from 10 mins to 1 min. Refer to Token Endpoint for more details.

Authentication Context Parameters

  • New finer-grained scopes are introduced to provide more control over requested authorization:

    • Authorization scopes

      • authinfo

      • tpauthinfo

    • Entity scopes

      • entity.identity

      • entity.basic_profile.entity_name

      • entity.basic_profile.uen_status

    • User scopes

      • user.identity

      • user.name

      • user.corppass.email

  • The consent screen now reflects these scopes during authorization, where applicable.

  • Refer to Scopes for more details.

ID Token and Userinfo Changes

Changes to ID Token Structure

  • The sub claim value now carries the entity's UEN, or the Corppass-issued entity identifier for non-UEN entities

  • New claims introduced

    • sub_type

    • sub_attributes - primary subject (entity) information

    • act - actor subject (user) information

  • Deprecated claims

    • entityInfo -> replaced by sub_attributes

    • userInfo -> replaced by act.sub_attributes

    • email -> replaced by act.sub_attributes.corppass_email

    • email_verified -> replaced by act.sub_attributes.corppass_email_verified

  • Refer to ID Token for more details.
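An RP-side adapter for the V2 claim layout described above, added here as an example (it is not Corppass's own code or that of any SDK): it fails closed when a token still carries the deprecated V1 claims and reads entity and user data from the new sub_attributes and act claims. The sample payloads, the sub_type value, the act.sub field and the attribute names inside sub_attributes are constructed assumptions, not values taken from this page.

```python
from typing import Any

# Claims the V1 ID token carried that V2 removes (per this page's deprecation list).
DEPRECATED_V1_CLAIMS = {"entityInfo", "userInfo", "email", "email_verified"}
REQUIRED_V2_CLAIMS = ("sub", "sub_type", "sub_attributes", "act")


def extract_v2_subjects(claims: dict[str, Any]) -> dict[str, Any]:
    """Map a decoded V2 ID token payload to the RP's entity/user model.

    Assumes signature, iss, aud, exp and nonce were already verified upstream;
    this function deals only with the V2 claim layout.
    """
    # Fail closed if a V1-shaped token shows up: keeping V1 code paths alive
    # during migration is how RPs end up reading stale claims.
    stale = DEPRECATED_V1_CLAIMS & claims.keys()
    if stale:
        raise ValueError(f"deprecated V1 claims present: {sorted(stale)}")
    missing = [c for c in REQUIRED_V2_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing required V2 claims: {missing}")

    act = claims["act"]                      # actor subject = the logged-in user
    act_attrs = act.get("sub_attributes", {})
    return {
        "entity_id": claims["sub"],          # UEN, or Corppass-issued id for non-UEN entities
        "entity_type": claims["sub_type"],
        "entity": dict(claims["sub_attributes"]),
        "user_id": act.get("sub"),           # assumption: act carries its own sub, as in RFC 8693
        "corppass_email": act_attrs.get("corppass_email"),
        "corppass_email_verified": bool(act_attrs.get("corppass_email_verified", False)),
    }


# Constructed sample payloads (not real Corppass tokens); nested field names/values are assumptions.
V2_SAMPLE = {
    "sub": "T00EXAMPLE1X",
    "sub_type": "UEN",
    "sub_attributes": {"entity_name": "Example Pte Ltd", "uen_status": "Registered"},
    "act": {
        "sub": "UID-EXAMPLE-001",
        "sub_attributes": {"name": "Jane Tan", "corppass_email": "jane@example.test",
                           "corppass_email_verified": True},
    },
}
V1_SAMPLE = {
    "sub": "T00EXAMPLE1X",
    "entityInfo": {},
    "userInfo": {},
    "email": "jane@example.test",
    "email_verified": True,
}
```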

Userinfo Endpoint

  • The Authorization Info Endpoint (/authorization-info) is replaced by the Userinfo Endpoint (/userinfo).

  • The userinfo_endpoint URL is provided in the Corppass OpenID Discovery document.

  • Minor adjustments to the response payload structure:

    • AuthInfo claim -> auth_info

    • TPAuthInfo claim -> tp_auth_info

  • Refer to Userinfo Endpoint for more details.

Other Changes

Error Handling
