
Authorization Code with Proof Key of Code Exchange (PKCE) Flow


Last updated 3 months ago

GET /mga/sps/oauth/oauth20/authorize

This endpoint is used to initiate the OpenID Connect (OIDC) authentication flow and obtain an authorization code, known as the Authorization Code flow. The authorization code can later be exchanged with Corppass at the token endpoint to retrieve an ID token and an access token.

After the user successfully authenticates with Singpass, the authorization code is returned to the user agent as part of a 302 Redirect response to the Relying Party's specified redirect_uri.

Request

| Query Parameter | Required | Description |
| --- | --- | --- |
| scope | Yes | Must contain at least the openid scope. For a comprehensive list of valid scopes, refer to the Scopes Overview section. Unrecognised or unauthorised scopes will result in an error. |
| response_type | Yes | Specifies the response processing flow. Currently, Corppass only supports code as a valid value. |
| client_id | Yes | The client identifier assigned to the Relying Party during onboarding with Corppass. |
| redirect_uri | Yes | The callback URL for receiving the authorization response. Must exactly match one of the RP's registered callback URLs. |
| state | Yes | A client-provided value used to maintain state between the request and the callback. Helps to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. |
| nonce | Yes | A unique value provided by the RP that is returned in the ID Token. Used to prevent replay attacks and must be validated by the RP. |
| esrvcID | No | Applicable only to specific RPs authorized by Corppass. |
| code_challenge | Yes | The hashed value generated from the code verifier. Refer to Proof Key of Code Exchange for more details about the concept. |
| code_challenge_method | Yes | The code verifier transformation method. Currently, Corppass only supports S256 as a valid value. |

Response

| Query Parameter | Description |
| --- | --- |
| code | The authorization code returned by the authorization server in the callback URL. This one-time code must be used by the Relying Party to invoke the token endpoint and retrieve the user's ID token and access token. |
| state | The state parameter returned as-is to help the client maintain state between the request and the callback. It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. |

Note: The state query parameter will be deprecated in the next major version of the API. Please plan to update your applications to remove reliance on this field. We strongly recommend reviewing the updated API documentation as soon as possible to avoid any disruptions.

The authorization code issued by the authorization server has a validity period of 10 minutes. The client must exchange it for an ID token and access token within this timeframe; otherwise, it will expire and cannot be used.
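The request-and-callback sequence described above, as an added Python example (not code from Corppass or from this page): it derives code_challenge from a freshly generated code_verifier using S256, assembles the /authorize query with state and nonce, and validates the 302 callback before the code is exchanged at the token endpoint. The host in AUTHORIZE_URL, CLIENT_ID and REDIRECT_URI are placeholders; real values come from the Staging and Production URLs section and from onboarding. The 10-minute bound is measured from the start of the request, which is stricter than the page's issuance-based validity but is the only clock the RP has.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (constructed for this example; take the real host from
# the Staging and Production URLs section and the client_id from onboarding).
AUTHORIZE_URL = "https://corppass.example/mga/sps/oauth/oauth20/authorize"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://rp.example.com/callback"
CODE_TTL_SECONDS = 600  # authorization code validity stated on this page


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transformation: BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url(digest)


def build_authorize_request(scope: str = "openid") -> dict:
    """Create the /authorize request and the per-session secrets the RP must keep."""
    # 32 random bytes -> 43 URL-safe characters, inside RFC 7636's 43..128 range.
    code_verifier = b64url(secrets.token_bytes(32))
    state = b64url(secrets.token_bytes(16))  # CSRF binding, checked on callback
    nonce = b64url(secrets.token_bytes(16))  # replay binding, checked in the ID token
    params = {
        "scope": scope,
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    session = {
        "state": state,
        "nonce": nonce,
        "code_verifier": code_verifier,  # never sent to /authorize, only to /token
        "started_at": time.time(),
    }
    return {"url": AUTHORIZE_URL + "?" + urlencode(params), "params": params, "session": session}


def handle_callback(callback_url: str, session: dict) -> str:
    """Validate the 302 callback and return the one-time authorization code."""
    parsed = urlparse(callback_url)
    qs = parse_qs(parsed.query)
    if parsed.scheme + "://" + parsed.netloc + parsed.path != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    # Constant-time comparison; a mismatch means this session did not start the request.
    if not secrets.compare_digest(state.encode("utf-8"), session["state"].encode("utf-8")):
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    # The code is valid for 10 minutes from issuance; request start is a conservative proxy.
    if time.time() - session["started_at"] > CODE_TTL_SECONDS:
        raise ValueError("authorization code has likely expired; restart the flow")
    return code


if __name__ == "__main__":
    req = build_authorize_request()
    print("Redirect the user to:", req["url"])
    # Simulated callback (constructed): Corppass would redirect here with code and state.
    callback = f"{REDIRECT_URI}?code=EXAMPLE_CODE&state={req['session']['state']}"
    print("Authorization code:", handle_callback(callback, req["session"]))
```

The session dictionary is what the RP must persist server-side between the redirect and the callback: state is compared here, code_verifier is sent to the token endpoint together with the code, and nonce is compared against the nonce claim in the returned ID token.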
