Authorization Code with Proof Key of Code Exchange (PKCE) Flow

PreviousAuthorization Endpoint NextPushed Authorization Request (PAR) Flow

Last updated 1 month ago

Authorization Code with Proof Key of Code Exchange (PKCE) Flow

GET /mga/sps/oauth/oauth20/authorize

This endpoint is used to initiate the OpenID Connect (OIDC) authentication flow and obtain an authorization code, known as the Authorization Code flow. The authorization code can later be exchanged with Corppass at the token endpoint to retrieve an ID token and an access token.

After the user successfully authenticates with Singpass, the authorization code is returned to the user agent as part of a 302 Redirect response to the Relying Party's specified redirect_uri.

Request

Query Parameter

Required

Description

scope

Yes

Must contain at least the openid scope. For a comprehensive list of valid scopes, refer to the section. Unrecognised or unauthorised scopes will result in an error.

response_type

Yes

Specifies the response processing flow. Currently, Corppass only supports code as a valid value.

client_id

Yes

The client identifier assigned to the Relying Party during onboarding with Corppass.

redirect_uri

Yes

The callback URL for receiving the authorization response. Must exactly match one of the RPs' registered callback URLs registered.

state

Yes

A client-provided value used to maintain state between the request and the callback. Helps to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks.

nonce

Yes

A unique value provided by the RP that is returned in the ID Token. Used to prevent replay attacks and must be validated by the RP.

esrvcID

Applicable only to specific RPs authorized by Corppass.

code_challenge

Yes

The hashed value generated from the code verifier. Refer to for more details about the concept.

code_challenge_method

Yes

The code verifier transformation method. Currently, Corppass only supports S256 as a valid value.

Response

Query Parameter

Description

code

The authorization code returned by the authorization server in the callback URL. This one-time code must be used by the Relying Party to invoke the token endpoint and retrieve the user's ID token and access token. .

state

The state parameter returned as-is to help the client maintain state between the request and the callback.

It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. .

PreviousAuthorization Endpoint NextPushed Authorization Request (PAR) Flow

Last updated 1 month ago

GET /mga/sps/oauth/oauth20/authorize

After the user successfully authenticates with Singpass, the authorization code is returned to the user agent as part of a 302 Redirect response to the Relying Party's specified redirect_uri.

Request

Query Parameter

Required

Description

scope

Yes

Must contain at least the openid scope. For a comprehensive list of valid scopes, refer to the section. Unrecognised or unauthorised scopes will result in an error.

response_type

Yes

Specifies the response processing flow. Currently, Corppass only supports code as a valid value.

client_id

Yes

The client identifier assigned to the Relying Party during onboarding with Corppass.

redirect_uri

Yes

The callback URL for receiving the authorization response. Must exactly match one of the RPs' registered callback URLs registered.

state

Yes

A client-provided value used to maintain state between the request and the callback. Helps to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks.

nonce

Yes

A unique value provided by the RP that is returned in the ID Token. Used to prevent replay attacks and must be validated by the RP.

esrvcID

Applicable only to specific RPs authorized by Corppass.

code_challenge

Yes

The hashed value generated from the code verifier. Refer to for more details about the concept.

code_challenge_method

Yes

The code verifier transformation method. Currently, Corppass only supports S256 as a valid value.

Response

Query Parameter

Description

code

state

The state parameter returned as-is to help the client maintain state between the request and the callback.

It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. .