Pushed Authorization Request (PAR) Flow
GET /mga/sps/oauth/oauth20/authorize This endpoint is used to initiate the OpenID Connect (OIDC) authentication flow and obtain an authorization code. When using Pushed Authorization Requests (PAR) flow, the authorization request parameters are first sent securely via the PAR endpoint, and a request_uri is obtained. Instead of sending the full set of parameters in the authorization request, the RP includes the request_uri, which references the pre-registered request.
The authorization code can later be exchanged with Corppass at the token endpoint to retrieve an ID token and an access token. After the user successfully authenticates with Singpass, the authorization code is returned to the user agent as part of a 302 redirect response to the Relying Party's specified redirect_uri.
Request
client_id
Yes
The client identifier assigned to the Relying Party during onboarding with Corppass.
request_uri
Yes
A reference to the pre-registered authorization request. This reference is issued during /request call.
Response
code
The authorization code returned by the authorization server in the callback URL. This one-time code must be used by the Relying Party to invoke the token endpoint and retrieve the user's ID token and access token. Learn more.
The authorization code issued by the authorization server has a validity period of 10 minutes. The client must exchange it for an ID token and access token within this timeframe; otherwise, it will expire and cannot be used.
state
The state parameter returned as-is to help the client maintain state between the request and the callback. It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. Learn more.
Last updated