Corppass
  • INTRODUCTION
    • About Corppass
    • Corppass Design Guidelines
      • Brand Guidelines
      • Button Guidelines
  • Technical Specifications
    • Corppass Authorization API
      • Key concepts
        • Client JWKS
        • JWS and JWE
        • Client Assertion JWT
        • Proof Key of Code Exchange (PKCE)
      • Staging and Production URLs
      • Well-known Endpoints
        • OpenID Discovery Endpoint
        • JWKS Endpoint
      • Scopes
      • Authorization Endpoint
        • Authorization Code with Proof Key of Code Exchange (PKCE) Flow
        • Pushed Authorization Request (PAR) Flow
      • Token Endpoint
        • ID Token Structure
          • UserInfo Claim Structure
          • EntityInfo Claim Structure
        • Access Token Structure
      • Authorization Info Endpoint
        • AuthInfo Structure
        • TPAuthInfo Structure
      • Pushed Authorization Request (PAR) Endpoint
  • Corppass Developer Portal (CDP)
    • User Guide
      • Getting Started
      • Login to CDP
      • Available Digital Service Settings
        • FAQs
      • Toggle Between Staging and Production Environments
      • Portal Features
        • Updating the Digital Service and Managing Metadata
      • User Roles and Permissions
      • Frequently Asked Questions (FAQ)
        • Login Issues
        • Access and Permissions
        • How is CDP Different from Corppass Agency Admin (AA) Portal?
        • Other Common Issues
  • MORE INFORMATION
    • Is Corppass working?
    • Contact Us
Powered by GitBook
On this page
  1. Technical Specifications
  2. Corppass Authorization API
  3. Authorization Endpoint

Pushed Authorization Request (PAR) Flow

PreviousAuthorization Code with Proof Key of Code Exchange (PKCE) FlowNextToken Endpoint

Last updated 4 months ago

GET /mga/sps/oauth/oauth20/authorize 

This endpoint is used to initiate the OpenID Connect (OIDC) authentication flow and obtain an authorization code. When using Pushed Authorization Requests (PAR) flow, the authorization request parameters are first sent securely via the PAR endpoint, and a request_uri is obtained. Instead of sending the full set of parameters in the authorization request, the RP includes the request_uri, which references the pre-registered request.

The authorization code can later be exchanged with Corppass at the token endpoint to retrieve an ID token and an access token. After the user successfully authenticates with Singpass, the authorization code is returned to the user agent as part of a 302 redirect response to the Relying Party's specified redirect_uri.

Request

Query Parameter
Required
Description

client_id

Yes

The client identifier assigned to the Relying Party during onboarding with Corppass.

request_uri

Yes

A reference to the pre-registered authorization request. This reference is issued during /request call.

Response

Query Parameter
Description

code

The authorization code returned by the authorization server in the callback URL. This one-time code must be used by the Relying Party to invoke the token endpoint and retrieve the user's ID token and access token. .

state

The state parameter returned as-is to help the client maintain state between the request and the callback. It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. .

The authorization code issued by the authorization server has a validity period of 10 minutes. The client must exchange it for an ID token and access token within this timeframe; otherwise, it will expire and cannot be used.

Learn more
Learn more