Pushed Authorization Request (PAR) Flow

GET /mga/sps/oauth/oauth20/authorize 

This endpoint initiates the OpenID Connect (OIDC) authentication flow and returns an authorization code. In the Pushed Authorization Request (PAR) flow, the Relying Party (RP) first sends the authorization request parameters securely to the PAR endpoint and obtains a request_uri. The authorization request then carries only the request_uri, which references the pre-registered request, instead of the full set of parameters.

After the user successfully authenticates with Singpass, the authorization code is returned to the user agent as part of a 302 redirect response to the Relying Party's specified redirect_uri. The authorization code can later be exchanged with Corppass at the token endpoint to retrieve an ID token and an access token.

Request

| Query Parameter | Required | Description |
| --- | --- | --- |
| client_id | Yes | The client identifier assigned to the Relying Party during onboarding with Corppass. |
| request_uri | Yes | A reference to the pre-registered authorization request. This reference is issued during the /request call. |

Response

| Query Parameter | Description |
| --- | --- |
| code | The authorization code returned by the authorization server in the callback URL. This one-time code must be used by the Relying Party to invoke the token endpoint and retrieve the user's ID token and access token. The authorization code issued by the authorization server has a validity period of 10 minutes. The client must exchange it for an ID token and access token within this timeframe; otherwise, it will expire and cannot be used. |
| state | The state parameter returned as-is to help the client maintain state between the request and the callback. It is typically employed to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. |
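One way a Relying Party could build the front-channel request and validate the callback, as an added example that is not Corppass code. The host name, client_id, request_uri and callback URL are constructed placeholders, and it assumes the state value was included in the pushed request.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder host (assumption); the path is the one documented on this page.
AUTHORIZE_URL = "https://authserver.example/mga/sps/oauth/oauth20/authorize"
CODE_TTL_SECONDS = 10 * 60  # authorization code validity stated on this page


def new_state():
    """Unguessable state to send in the pushed request and keep in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, request_uri):
    """Only client_id and request_uri travel in the front-channel request."""
    return AUTHORIZE_URL + "?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})


def parse_callback(callback_url, expected_state, now=None):
    """Return (code, exchange_deadline); raise ValueError on an unacceptable callback."""
    now = time.time() if now is None else now
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    codes, states = params.get("code", []), params.get("state", [])
    # Exactly one value each: duplicated parameters are ambiguous and rejected.
    if len(codes) != 1 or len(states) != 1 or not codes[0]:
        raise ValueError("callback must carry exactly one code and one state")
    # Constant-time comparison with the value bound to this browser session.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the code")
    # The code was issued no later than 'now', so it has expired by now + TTL.
    return codes[0], now + CODE_TTL_SECONDS


def can_exchange(deadline, now=None):
    """False once the 10-minute window has certainly elapsed."""
    return (time.time() if now is None else now) < deadline


if __name__ == "__main__":
    state = new_state()  # stored server-side in the session
    print(build_authorize_url("constructed-client-id",
                              "urn:example:constructed-request-uri"))
    cb = "https://rp.example/callback?code=constructed-code&state=" + state
    code, deadline = parse_callback(cb, state)
    print(code, can_exchange(deadline))
```
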
