Pushed Authorization Request (PAR) Endpoint
This endpoint allows the client to send authentication request parameters directly to Corppass in a back-channel request before redirecting the user for authentication. This ensures that sensitive authentication request details are securely transmitted and validated before user interaction.
Request
Request Headers
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Request Body
| Parameter | Required | Description |
| --- | --- | --- |
| redirect_uri | Yes | The redirect URI used in the current authentication session |
| scope | Yes | Must contain at least the openid scope. For a comprehensive list of valid scopes, refer to the Overview of Scopes section. Unrecognized or unauthorized scopes will result in an error. |
| response_type | Yes | Specifies the response processing flow. Currently, Corppass only supports code as a valid value. |
| client_assertion_type | Yes | Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| client_assertion | Yes | A JWT identifying the client. Refer to Overview of Client Assertion JWT section for more details about the JWT structure. |
| state | Yes | A client-provided value used to maintain state between the request and the callback. Helps to mitigate Cross-Site Request Forgery (CSRF, XSRF) attacks. |
| nonce | Yes | A unique value provided by the RP that is returned in the ID Token. Used to prevent replay attacks and must be validated by the RP. |
| client_id | Yes | The client identifier assigned to the Relying Party during onboarding with Corppass. |
| code_challenge | Yes | |
| code_challenge_method | Yes | The code verifier transformation method. Currently, Corppass only supports S256 as a valid value. |
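The following added example (not Corppass or project code) assembles the form-encoded PAR request body from the parameters above, generating state, nonce and a PKCE S256 code_challenge. The function names are hypothetical, the client assertion is assumed to be an already-signed JWT passed in by the caller, and the PAR endpoint URL is not shown because this page does not give it.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
REQUIRED = ("redirect_uri", "scope", "response_type", "client_assertion_type",
            "client_assertion", "state", "nonce", "client_id",
            "code_challenge", "code_challenge_method")


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 (RFC 7636): BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_par_request(client_id, redirect_uri, scope, client_assertion):
    """Return (form_body, session). Hypothetical helper, not a Corppass API.

    session must be stored server-side, bound to the user's browser session,
    so state and nonce can be checked when the callback and ID Token arrive.
    """
    if "openid" not in scope.split():
        raise ValueError("scope must contain openid")
    session = {
        "state": secrets.token_urlsafe(32),          # compared on the callback
        "nonce": secrets.token_urlsafe(32),          # compared with the ID Token
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, never sent in PAR
    }
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",                     # only supported value
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": client_assertion,        # assumed: signed JWT
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",             # only supported value
    }
    missing = [name for name in REQUIRED if not params.get(name)]
    if missing:
        raise ValueError(f"missing required parameters: {missing}")
    return urlencode(params), session
```

Send the returned body with the Content-Type header listed under Request Headers; only the code_challenge leaves the RP in this request, while the code_verifier stays in the server-side session.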
Response
Response Body Example
Response Body Fields
| Field | Type | Description |
| --- | --- | --- |
| expires_in | Numeric | The remaining lifetime of the access token in seconds. |
| request_uri | String | A reference to the pre-registered authorization request. |