Corppass

Token Endpoint

POST /mga/sps/oauth/oauth20/token

This endpoint allows the client to exchange an authorization code for an ID token and an access token.

  • The ID token is a JWT that includes user information in the sub claim and is signed by Corppass. Relying Parties (RPs) can verify the JWT's signature using the public keys available at the Corppass JWKS endpoint.

  • The access token is a signed JWS intended for the Corppass resource server (e.g. /authorization-info).

Supported Grant Types

Grant types define the method by which a client obtains tokens from the authorization server. For the OpenID Connect (OIDC) authentication flow, Corppass supports the following grant types:

  • authorization_code (Authorization Code Grant): Used to securely exchange an authorization code for an ID token and access token. Requires prior user authentication and is suitable for confidential clients. Refer to Section 3.1 of the OIDC Core Specification for more details on this grant.

The authorization_code grant type allows the client to exchange an authorization code (issued to the client after the user is authenticated) for an ID token and an access token. This grant is restricted to confidential clients, which must authenticate themselves using a Client Assertion JWT: the client includes a JSON Web Token (JWT) in the token request body, and Corppass verifies the JWT's signature using the public key provided in the JSON Web Key Set (JWKS) during client onboarding.

Request

Request Headers

  • Content-Type: application/x-www-form-urlencoded; charset=utf-8

Request Body

  • redirect_uri: The redirect URI used in the current authentication session.
  • grant_type: The type of grant being requested. This must be set to authorization_code.
  • code: The authorization code issued during the /authorize call.
  • client_assertion_type: Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • client_assertion: A JWT identifying the client. Refer to the Client Assertion JWT section for more details about the JWT structure.
  • client_id: The client identifier assigned to the Relying Party during onboarding with Corppass.
  • code_verifier: A cryptographically random string generated by the client. Corppass compares it against the code_challenge sent during the /authorize or /request call.

Response

Successful Response Example

{
    "access_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJleHAiOjE2MjQwODQ4MjMsImlhdCI6MTYyNDA4NDIyMywiaXNzIjoiaHR0cHM6Ly9jb3JwcGFzc3JwMDMiLCJhdWQiOiJ2T0lsaldWckd5Qk1LNmYzMVFZcSIsInNjb3BlIjpbImF1dGhpbmZvIiwidHBhdXRoaW5mbyJdfQ.jzzTSQw5w3B_88KgqzThrP237wYWkuuzBdRpHnT4iNoqWAjV8KsXDqwBgOnECsFBeshJXahMDswyqw6xlgTO9g",
    "scope": "openid",
    "id_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJlbnRpdHlJbmZvIjp7IkNQRW50SUQiOiJWQlIwMDAwMDQiLCJDUEVudF9UWVBFIjoiVUVOIiwiQ1BFbnRfU3RhdHVzIjoiUmVnaXN0ZXJlZCIsIkNQTm9uVUVOX0NvdW50cnkiOiIiLCJDUE5vblVFTl9SZWdObyI6IiIsIkNQTm9uVUVOX05hbWUiOiIifSwiYW1yIjpbInB3ZCJdLCJpYXQiOjE2MjQwODQyMjIsImlzcyI6Imh0dHBzOi8vY29ycHBhc3NycDAzIiwic3ViIjoicz1udWxsLHU9YW1pdGVzaCxjPW51bGwiLCJhdF9oYXNoIjoiMncxWjlBNW9qZExic2hSLUIwbFV4QSIsImV4cCI6MTYyNDA4NzgyMiwiYXVkIjoidk9JbGpXVnJHeUJNSzZmMzFRWXEifQ.lwTieBCXxOHMtKFkpLZDarzGe5QsZiFnZoWxVoSPLEzPhTABMgStGknzlf9m1hZiw6rCP_4InngFNLeh8DeztA",
    "token_type": "Bearer",
    "expires_in": 599
}

The access token issued by the token endpoint has a validity period of 10 minutes. Clients should ensure that it is used within this timeframe to access the protected resources.

Response Body Fields

  • access_token (required, JWS): The access token containing standard claims in JWS format, signed by Corppass. Refer to the Access Token section for more details.
  • scope (required, String): The scopes granted for the issued tokens. This field may include openid along with other scopes requested during authorization.
  • id_token (required, JWE): The ID token containing relevant claims in JWT format, signed by Corppass. Refer to the ID Token section for more details.
  • token_type (required, String): The type of token issued. Currently, only Bearer is supported.
  • expires_in (required, Numeric): The remaining lifetime of the access token in seconds.

Last updated 25 days ago