ID Token Structure

The ID Token contains both standard claims and Corppass-specific custom claims.

Standard Claims (claim format: String)

Standard claims such as iss, iat, exp, etc., as defined in Section 5.1 of the OIDC Core Specification.

Custom Claims (claim format: JavaScript Object Notation (JSON))

Corppass-specific claims providing details about the authenticated user:

  • userInfo: Includes the Corppass user's personal information, such as full name and account type

  • entityInfo: Includes the Corppass user's entity information, detailing the entities the user is authorized for or selected during authorization (applicable when the user has access to multiple entities)

ID Token Format

The ID Token is issued as a JWS encapsulated in a JWE (compact serialisation). Below is an overview of its structure:

| Component | Description |
|---|---|
| JWE Header | Contains metadata such as the encryption algorithm (alg) and key identifier (kid). |
| Encrypted Payload | The encrypted content of the JWE; decrypting it yields the Base64-encoded JWS (compact serialisation). |
| JWS Header | Includes metadata such as the signing algorithm (alg) and the key identifier (kid). |
| JWS Payload | Contains the claims, including user and authorization information. |
| Signature | Ensures the integrity and authenticity of the payload. |
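To make the nesting concrete, here is an added example (not Corppass's code or documentation) that classifies a compact-serialised token as the outer JWE (five dot-separated segments) or the inner JWS (three segments), decodes its protected header, and applies the checks an RP should make before using the key the header names. The sample tokens, their alg/enc/kid values and the ciphertext and signature segments are constructed placeholders; decryption and signature verification themselves are left to the RP's JOSE library.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment of a compact serialisation (padding is omitted on the wire)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the alphabet JWS/JWE compact serialisation uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_compact(token: str) -> dict:
    """Classify a compact-serialised token by segment count and decode its protected header.

    JWE compact serialisation has five segments (header.encrypted_key.iv.ciphertext.tag);
    JWS compact serialisation has three (header.payload.signature).
    """
    parts = token.split(".")
    if len(parts) == 5:
        kind = "JWE"
    elif len(parts) == 3:
        kind = "JWS"
    else:
        raise ValueError(f"expected 3 or 5 segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    result = {"kind": kind, "header": header}
    if kind == "JWS":
        # The payload is readable before signature verification, but must not be
        # trusted until the signature has been checked against the issuer's key.
        result["unverified_payload"] = json.loads(b64url_decode(parts[1]))
    return result


def header_problems(header: dict, allowed_algs: set) -> list:
    """Checks an RP should apply to each header before selecting a key with it."""
    problems = []
    alg = header.get("alg")
    if alg not in allowed_algs:  # also rejects "none" and a missing alg
        problems.append(f"alg {alg!r} is not on the allow-list")
    if not header.get("kid"):
        problems.append("kid missing; cannot select key from JWKS")
    return problems


# Constructed samples (not real Corppass tokens): the outer JWE carries placeholder
# segments instead of real ciphertext, and the inner JWS carries a placeholder signature.
# The alg/enc/kid values are illustrative assumptions, not Corppass's published values.
SAMPLE_JWE = ".".join([
    b64url_encode(json.dumps({"alg": "ECDH-ES+A256KW", "enc": "A256GCM", "kid": "rp-enc-key-1"}).encode()),
    b64url_encode(b"encrypted-key"),
    b64url_encode(b"iv"),
    b64url_encode(b"ciphertext"),
    b64url_encode(b"tag"),
])
SAMPLE_JWS = ".".join([
    b64url_encode(json.dumps({"alg": "ES256", "kid": "idp-sig-key-1"}).encode()),
    b64url_encode(json.dumps({"iss": "https://stg-id.corppass.gov.sg", "aud": "vOIljWVrGyBMK6f31QYq"}).encode()),
    b64url_encode(b"signature"),
])

if __name__ == "__main__":
    outer = inspect_compact(SAMPLE_JWE)
    print(outer["kind"], outer["header"], header_problems(outer["header"], {"ECDH-ES+A256KW"}))
    # After decrypting the JWE with the RP's private key, the plaintext is the inner JWS:
    inner = inspect_compact(SAMPLE_JWS)
    print(inner["kind"], inner["header"], header_problems(inner["header"], {"ES256"}))
```

The order matters: the RP decrypts the JWE with its own private key, then verifies the JWS signature with the Corppass key identified by the inner kid, and only then reads the claims. Pinning the allowed algorithms per layer, rather than trusting whatever alg the header announces, is what keeps an `alg: none` or algorithm-confusion token from being accepted.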

JWS Payload Example

The following is an example of the JWS payload carried in the ID Token:

{
    "iat": 1623162109,
    "iss": "https://stg-id.corppass.gov.sg",
    "at_hash": "6J4VlBBQpbAyy1NL4NBW-Q",
    "sub": "s=S1234567P,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,u=CP192,c=SG",
    "exp": 1623165709,
    "aud": "vOIljWVrGyBMK6f31QYq",
    "amr": ["pwd", "sms"],
    "nonce": "ZEF+97zc3YZP7huv6nzKspfabDv0wRtce/aVNud23vU=",
    "userInfo":{
        "CPAccType": "User",
        "CPUID_FullName": "John Grisham",
        "ISSPHOLDER": "YES"
    },
    "email": "[email protected]",
    "email_verified": true,
    "entityInfo": {
        "CPEntID": "82532759L",
        "CPEnt_TYPE": "UEN",
        "CPEnt_Status": "Registered",
        "CPNonUEN_Country": "",
        "CPNonUEN_RegNo": "",
        "CPNonUEN_Name": ""
    }
}

Claims in the JWS Payload

sub (String)

The principal that is the subject of the JWT. It contains a comma-separated list of key=value pairs that uniquely identify the user, which may include multiple alternate identifiers.

Format

The format of the sub is as follows:

  • s: Identity ID (e.g. NRIC/FIN/Foreign ID)

  • uuid: User's globally unique identifier (e.g. 0f14a2fc-09c2-4780-95f0-8c28347f2780)

  • u: System-defined ID (e.g. CP1234)

  • c: Two-character country code, conforming to ISO 3166-1 Alpha-2 (e.g. SG)

Example:

"sub": "s=F1234567P,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,u=CP192,c=SG"

Corppass does NOT guarantee the order of key-value pairs in the sub claim. Relying Parties (RPs) must not depend on the positional order of these pairs but must parse them by their keys to ensure accurate data processing.

Instead of assuming s is always in the first position, RPs should identify and process the values by their keys:

  • s: F1234567P

  • uuid: 0f14a2fc-09c2-4780-95f0-8c28347f2780

  • u: CP192

  • c: SG
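The key-based parsing recommended above, as an added example that is not Corppass's code. It rejects duplicate keys instead of silently overwriting them, and shows why positional parsing fails when the pairs arrive in a different order. Which keys an RP treats as mandatory is an assumption the RP configures; this page lists s, uuid, u and c but does not state that every one is always present.

```python
def parse_sub(sub: str) -> dict:
    """Parse the Corppass sub claim into a {key: value} mapping.

    Pairs are located by key, never by position, since Corppass does not
    guarantee their order. Duplicate keys are rejected rather than silently
    overwritten so that an ambiguous identifier cannot slip through.
    """
    pairs = {}
    for item in sub.split(","):
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"malformed sub component: {item!r}")
        if key in pairs:
            raise ValueError(f"duplicate key {key!r} in sub")
        pairs[key] = value
    return pairs


def sub_problems(pairs: dict, required_keys) -> list:
    """Checks an RP applies after parsing; required_keys is the RP's own policy (assumption)."""
    problems = [f"missing key {key!r}" for key in sorted(required_keys) if key not in pairs]
    country = pairs.get("c")
    if country is not None and not (
        len(country) == 2 and country.isascii() and country.isalpha() and country.isupper()
    ):
        problems.append(f"c {country!r} is not an ISO 3166-1 alpha-2 code")
    return problems


# PAGE_SUB is the example value from this page; REORDERED_SUB is a constructed
# permutation of the same pairs to show that order must not be relied on.
PAGE_SUB = "s=F1234567P,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,u=CP192,c=SG"
REORDERED_SUB = "c=SG,u=CP192,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,s=F1234567P"

if __name__ == "__main__":
    parsed = parse_sub(PAGE_SUB)
    # Positional parsing gives different "first" values; key-based parsing gives the same dict.
    print("positional:", PAGE_SUB.split(",")[0], "vs", REORDERED_SUB.split(",")[0])
    print("by key equal:", parsed == parse_sub(REORDERED_SUB))
    print("problems:", sub_problems(parsed, {"s", "uuid", "u", "c"}))
```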

aud (String)

The client ID of the Relying Party. Refer to Section 4.1.3 of RFC 7519.

iss (String)

The issuer of the token. Refer to Section 4.1.1 of RFC 7519.

iat (Number)

The time the token was issued, expressed as a UNIX timestamp. Refer to Section 4.1.6 of RFC 7519.

exp (Number)

The expiration time of the token, expressed as a UNIX timestamp. The default validity is 10 minutes from iat. Refer to Section 4.1.6 of RFC 7519.

nonce (String)

A unique string that associates the ID Token with the authorization request, to prevent replay attacks.

amr (Array)

Authentication methods used during Singpass login:

| Authentication Method | Values |
|---|---|
| 1FA | ["pwd"] |
| 2FA SMS OTP | ["pwd","sms"] |
| QR Code | ["pwd","swk"] |
| Facial Biometrics | ["pwd","fv"] |

at_hash (String)

A hash of the Access Token issued alongside the ID Token.

We strongly encourage Relying Parties (RPs) to use the at_hash claim to validate the Access Token's integrity, ensuring it has not been tampered with. For more details on the at_hash claim, refer to Section 2 of the OIDC Core Specification.

userInfo (JSON)

Contains the user's personal information, such as full name and account type. Refer to the UserInfo Claim Structure section for more details.

entityInfo (JSON)

Includes the user's entity information (e.g., entity type, ID) used during authentication. Refer to the EntityInfo Claim Structure section for more details.

email (String)

The user's email address tied to the selected entity. Only provided if business_profile.email was included in the scope during the /authorize request and the client is authorized to access this data.

email_verified (Boolean)

Indicates whether the user's email address has been verified. Only provided if business_profile.email was included in the scope during the /authorize request and the client is authorized to access this data.
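The claim checks the table above implies for an RP, plus the at_hash computation from OIDC Core (Section 3.1.3.6: left-most half of the hash named by the JWS alg over the Access Token's ASCII octets, base64url without padding), as an added example that is not Corppass's code. The sample claims are constructed from this page's JWS payload example; the access-token string, the ES256 signing algorithm and the 60-second clock leeway are assumptions. The checks apply to the payload only after the JWE has been decrypted and the JWS signature verified.

```python
import base64
import hashlib
import hmac
import time

# Hash function implied by the JWS signing algorithm (OIDC Core, Section 3.1.3.6).
HASH_FOR_JWS_ALG = {
    "RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
    "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
    "RS512": "sha512", "PS512": "sha512", "ES512": "sha512",
}


def compute_at_hash(access_token: str, jws_alg: str) -> str:
    """Left-most half of the alg's hash over the token's ASCII octets, unpadded base64url."""
    digest = hashlib.new(HASH_FOR_JWS_ALG[jws_alg], access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_at_hash(claims: dict, access_token: str, jws_alg: str) -> bool:
    """True only if the Access Token received with this ID Token matches its at_hash."""
    expected = compute_at_hash(access_token, jws_alg).encode("ascii")
    actual = str(claims.get("at_hash", "")).encode("utf-8")
    return hmac.compare_digest(expected, actual)


def _is_int(value) -> bool:
    return isinstance(value, int) and not isinstance(value, bool)


def find_claim_problems(claims, *, expected_iss, client_id, expected_nonce, now=None, leeway=60):
    """Return the reasons to reject a signature-verified JWS payload; empty list means acceptable.

    'leeway' (seconds, an assumption) absorbs small clock differences between RP and issuer.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if client_id not in audiences:
        problems.append("aud does not contain our client_id")
    exp = claims.get("exp")
    if not _is_int(exp):
        problems.append("exp missing or not an integer")
    elif now > exp + leeway:
        problems.append("token expired")
    iat = claims.get("iat")
    if not _is_int(iat):
        problems.append("iat missing or not an integer")
    elif iat > now + leeway:
        problems.append("iat is in the future")
    nonce = claims.get("nonce")
    # Constant-time comparison against the nonce the RP stored with the authorization request.
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        problems.append("nonce mismatch")
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        problems.append("amr missing or malformed")
    for key in ("userInfo", "entityInfo"):
        if key in claims and not isinstance(claims[key], dict):
            problems.append(f"{key} is not a JSON object")
    return problems


# Constructed sample built from this page's JWS payload example. The access token
# value and the ES256 signing algorithm are assumptions made for the at_hash demo.
SAMPLE_ACCESS_TOKEN = "constructed-access-token-value"
SAMPLE_CLAIMS = {
    "iat": 1623162109,
    "iss": "https://stg-id.corppass.gov.sg",
    "at_hash": compute_at_hash(SAMPLE_ACCESS_TOKEN, "ES256"),
    "sub": "s=S1234567P,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,u=CP192,c=SG",
    "exp": 1623165709,
    "aud": "vOIljWVrGyBMK6f31QYq",
    "amr": ["pwd", "sms"],
    "nonce": "ZEF+97zc3YZP7huv6nzKspfabDv0wRtce/aVNud23vU=",
    "userInfo": {"CPAccType": "User", "CPUID_FullName": "John Grisham", "ISSPHOLDER": "YES"},
}

if __name__ == "__main__":
    print(find_claim_problems(SAMPLE_CLAIMS, expected_iss="https://stg-id.corppass.gov.sg",
                              client_id="vOIljWVrGyBMK6f31QYq",
                              expected_nonce=SAMPLE_CLAIMS["nonce"], now=1623162200))
    print(verify_at_hash(SAMPLE_CLAIMS, SAMPLE_ACCESS_TOKEN, "ES256"))
```

Returning a list of problems rather than raising on the first one makes the function easy to log and test; in production the RP rejects the login if the list is non-empty. The at_hash check binds the Access Token to the ID Token the user's session was established from, so a swapped or truncated Access Token fails even though the ID Token itself verifies.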
