
OpenID Discovery Endpoint

GET /.well-known/openid-configuration

The OpenID Discovery Endpoint provides essential metadata about the OpenID Provider (OP) configuration. This metadata allows Relying Parties (RPs) to dynamically configure their interactions with the OP.

Responses from the OpenID Discovery Endpoint should be cached for at least 1 hour to minimize repeated requests during OIDC/OAuth2 operations.

Response

Response Example

HTTP/2 200
content-type: application/json; charset=utf-8
content-length: 1667  

{
  "authorization_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/authorize",
  "claims_parameter_supported": false,
  "claims_supported": [
    "nonce",
    "aud",
    "iss",
    "sub",
    "exp",
    "iat",
    "userInfo",
    "entityInfo",
    "AuthInfo",
    "TPAuthInfo",
    "rt_hash",
    "at_hash",
    "amr",
    "email",
    "email_verified",
    "sid",
    "auth_time",
    "EntityInfo"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "issuer": "https://stg-id.corppass.gov.sg",
  "jwks_uri": "https://stg-id.corppass.gov.sg/.well-known/keys",
  "authorization_response_iss_parameter_supported": false,
  "response_modes_supported": [
    "form_post",
    "fragment",
    "query"
  ],
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "ES256",
    "ES256K",
    "ES384",
    "ES512"
  ],
  "token_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/token",
  "id_token_signing_alg_values_supported": [
    "ES256"
  ],
  "id_token_encryption_alg_values_supported": [
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW"
  ],
  "id_token_encryption_enc_values_supported": [
    "A256CBC-HS512"
  ],
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://stg-id.corppass.gov.sg/authorization-info",
  "userinfo_signing_alg_values_supported": [
    "ES256"
  ],
  "userinfo_encryption_alg_values_supported": [
    "A128KW",
    "A256KW",
    "ECDH-ES",
    "RSA-OAEP",
    "RSA-OAEP-256",
    "dir"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A128GCM",
    "A256CBC-HS512",
    "A256GCM"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "name": "corppass",
  "authorization-info_endpoint": "https://stg-id.corppass.gov.sg/authorization-info"
}

Response Fields

| Field | Type | Description |
| --- | --- | --- |
| issuer | String | The URL identifying the OpenID Provider (OP) as the issuer of tokens. Defined in RFC 7519, Section 4.1.1. |
| authorization_endpoint | String | The URL of the OP's OAuth 2.0 Authorization Endpoint, where users authenticate and provide consent. Refer to OpenID Connect Core 1.0, Section 3.1.2. |
| jwks_uri | String | The URL of the OP's JSON Web Key Set (JWKS) endpoint. Clients use this endpoint to retrieve public keys for validating token signatures. Refer to RFC 7517, Section 4. |
| response_types_supported | Array | JSON array containing a list of OAuth 2.0 response_type values that the OP supports. Defined in OAuth 2.0 Multiple Response Type Encoding Practices. |
| scopes_supported | Array | JSON array listing the OAuth 2.0 scope values that the OP supports, such as openid, which is mandatory for OpenID Connect flows. |
| subject_types_supported | Array | JSON array containing a list of Subject Identifier types that the OP supports, such as public or pairwise. Refer to OpenID Connect Core 1.0, Section 8. |
| claims_supported | Array | JSON array containing a list of Claim Names the OP may supply in tokens or the UserInfo response. Defined in OpenID Connect Core 1.0, Section 5.1. |
| grant_types_supported | Array | JSON array listing the OAuth 2.0 grant_type values supported by the OP, such as authorization_code or refresh_token. Refer to RFC 6749, Section 4. |
| token_endpoint | String | The URL of the OP's OAuth 2.0 Token Endpoint. Clients exchange an authorization code for tokens at this endpoint. |
| token_endpoint_auth_methods_supported | Array | JSON array listing the client authentication methods supported by the Token Endpoint, such as private_key_jwt. Refer to OpenID Connect Core 1.0, Section 9. |
| token_endpoint_auth_signing_alg_values_supported | Array | JSON array listing the JWS signing algorithms (alg values) supported by the Token Endpoint for JWT authentication. Refer to RFC 7518, Section 3.1. |
| id_token_signing_alg_values_supported | Array | JSON array listing the JWS signing algorithms (alg values) supported by the OP for signing ID Tokens. Defined in RFC 7518, Section 3.1. |
| id_token_encryption_alg_values_supported | Array | JSON array listing the JWE encryption algorithms (alg values) supported by the OP for encrypting ID Tokens. Defined in RFC 7516, Section 4.1.1. |
| id_token_encryption_enc_values_supported | Array | JSON array listing the JWE encryption algorithms (enc values) supported by the OP for encrypting ID Tokens. Defined in RFC 7516, Section 4.1.2. |
| authorization-info_endpoint | String | The URL of the OP's Authorization Info Endpoint, used to retrieve the user's authorization and third-party authorization details. |
| claims_parameter_supported | Boolean | Boolean value indicating whether the OP supports the claims parameter to request specific claims. If omitted, the default value is false. Refer to OpenID Connect Core 1.0, Section 5.5. |
| code_challenge_methods_supported | Array | JSON array listing the Proof Key for Code Exchange (PKCE) code_challenge methods supported by the OP, such as S256. Defined in RFC 7636, Section 4.3. |
| authorization_response_iss_parameter_supported | Boolean | Boolean indicating whether the OP includes the iss parameter in the authorization response. If omitted, the default value is false. |
| response_modes_supported | Array | JSON array listing OAuth 2.0 response_mode values supported by the OP, such as query or fragment. Defined in OAuth 2.0 Multiple Response Type Encoding Practices. |
| request_parameter_supported | Boolean | Boolean indicating whether the OP supports the request parameter for JWT-based requests. Default is false if omitted. |
| request_uri_parameter_supported | Boolean | Boolean indicating whether the OP supports the request_uri parameter. Default is true if omitted. |
| claim_types_supported | Array | JSON array listing the Claim Types supported by the OP, such as normal, aggregated, or distributed. Defined in OpenID Connect Core 1.0, Section 5.6. |
| userinfo_endpoint | String | The URL of the OP's UserInfo Endpoint, used to retrieve claims about the authenticated user. Defined in OpenID Connect Core 1.0, Section 5.3. |
| userinfo_signing_alg_values_supported | Array | JSON array listing JWS signing algorithms (alg values) supported by the UserInfo Endpoint for encoding claims in a JWT. Defined in RFC 7515, Section 4. |
| userinfo_encryption_alg_values_supported | Array | JSON array listing JWE encryption algorithms (alg values) supported by the UserInfo Endpoint for encrypting claims in a JWT. Defined in RFC 7516, Section 4.1.1. |
| userinfo_encryption_enc_values_supported | Array | JSON array listing JWE encryption algorithms (enc values) supported by the UserInfo Endpoint for encrypting claims in a JWT. Defined in RFC 7516, Section 4.1.2. |

The userinfo_endpoint in OIDC is analogous to the authorization-info_endpoint in the Corppass Authorization system, which provides similar functionalities, offering detailed information about the authenticated user after a successful login.
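
An added example, not Corppass's own code: one way an RP might validate the discovery document before trusting its endpoints and cache it for the 1 hour recommended above. The names validate_metadata and DiscoveryCache, the REQUIRED capability set and the same-host endpoint check are assumptions of this example; SAMPLE is constructed from the response example above.

```python
import json
import time
from urllib.parse import urlsplit

# Constructed sample: a subset of the fields in the response example above.
SAMPLE = json.dumps({
    "issuer": "https://stg-id.corppass.gov.sg",
    "authorization_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/authorize",
    "token_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/token",
    "jwks_uri": "https://stg-id.corppass.gov.sg/.well-known/keys",
    "authorization-info_endpoint": "https://stg-id.corppass.gov.sg/authorization-info",
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
    "id_token_signing_alg_values_supported": ["ES256"],
})
URL_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "authorization-info_endpoint")
# Assumption: the capabilities this hypothetical RP relies on.
REQUIRED = {"code_challenge_methods_supported": "S256",
            "token_endpoint_auth_methods_supported": "private_key_jwt",
            "id_token_signing_alg_values_supported": "ES256"}

def validate_metadata(meta, expected_issuer):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    if meta.get("issuer") != expected_issuer:  # must match the configured issuer exactly
        problems.append("issuer mismatch")
    host = urlsplit(expected_issuer).hostname
    for field in URL_FIELDS:  # same-host pinning is this example's own policy
        url = urlsplit(str(meta.get(field, "")))
        if url.scheme != "https" or url.hostname != host:
            problems.append(f"{field} is not https on {host}")
    for field, value in REQUIRED.items():
        if value not in meta.get(field, []):
            problems.append(f"{field} lacks {value}")
    return problems

class DiscoveryCache:  # ttl defaults to 1 hour, the minimum the page asks for
    def __init__(self, fetch, expected_issuer, ttl=3600, clock=time.monotonic):
        self.fetch, self.issuer, self.ttl, self.clock = fetch, expected_issuer, ttl, clock
        self._meta, self._at = None, 0.0
    def get(self):
        now = self.clock()
        if self._meta is None or now - self._at >= self.ttl:
            meta = json.loads(self.fetch())  # fetch() returns the JSON body as text
            problems = validate_metadata(meta, self.issuer)
            if problems:
                raise ValueError("; ".join(problems))
            self._meta, self._at = meta, now
        return self._meta
```

In a real client, fetch would perform the GET on /.well-known/openid-configuration; a document that fails validation is never stored, so a bad refresh cannot replace previously accepted endpoints.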