Invoke Authorization Endpoint
Last updated
Developer Docs for Singpass
Last updated
This section demonstrates how to invoke the authorization endpoint for Singpass to begin the authentication process. First, you will need to create a Singapss Login button to trigger the redirection. Once the user has been authenticated, your application will be redirected to the redirect URL that has been set up in the Application configuration with the authorization code.
| Staging | Production |
|---|---|
Create a new file in your application for the login button. For the demo singpass application, app.js contains the Login button code. You may also copy the logic needed to create a simple login button from the code panel below.
Update request parameters accordingly for the authorization endpoint with the following attributes:
| Key | Description | |
|---|---|---|
Create attributes for all the request parameters and update them accordingly. This URL will be triggered once the user triggers the login button. For the demo singpass application, update all the following fields within the app.js file.
Run the application and click on the login button. You should be redirected to the Singpass staging login page. The authentication type will be based on the configuration of the Application.
There will only be a QR displayed, use the Staging Singpass Mobile App to scan the QR and approve to get authenticated.
Select Singpass App or Password Login. If the Singpass App is selected, the process flow is the same as QR Authenticated.
For Password Login, use the Staging Login Credentials requested via Test Account Request Portal. Alternatively, you can use the following Singpass ID and Password to test the login.
Scan the QR via the Staging Singpass Mobile App and approve to get authenticated or select Password Login using the Staging Login Credentials requested via Test Account Request Portal.
For Login via Password Login, you will be required to provide an SMS OTP. This OTP will be sent to the mobile number you register when requesting a Test Account via the Test Account Request Portal.
Once the user has authenticated via any of the 3 authentication methods, verify that Singpass redirects you to your application registered redirect_uri along with the code and state parameters like the following example.
If you have received the code and state successfully, your application is ready for the next steps.
Singpass generally follows OIDC error response specifications. For more information, please refer to Authorization Error Response specifications.
Setup the Client Assertion and build the Client Assertion function
If you already have it, proceed to set up your Application Server to call Singpass's Token Endpoint.
scope
Supported value is openid.
response_type
The authorization processing flow to be used. Supported value is code for the Authorization Code Flow.
client_id
This should be client_id of the registered client provided in the Application configuration for each Application
redirect_uri
The URL that Singpass will eventually redirect the user to after the user completes the login process using the Singpass Application. The value will be validated against the list of redirect URIs that were pre-configured in Application Configuration.
nonce
A session-based, unique, and non-guessable value that the RP should generate per auth session. This parameter should ideally be generated and set by the RP’s backend and passed to the frontend. As part of threat modelling, Singpass is requesting for the nonce parameter so as to mitigate MITM replay attacks against the ASP Service’s Token Endpoint and its resulting ID Token. This parameter serves the same purpose as OIDC 1.0’s nonce parameter.
state
A session-based, unique, and non-guessable value that the RP should generate per auth session. This parameter should ideally be generated and set by the RP’s backend and passed to the frontend. As part of threat modelling, NDI is requesting for the state parameter so as to mitigate replay attacks against the RP’s redirection endpoint (redirectUri). This parameter serves the same purpose as OAuth 2.0’s state parameter.
Maximum of 255 characters. Must match regexp pattern of [A-Za-z0-9/+_\-=.]+
