After successful authentication, Singpass will return an authorization code and state back to your application redirect URL as described under the section Invoke Authorization Endpoint.
The value of the code parameter received will be used to call the Singpass token endpoint to exchange for the security tokens (i.e. ID token and access token) per the authorization flow.
Token endpoint for different environments:
Staging
Production
Token Endpoint can only be called from server-side code.
Step 1: Setup Token Endpoint Code
Create a new server-side code file called api.js and copy the logic needed for login from the code panel. This file contains the function to generate the client assertion as explained in section Setup Client Assertion. For the demo Singpass application, the api.js file is within the Singpassdemoappserver code.
Do not use the sample private key as it has been compromised. For demo purposes, all keys have been displayed but It is recommended not to directly store your private key/ public key in your code, you should follow the best practices to store them in either Database or Secure Storage, or perhaps store them as environment variables, or in a config files, should avoid hardcoding.
Update request parameters accordingly for the token endpoint with the following attributes:
Key
Description
client_id
redirect_uri
grant_type
The type of grant being requested. This must be set to authorization_code
code
The code issued earlier in the auth session
client_assertion_type
This MUST be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion
Create attributes for all the request parameters and update them accordingly. For the demo singpass application, update all the following fields within the api.js file.
const REACT_APP_SIGNATURE_PRIVATE_KEY = {
kty: "EC",
d: "0GlHbGc8vSnyiB-Lf4_im_WFwrxM0MJjkk96o1-K3JQ",
crv: "P-256",
x: "wg11s6ZpBc0my5gT-mYatTZRDhgStyd_0qARVBwAWa4",
y: "hlVoYWwlCuTMnm79Ppmf3RslIwDRhqdCCnm01PkhA2s"
};
//Update to the signature JWT private key
const REACT_APP_ENCRYPTION_PRIVATE_KEY = {
kty: "EC",
d: "p4YZHS0_BS4VMUayEtt38qi2sMdkhs4JRFlks7HJCD8",
crv: "P-256",
x: "0GR5oBa1FINjCZP_W-nR8Yqoz4E_9j7lgCuRPh9PZTA",
y: "0leGfxdQSJdtubopqhj5uhPVYV3LSd_yf3y2DdRD5No"
}
//Update to the encryption JWT private key. Mandatory only if profile type is direct-pii-allowed
const REACT_APP_CLIENT_ID="tLRDBkf1CNy5Rsi34mEKuOD5EpQAwjIq"
//Update to the ClientID obtain from Singpass Developer Portal
const REACT_APP_JWTTOKENURL="https://stg-id.singpass.gov.sg"
//Default to staging JWT endpoint
const REACT_APP_SPTOKENURL="https://stg-id.singpass.gov.sg/token"
//Default to staging token endpoint
const REACT_APP_KID="testing123"
//Update to the signature JWT kid key ID
const REACT_APP_REDIRECT_URI="https://singpassdemoapp.netlify.app/callback"
//Update to the Redirect/Callback URL indicated in Singpass Developer Portal
Step 3: Call the Token Endpoint and Test
After configuring the token request parameter, and calling the server function through a postman call by providing the code retrieved from the authorization endpoint response, upon successful authorization, your application will be responded to with an ID token and access token like the following example.
The type of token being requested, Bearer only so far.
id_token
Step 4: Decode the ID Token
After receiving the ID token, your application needs to decrypt the ID token with your encryption JWT private key to obtain the NRIC/UUID. For the demo singpass application, the following code works as the decrypt function.
This should be client_id of the registered client provided in the for each Application
The redirect URL being used in this auth session. The value will be validated against the list of redirect URIs that were pre-configured in .
A JWT identifying the client as setup in the
The ID token with relevant claims in JWT format signed by the Singpass. Note that the example response body shows a JWS (3-part structure separated by dots), but the format will differ for a JWS in JWE (5-part structure). Refer for more details about the ID token structure.
