Singpass Developer Docs
OAuth 2.1 Concepts


Last updated 1 month ago


Myinfo APIs use the OAuth 2.1 authorization code flow to perform authentication and authorization; it lets both mobile and web clients obtain tokens securely, because the access token is never exposed to the browser.

The code flow comprises two main parts:

  1. An authorization flow that runs in the browser (the front channel)

  2. A token flow that is a server-to-server call (the back channel)


1. Authorization Flow

  1. The browser redirects to the /authorize endpoint of the AuthZ server.

  2. The AuthZ server redirects to Singpass, the AuthN server.

  3. The user authenticates and is redirected back to the AuthZ server.

  4. The AuthZ server redirects to the consent page for user consent.

  5. The user consents.

  6. The AuthZ server redirects back to the client application's callback URL with a one-time token called the authorization code (authcode). The authcode is not the access token; it can only be exchanged once, in the token flow below.

2. Token Flow

  1. The client application makes a POST request to the /token API endpoint with the authorization code (authcode) and a client_assertion. Because OAuth 2.1 requires PKCE for the authorization code flow, this request also carries the code_verifier that matches the code_challenge sent on /authorize (covered under PKCE).

  2. The AuthZ server validates the authcode and the client_assertion; only then does it issue the access_token. Since the authcode is single-use, a replayed /token request with the same code is rejected.
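The two legs above, end to end, as an added example that is not part of the Myinfo documentation or its connectors. Both the client and a minimal AuthZ server are simulated in one process so it runs offline: the server URL, client_id, redirect URI and scope are placeholders, and the client_assertion is signed with HMAC (HS256) purely as a stand-in for the client's private key, which in Myinfo v4 is asymmetric and published via JWKS (see Client Assertions). What the example shows is the security-relevant checks each side performs: the client binds the callback to its session with `state` and proves possession of the `code_verifier`; the server rejects a replayed client_assertion (`jti`), a replayed or expired authcode, and a code exchanged by a different client or redirect URI.

```python
"""Simulated OAuth 2.1 authorization code flow: browser leg + server-to-server token leg.
Constructed example. AUTHZ, CLIENT_ID, REDIRECT_URI, the scope and CLIENT_KEY are placeholders,
not Myinfo values; HS256 stands in for the client's asymmetric signing key."""
import base64, hashlib, hmac, json, os, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ = "https://authz.example.test"               # placeholder AuthZ server
CLIENT_ID = "example-client"                        # placeholder client_id
REDIRECT_URI = "https://client.example.test/callback"
CLIENT_KEY = b"stand-in-for-the-client-private-key"  # stand-in: real clients use a private key
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkce_pair():
    """PKCE S256: verifier stays on the client, only its hash goes to /authorize."""
    verifier = b64url(os.urandom(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def build_authorize_url(state, challenge, scope="uinfin name"):  # scope is illustrative
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{AUTHZ}/authorize?{urlencode(params)}"

def parse_callback(url, expected_state):
    """Step 6: the client must tie the callback to the session that started the flow."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    return q["code"][0]

def sign_jwt(claims, key):
    header = {"alg": "HS256", "typ": "JWT"}  # stand-in alg; see lead-in
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def client_assertion(now=None):
    """Client authentication for /token: short-lived JWT with a unique jti."""
    now = now or int(time.time())
    return sign_jwt({"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": f"{AUTHZ}/token",
                     "iat": now, "exp": now + 120, "jti": secrets.token_urlsafe(16)}, CLIENT_KEY)

def token_request(code, verifier):
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "code_verifier": verifier, "client_assertion_type": ASSERTION_TYPE,
            "client_assertion": client_assertion()}

class AuthzServer:
    """Minimal AuthZ server: issues one-time authcodes and validates them on /token."""
    def __init__(self):
        self.codes = {}       # authcode -> binding record
        self.seen_jti = set()  # replay protection for client assertions

    def issue_code(self, authorize_url):
        """Steps 2-6 collapsed: assume Singpass login and consent succeeded."""
        q = parse_qs(urlparse(authorize_url).query)
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"][0], "redirect_uri": q["redirect_uri"][0],
                            "challenge": q["code_challenge"][0], "exp": time.time() + 60}
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def verify_assertion(self, assertion):
        h, p, s = assertion.split(".")
        expected = hmac.new(CLIENT_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), s):
            raise PermissionError("bad client_assertion signature")
        claims = json.loads(b64url_decode(p))
        if claims["aud"] != f"{AUTHZ}/token" or claims["exp"] < time.time():
            raise PermissionError("client_assertion aud/exp invalid")
        if claims["jti"] in self.seen_jti:
            raise PermissionError("replayed client_assertion")
        self.seen_jti.add(claims["jti"])
        return claims["iss"]

    def token(self, form):
        """Token flow step 2: validate assertion and authcode before issuing an access_token."""
        client = self.verify_assertion(form["client_assertion"])
        rec = self.codes.pop(form["code"], None)  # pop: the authcode is single-use
        if rec is None or rec["exp"] < time.time():
            raise PermissionError("unknown, already used or expired authcode")
        if rec["client_id"] != client or rec["redirect_uri"] != form["redirect_uri"]:
            raise PermissionError("authcode not bound to this client/redirect_uri")
        if b64url(hashlib.sha256(form["code_verifier"].encode()).digest()) != rec["challenge"]:
            raise PermissionError("PKCE code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_flow(server=None):
    """Drive one complete flow and return everything needed to inspect or replay it."""
    server = server or AuthzServer()
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    callback = server.issue_code(build_authorize_url(state, challenge))
    code = parse_callback(callback, state)
    form = token_request(code, verifier)
    return {"server": server, "code": code, "verifier": verifier, "form": form,
            "token": server.token(form)}

if __name__ == "__main__":
    print(run_flow()["token"])
```

Replaying the exact same /token form fails on the reused `jti` before the code is even looked at; replaying with a fresh assertion fails on the consumed authcode. Both checks are cheap and both are required: without the jti check a captured assertion could be reused for its whole lifetime, and without single-use codes a leaked callback URL could be redeemed by an attacker who also holds the client's assertion.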