# 2. Handling the Redirect

Once the user has completed authentication on Singpass, we will redirect the user to the `redirect_uri` that you have specified in your authorization request.

Depending on whether the authentication was successful or not, the query parameters attached to the URL will be different.

## Failed Authentication

If the user failed to authenticate, or if an error occurred, we may return an Authentication Error Response, as specified in [section 3.1.2.6 of the OIDC specifications](https://openid.net/specs/openid-connect-core-1_0.html#AuthError). The URL will contain the following query parameters:

<table><thead><tr><th width="164.765625">Parameter</th><th width="458.14453125">Description</th><th>Data type</th></tr></thead><tbody><tr><td><code>error</code></td><td>An error code identifying the type of error that has occurred.</td><td>This will be an enum value. The possible values are detailed <a href="#possible-error-values">below</a>.</td></tr><tr><td><code>error_description</code></td><td>A human-readable text description of the error.</td><td>String. This is optional.</td></tr><tr><td><code>error_uri</code></td><td>URI of a web page that includes additional information about the error.</td><td>URL. This is optional.</td></tr><tr><td><code>state</code></td><td>This will be the same state parameter passed in the authorization request.</td><td>A string with a maximum length of 255 characters. It must match the regular expression pattern <code>[A-Za-z0-9/+_-=.]+</code></td></tr></tbody></table>

<details>

<summary>Sample URL for Authentication Error Response</summary>

{% code overflow="wrap" %}

```
https://partner.gov.sg/redirect?error=invalid_request_uri&error_description=The%20request_uri%20provided%20is%20invalid&state=e32b9f28-5d34-4c0f-8b0e-6b670566c97f
```

{% endcode %}

</details>

If you receive an Authentication Error Response, you should display an error page to your users. You may also display different content on your error pages depending on the `error` parameter. However, you should not display `error` or `error_description` verbatim on your web page in order to prevent [content spoofing](https://owasp.org/www-community/attacks/Content_Spoofing) attacks.

#### Possible error values

The table below lists the possible values of the `error` query parameter that we may return.

<table><thead><tr><th width="218.87109375">error</th><th>What this error indicates</th></tr></thead><tbody><tr><td><code>server_error</code></td><td>The server has encountered an unexpected error. You should guide the user to perform a retry.</td></tr><tr><td><code>temporarily_unavailable</code></td><td>The server is temporarily unavailable to handle the request. You should guide users to alternative authentication methods, or guide them to try again some time later.</td></tr></tbody></table>

## Successful Authentication

As per the OIDC specification, when the authentication is successful, the URL that the user is redirected to will contain two additional query parameters:

<table><thead><tr><th width="121.1015625">Parameter</th><th width="458.14453125">Description</th><th>Data type</th></tr></thead><tbody><tr><td><code>code</code></td><td>The authorization code. This will be used in a later step to obtain the user's ID token and access token.</td><td>A base64url-encoded string.</td></tr><tr><td><code>state</code></td><td>This will be the same state parameter passed in the authorization request.</td><td>A string with a maximum length of 255 characters. It must match the regular expression pattern <code>[A-Za-z0-9/+_-=.]+</code></td></tr></tbody></table>

<details>

<summary>Sample URL for successful authentication</summary>

{% code overflow="wrap" %}

```
https://partner.gov.sg/redirect?code=XcyzlSeX1hIyJFlstxsSF_UeXC5DtiYkFgJ8VVx52mg&state=e32b9f28-5d34-4c0f-8b0e-6b670566c97f
```

{% endcode %}

</details>

Upon redirect, your application's backend should check the `state` parameter provided and ensure that it is the same as the `state` which you have sent in the Pushed Authorization Request. This is an important measure to guard against CSRF attacks.

{% hint style="info" %}
If you are using a [certified OIDC Relying Party library](https://openid.net/developers/certified-openid-connect-implementations/), this check will be automatically performed by the library if you have configured it to do so.
{% endhint %}

Once you have completed this check, you may proceed to perform token exchange to obtain the ID token and access token.
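
One way to implement the redirect handling described on this page, covering both the error-page guidance under Failed Authentication and the `state` check above. This is an added example, not Singpass code. The names `handle_redirect`, `ERROR_PAGES` and `GENERIC_ERROR` and the message texts are hypothetical, and `expected_state` is assumed to be the value your backend stored in the user's session when it sent the Pushed Authorization Request.

```python
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Character set from the parameter tables above. Assumption: the hyphen is a
# literal character, so it is escaped here to keep the class valid in Python.
STATE_RE = re.compile(r"[A-Za-z0-9/+_\-=.]{1,255}")
CODE_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet, no padding

# Fixed, application-owned wording (hypothetical text) per documented error value.
ERROR_PAGES = {
    "server_error": "Something went wrong. Please try again.",
    "temporarily_unavailable": "Singpass login is unavailable right now. "
                               "Use another login method or try again later.",
}
GENERIC_ERROR = "We could not log you in. Please try again."


def handle_redirect(url, expected_state):
    """Return ("ok", code) or ("error", text that is safe to display)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name):
        # Reject repeated parameters instead of guessing which one is real.
        values = params.get(name, [])
        return values[0] if len(values) == 1 else None

    # 1. state must be well-formed and equal to the value stored server-side
    #    when the Pushed Authorization Request was sent (CSRF check).
    state = single("state")
    if (not expected_state or state is None
            or not STATE_RE.fullmatch(state)
            or not hmac.compare_digest(state.encode(), expected_state.encode())):
        return ("error", GENERIC_ERROR)

    # 2. Authentication Error Response: choose the page by `error`, but never
    #    echo `error` or `error_description` back to the user.
    if "error" in params:
        return ("error", ERROR_PAGES.get(single("error"), GENERIC_ERROR))

    # 3. Success: hand the code to the token exchange step.
    code = single("code")
    if code is None or not CODE_RE.fullmatch(code):
        return ("error", GENERIC_ERROR)
    return ("ok", code)
```

Error values that are not in `ERROR_PAGES`, such as the `invalid_request_uri` in the sample URL above, fall through to the generic page, so nothing from the query string reaches the rendered HTML.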

