# 2. Handling the Redirect

Once the user has completed authentication on Singpass, we will redirect the user to the `redirect_uri` that you have specified in your authorization request.

Depending on whether the authentication was successful or not, the query parameters attached to the URL will be different.

## Failed Authentication

If the user failed to authenticate, or if an error occurred, we may return an Authentication Error Response, as specified in [section 3.1.2.6 of the OIDC specifications](https://openid.net/specs/openid-connect-core-1_0.html#AuthError). The URL will contain the following query parameters:

<table><thead><tr><th width="164.765625">Parameter</th><th width="458.14453125">Description</th><th>Data type</th></tr></thead><tbody><tr><td><code>error</code></td><td>An error code identifying the type of error that has occurred.</td><td>This will be an enum value. The possible values are detailed <a href="#possible-error-values">below</a>.</td></tr><tr><td><code>error_description</code></td><td>A human-readable text description of the error.</td><td>String. This is optional.</td></tr><tr><td><code>error_uri</code></td><td>URI of a web page that includes additional information about the error.</td><td>URL. This is optional.</td></tr><tr><td><code>state</code></td><td>This will be the same state parameter passed in the authorization request.</td><td>A string with a maximum length of 255 characters. It must match the regular expression pattern <code>[A-Za-z0-9/+_-=.]+</code></td></tr></tbody></table>

<details>

<summary>Sample URL for Authentication Error Response</summary>

{% code overflow="wrap" %}

```
https://partner.gov.sg/redirect?error=invalid_request_uri&error_description=The%20request_uri%20provided%20is%20invalid&state=e32b9f28-5d34-4c0f-8b0e-6b670566c97f
```

{% endcode %}

</details>

If you receive an Authentication Error Response, you should display an error page to your users. You may also display different content on your error pages depending on the `error` parameter. However, you should not display `error` or `error_description` verbatim on your web page in order to prevent [content spoofing](https://owasp.org/www-community/attacks/Content_Spoofing) attacks.

#### Possible error values

The table below lists the possible values of the `error` query parameter that we may return.

<table><thead><tr><th width="218.87109375">error</th><th>What this error indicates</th></tr></thead><tbody><tr><td><code>server_error</code></td><td>The server has encountered an unexpected error. You should guide the user to perform a retry.</td></tr><tr><td><code>temporarily_unavailable</code></td><td>The server is temporarily unavailable to handle the request. You should guide users to alternative authentication methods, or guide them to try again later.</td></tr></tbody></table>

## Successful Authentication

As per the OIDC specification, when the authentication is successful, the URL that the user is redirected to will contain two additional query parameters:

<table><thead><tr><th width="121.1015625">Parameter</th><th width="458.14453125">Description</th><th>Data type</th></tr></thead><tbody><tr><td><code>code</code></td><td>The authorization code. This will be used in a later step to obtain the user's ID token and access token.</td><td>A base64url-encoded string.</td></tr><tr><td><code>state</code></td><td>This will be the same state parameter passed in the authorization request.</td><td>A string with a maximum length of 255 characters. It must match the regular expression pattern <code>[A-Za-z0-9/+_-=.]+</code></td></tr></tbody></table>

<details>

<summary>Sample URL for successful authentication</summary>

{% code overflow="wrap" %}

```
https://partner.gov.sg/redirect?code=XcyzlSeX1hIyJFlstxsSF_UeXC5DtiYkFgJ8VVx52mg&state=e32b9f28-5d34-4c0f-8b0e-6b670566c97f
```

{% endcode %}

</details>

Upon redirect, your application's backend should check the `state` parameter provided and ensure that it is the same as the `state` which you have sent in the Pushed Authorization Request. This is an important measure to guard against CSRF attacks.

{% hint style="info" %}
If you are using a [certified OIDC Relying Party library](https://openid.net/developers/certified-openid-connect-implementations/), this check will be automatically performed by the library if you have configured it to do so.
{% endhint %}

Once you have completed this check, you may proceed to perform token exchange to obtain the ID token and access token.
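The following is an added example of a backend redirect handler covering both the Authentication Error Response handling described above and the `state` check; it is not Singpass code and not taken from this page. It assumes the redirect URL and the `state` value stored in the user's session are passed in as plain strings, and it interprets the documented `state` character set as a literal set of characters (hyphen placed last in the character class). The user-facing messages are constructed here; the `error_description` from the URL is never echoed back to the browser. The sample URLs are the ones shown on this page.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Documented constraint on `state`: at most 255 characters from the documented set.
# Assumption: the hyphen in the documented pattern is a literal character, so it is
# written last here to avoid being read as a range.
STATE_RE = re.compile(r"^[A-Za-z0-9/+_=.-]{1,255}$")

# Our own wording per documented error code (constructed for this example).
# The `error` and `error_description` values from the URL are never shown verbatim.
USER_MESSAGES = {
    "server_error": "Something went wrong during Singpass login. Please try again.",
    "temporarily_unavailable": (
        "Singpass login is temporarily unavailable. "
        "Please use another login method or try again later."
    ),
}
GENERIC_MESSAGE = "Login with Singpass could not be completed. Please try again."

# Sample values taken from this page's example URLs.
SESSION_STATE = "e32b9f28-5d34-4c0f-8b0e-6b670566c97f"
SUCCESS_URL = (
    "https://partner.gov.sg/redirect?code=XcyzlSeX1hIyJFlstxsSF_UeXC5DtiYkFgJ8VVx52mg"
    "&state=" + SESSION_STATE
)
ERROR_URL = (
    "https://partner.gov.sg/redirect?error=invalid_request_uri"
    "&error_description=The%20request_uri%20provided%20is%20invalid"
    "&state=" + SESSION_STATE
)


@dataclass
class RedirectOutcome:
    ok: bool
    code: Optional[str] = None      # authorization code for the token exchange (success only)
    message: Optional[str] = None   # text safe to render on our error page (failure only)


def _single(params: Dict[str, List[str]], name: str) -> Optional[str]:
    """Return the parameter value only if it occurs exactly once; duplicates are rejected."""
    values = params.get(name)
    if not values or len(values) != 1:
        return None
    return values[0]


def handle_redirect(redirect_url: str, expected_state: str) -> RedirectOutcome:
    """Process the URL Singpass redirected the user to, bound to the session's stored state."""
    params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)

    # 1. Bind the response to the session before trusting anything else in it.
    #    This is the CSRF check; the comparison is constant-time.
    state = _single(params, "state")
    if (
        state is None
        or not STATE_RE.fullmatch(state)
        or not hmac.compare_digest(state, expected_state)
    ):
        return RedirectOutcome(ok=False, message=GENERIC_MESSAGE)

    # 2. Authentication Error Response: map the documented code to our own wording,
    #    falling back to a generic message for any code we do not recognise.
    error = _single(params, "error")
    if error is not None:
        return RedirectOutcome(ok=False, message=USER_MESSAGES.get(error, GENERIC_MESSAGE))

    # 3. Successful authentication: exactly one `code` must be present.
    code = _single(params, "code")
    if code is None:
        return RedirectOutcome(ok=False, message=GENERIC_MESSAGE)
    return RedirectOutcome(ok=True, code=code)


if __name__ == "__main__":
    print(handle_redirect(SUCCESS_URL, SESSION_STATE))
    print(handle_redirect(SUCCESS_URL, "some-other-session-state"))
    print(handle_redirect(ERROR_URL, SESSION_STATE))
```

The `state` check runs first for both the success and the error branch, so a redirect that does not belong to the current session is dropped before any `error` or `code` value is looked at. On success, `code` is handed to the token exchange step; nothing from the URL reaches the rendered page.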
