OpenID Discovery Endpoint

Responses from this endpoint can and should be cached for at least 1 hour, and NOT retrieved for each OIDC/Auth2 operation. Cache-Control headers on the response indicate a possible policy.

If you are using an off-the-shelf OIDC client to integrate with Singpass, you will probably only need to specify our Issuer URL.

OIDC Discovery URLs in general may be derived by concatenating the string /.well-known/openid-configuration to the Issuer URL.

Curl request

$ curl 'https://stg-id.singpass.gov.sg/.well-known/openid-configuration' -i -X GET \
    -H 'Accept: application/json'

HTTP request

GET /.well-known/openid-configuration HTTP/1.1
Accept: application/json
Host: stg-id.singpass.gov.sg

HTTP response

HTTP/1.1 200 OK
Cache-Control: max-age=21600, must-revalidate, no-transform, public
X-XSS-Protection: 0
X-Frame-Options: DENY
Date: Thu, 26 Sep 2024 03:38:09 GMT
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Content-Type: application/json
Content-Length: 1125

{
  "issuer" : "https://stg-id.singpass.gov.sg",
  "authorization_endpoint" : "https://stg-id.singpass.gov.sg/auth",
  "jwks_uri" : "https://stg-id.singpass.gov.sg/.well-known/keys",
  "response_types_supported" : [ "code" ],
  "scopes_supported" : [ "openid" ],
  "subject_types_supported" : [ "public" ],
  "claims_supported" : [ "nonce", "aud", "iss", "sub", "exp", "iat" ],
  "grant_types_supported" : [ "authorization_code", "urn:openid:params:grant-type:ciba" ],
  "token_endpoint" : "https://stg-id.singpass.gov.sg/token",
  "token_endpoint_auth_methods_supported" : [ "private_key_jwt" ],
  "token_endpoint_auth_signing_alg_values_supported" : [ "ES256", "ES384", "ES512" ],
  "id_token_signing_alg_values_supported" : [ "ES256" ],
  "id_token_encryption_alg_values_supported" : [ "ECDH-ES+A256KW", "ECDH-ES+A192KW", "ECDH-ES+A128KW" ],
  "id_token_encryption_enc_values_supported" : [ "A256CBC-HS512" ],
  "backchannel_authentication_endpoint" : "https://stg-id.singpass.gov.sg/bc-auth",
  "backchannel_token_delivery_modes_supported" : [ "poll" ],
  "userinfo_endpoint" : "https://stg-id.singpass.gov.sg/userinfo"
}

HTTPie request

$ http GET 'https://stg-id.singpass.gov.sg/.well-known/openid-configuration' \
    'Accept:application/json'

Request body

Response body

{
  "issuer" : "https://stg-id.singpass.gov.sg",
  "authorization_endpoint" : "https://stg-id.singpass.gov.sg/auth",
  "jwks_uri" : "https://stg-id.singpass.gov.sg/.well-known/keys",
  "response_types_supported" : [ "code" ],
  "scopes_supported" : [ "openid" ],
  "subject_types_supported" : [ "public" ],
  "claims_supported" : [ "nonce", "aud", "iss", "sub", "exp", "iat" ],
  "grant_types_supported" : [ "authorization_code", "urn:openid:params:grant-type:ciba" ],
  "token_endpoint" : "https://stg-id.singpass.gov.sg/token",
  "token_endpoint_auth_methods_supported" : [ "private_key_jwt" ],
  "token_endpoint_auth_signing_alg_values_supported" : [ "ES256", "ES384", "ES512" ],
  "id_token_signing_alg_values_supported" : [ "ES256" ],
  "id_token_encryption_alg_values_supported" : [ "ECDH-ES+A256KW", "ECDH-ES+A192KW", "ECDH-ES+A128KW" ],
  "id_token_encryption_enc_values_supported" : [ "A256CBC-HS512" ],
  "backchannel_authentication_endpoint" : "https://stg-id.singpass.gov.sg/bc-auth",
  "backchannel_token_delivery_modes_supported" : [ "poll" ],
  "userinfo_endpoint" : "https://stg-id.singpass.gov.sg/userinfo"
}

Response fields

Path Type Description

Path	Type	Description
`issuer`	`String`	URL (identity) of the issuer
`authorization_endpoint`	`String`	URL of the OP’s OAuth 2.0 Authorization Endpoint
`jwks_uri`	`String`	URL of the OP’s JSON Web Key Set
`response_types_supported`	`Array`	JSON array containing a list of the OAuth 2.0 response_type values that OP supports
`scopes_supported`	`Array`	JSON array containing a list of the OAuth 2.0 scope values that OP supports
`subject_types_supported`	`Array`	JSON array containing a list of the Subject Identifier types that this OP supports
`claims_supported`	`Array`	JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for
`grant_types_supported`	`Array`	JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
`token_endpoint`	`String`	URL of the OP’s OAuth 2.0 Token Endpoint. This contains the signing key(s) the RP uses to validate signatures from the OP.
`token_endpoint_auth_methods_supported`	`Array`	JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
`token_endpoint_auth_signing_alg_values_supported`	`Array`	JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt authentication methods
`id_token_signing_alg_values_supported`	`Array`	JSON array containing a list of the JWS signing algorithms (alg values) supported bythe OP for the ID Token to encode the Claims in a JWT.
`id_token_encryption_alg_values_supported`	`Array`	JSON array containing a list of the JWE encryption algorithms (alg values) supportedby the OP for the ID Token to encode the Claims in a JWT.
`id_token_encryption_enc_values_supported`	`Array`	JSON array containing a list of the JWE encryption algorithms (enc values) supportedby the OP for the ID Token to encode the Claims in a JWT.
`backchannel_token_delivery_modes_supported`	`Array`	JSON array containing supported backchannel delivery modes
`backchannel_authentication_endpoint`	`String`	URL of the OP’s Backchannel Authentication Endpoint
`userinfo_endpoint`	`String`	URL of the OP’s UserInfo Endpoint

issuer

String

URL (identity) of the issuer

authorization_endpoint

String

URL of the OP’s OAuth 2.0 Authorization Endpoint

jwks_uri

String

URL of the OP’s JSON Web Key Set

response_types_supported

Array

JSON array containing a list of the OAuth 2.0 response_type values that OP supports

scopes_supported

Array

JSON array containing a list of the OAuth 2.0 scope values that OP supports

subject_types_supported

Array

JSON array containing a list of the Subject Identifier types that this OP supports

claims_supported

Array

JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for

grant_types_supported

Array

JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.

token_endpoint

String

URL of the OP’s OAuth 2.0 Token Endpoint. This contains the signing key(s) the RP uses to validate signatures from the OP.

token_endpoint_auth_methods_supported

Array

JSON array containing a list of Client Authentication methods supported by this Token Endpoint.

token_endpoint_auth_signing_alg_values_supported

Array

JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt authentication methods

id_token_signing_alg_values_supported

Array

JSON array containing a list of the JWS signing algorithms (alg values) supported bythe OP for the ID Token to encode the Claims in a JWT.

id_token_encryption_alg_values_supported

Array

JSON array containing a list of the JWE encryption algorithms (alg values) supportedby the OP for the ID Token to encode the Claims in a JWT.

id_token_encryption_enc_values_supported

Array

JSON array containing a list of the JWE encryption algorithms (enc values) supportedby the OP for the ID Token to encode the Claims in a JWT.

backchannel_token_delivery_modes_supported

Array

JSON array containing supported backchannel delivery modes

backchannel_authentication_endpoint

String

URL of the OP’s Backchannel Authentication Endpoint

userinfo_endpoint

String

URL of the OP’s UserInfo Endpoint

Previous.well-known Endpoints NextJWKS Endpoint

Last updated 1 month ago