1. Authorization Endpoint
NOTE: This section is only applicable for the Redirect Authentication Flow.
Upon user action (e.g. user clicks on a login button on the RP’s website), the RP should redirect the User Agent (browser) to Singpass's authorization endpoint with the request parameters documented below. See the OpenID Connect specs for more details.
Sample Request
NOTE: The actual GET request is made by the browser - RPs only need to construct the URL and redirect the browser to it.
Sample Response
This will be a 302 response that redirects the browser to the Singpass login page.
Request Parameters
scope
response_type
The authorization processing flow to be used. Supported value is code for the Authorization Code Flow.
client_id
The clientId provided by Singpass during onboarding.
redirect_uri
The URL that Singpass will eventually redirect the user to after the user completes the login process using the Singpass App. The value will be validated against the list of redirect URIs that were pre-registered with Singpass during onboarding.
nonce
Maximum of 255 characters. We recommend that you use a hex-encoded random number such as java.security.SecureRandom or UUIDv4.
state
Maximum of 255 characters. Must match regexp pattern of [A-Za-z0-9/+_\-=.]+
code_challenge
Must match regexp pattern of [a-zA-Z0-9_\-]{43} (Mandatory)
code_challenge_method
The method used to generate the code_challenge from the code verifier. Only S256 is supported. (Mandatory)
redirect_uri_https_type
app_launch_url
(Optional) Intended for iOS mobile apps or Android mobile apps which use QR authentication via redirect auth. This adds the possibility for the user to be redirected back to the provided App Link after they successfully authorize themselves on the Singpass App. The value passed here should be the App Link registered with Apple’s App Store and/or Google’s Play Store. The provided value will be validated according to the list of app launch URLs which the RP has pre-registered with NDI.
esrvc
(Special case internal use only.) eService ID value for multi-tenant RPs / Singpass OIDC bridge. The value will be validated against registered eServices or registered RP’s client_external_id.
acr_values
(Special case internal use only.) Authentication Context Class Reference passed by the Singpass Portal kickoff endpoint. Will be forwarded to Singpass OIDC authorize endpoint if provided.
Refer to this table to determine whether to include the app_launch_url param:
Relying Party website: Do not include
Relying Party website on a mobile browser: Do not include
Relying Party mobile app: Can include
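The following is an added example, not code from Singpass, showing how an RP backend could generate state, nonce and the S256 code_challenge, check them against the patterns and length limits listed above, and build the redirect URL. The endpoint URL, client_id and redirect_uri are placeholders, the scope value openid is an assumption taken from the OpenID Connect specification (this page does not list scope values), and keeping the three secrets in the user's server-side session is likewise an assumption about the RP's design.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Patterns and limits as stated in the request parameter list above.
STATE_RE = re.compile(r"[A-Za-z0-9/+_\-=.]+")
CHALLENGE_RE = re.compile(r"[a-zA-Z0-9_\-]{43}")
MAX_LEN = 255


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 (RFC 7636): base64url(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(endpoint, client_id, redirect_uri, scope="openid"):
    """Return (url, session). `session` must stay server-side, bound to this browser."""
    code_verifier = secrets.token_urlsafe(32)  # 32 CSPRNG bytes -> 43 URL-safe chars
    state = secrets.token_urlsafe(32)          # alphabet is a subset of STATE_RE
    nonce = secrets.token_hex(32)              # hex-encoded random number, 64 chars
    challenge = s256_challenge(code_verifier)

    # Fail closed: never redirect with values the endpoint would reject.
    if not STATE_RE.fullmatch(state) or len(state) > MAX_LEN:
        raise ValueError("state violates the documented pattern or length")
    if len(nonce) > MAX_LEN:
        raise ValueError("nonce exceeds 255 characters")
    if not CHALLENGE_RE.fullmatch(challenge):
        raise ValueError("code_challenge is not 43 base64url characters")

    params = {
        "scope": scope,                  # assumption: "openid" per OIDC, not from this page
        "response_type": "code",
        "client_id": client_id,          # placeholder supplied by the caller
        "redirect_uri": redirect_uri,    # must be one of the pre-registered URIs
        "nonce": nonce,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return endpoint + "?" + urlencode(params), session
```

On the callback, compare the returned state with the stored one before doing anything else, and check the nonce claim of the ID token against the stored nonce.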
Error Response
Singpass generally follows OIDC error response specifications. For more information, please refer to Authorization Error Response specifications.