--- config: theme: base sequence: noteMargin: 20 --- sequenceDiagram actor User participant yaFE as Your App's
Frontend participant yaBE as Your App's
Backend participant Sing as Singpass note right of User: The Authentication Request User->>yaFE: The user clicks "login with
Singpass" on your app's FE. yaFE->>yaBE: This calls your app's BE. activate yaBE yaBE->>yaBE: Your app's BE generates a code_verifier, code_challenge, nonce,
& state, then associates it with a session (to be sent to the FE). yaBE->>yaBE: Your app's BE constructs an authorization URL with specific
query parameters: scope, response_type, client_id, redirect_uri,
code_challenge_method, code_challenge, nonce, & state. yaBE->>User: Your app's BE sets a session cookie on the user's browser,
and redirects the user to the authorization URL. deactivate yaBE activate yaFE User->>Sing: The user is redirected to the authorization URL.
On this page, they authenticate with Singpass and give consent
to release Myinfo data to your app (if applicable). activate Sing Sing->>Sing: Singpass does some checks (this is a simplification),
then generates an authorization code. Sing->>Sing: Singpass constructs a redirect URL (based on
the redirect_uri received) with specific
query parameters: code (the authorization
code) & state (exactly as received). Sing->>User: Singpass redirects the user
to the redirect URL. note right of User: The Token Request User->>yaBE: The user is redirected to the redirect URL,
with the authorization code, state, and session cookie. deactivate yaFE activate yaBE yaBE->>yaBE: Using the session cookie, your app's BE retrieves the
code_verifier, state, & nonce for this session. yaBE->>yaBE: Your app's BE verifies that the received state matches
the one generated earlier. yaBE->>yaBE: Your app's BE generates a client assertion. yaBE->>Sing: Your app's BE sends a POST request to Singpass' token endpoint
with: scope, grant_type, client_id, redirect_uri,
client_assertion_type, client_assertion,
code_verifier, & code (the authorization code). Sing->>Sing: Singpass does some checks (again, this is a
simplification), then generates an Access Token and
an ID Token. The ID Token contains the nonce sent in
the initial authentication request. If applicable,
the ID Token will also be encrypted using your
public encryption key. Sing->>yaBE: Singpass returns the Access Token and ID Token. yaBE->>yaBE: If applicable, your app's BE decrypts the ID Token
using your private encryption key. yaBE->>yaBE: Your app's BE validates the ID Token:
it must be signed with one of Singpass' signing keys,
its iss value must match Singpass' Issuer URL,
its aud value must match or contain your app's client_id, and
its nonce value must match the one generated earlier. Note right of yaBE: At this point, your app is able to use the user's ID Token
(i.e. the Singpass Login flow ends here). note right of User: The UserInfo Request (If Applicable) yaBE->>Sing: Your app's BE sends a GET request to Singpass' userinfo endpoint,
including the Access Token as a Bearer Token (via the
Authorization request header field. Sing->>Sing: Singpass does some checks (yet another
simplification), then prepares the userinfo response.
This comes in the form of a signed and encrypted
JWT (i.e. a nested JWT). Note that this JWT is
encrypted using your public encryption key. Sing->>yaBE: Singpass returns the userinfo response. yaBE->>yaBE: Your app's BE decrypts the userinfo response
using your private encryption key. yaBE->>yaBE: Your app's BE validates the userinfo response:
it must be signed with one of Singpass' signing keys,
its iss value must match Singpass' Issuer URL,
its aud value must match or contain your app's client_id, and
its sub value must match the sub claim in the ID token. Note right of yaBE: At this point, your app is able to use the user's info
(i.e. the Myinfo integration flow ends here). deactivate Sing deactivate yaBE