2. Handling the Redirect

Once the user has completed authentication on Singpass, we will redirect the user to the redirect_uri that you have specified in your authorization request.

As per the OIDC specification, the URL that the user is redirected to will contain two additional query parameters:

| Parameter | Description | Data type |
| --- | --- | --- |
| code | The authorization code. This will be used in a later step to obtain the user's ID token and access token. | A base64url-encoded string. |
| state | This will be the same state parameter passed in the authorization request. | A string with a maximum length of 255 characters. It must match the regular expression pattern [A-Za-z0-9/+_-=.]+ |

Sample redirect URL
https://partner.gov.sg/redirect?code=XcyzlSeX1hIyJFlstxsSF_UeXC5DtiYkFgJ8VVx52mg&state=e32b9f28-5d34-4c0f-8b0e-6b670566c97f 

Upon redirect, your application's backend should check the state parameter provided and ensure that it is the same as the state which you have sent in the Pushed Authorization Request. This is an important measure to guard against CSRF attacks.

If you are using a certified OIDC Relying Party library, this check will be automatically performed by the library if you have configured it to do so.

Once you have completed this check, you may proceed to perform token exchange to obtain the ID token and access token.
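
One way to implement the state check described above on the backend, as an added example rather than Singpass or library code. The `session` dict, the `oidc_state` key and the function names are assumptions; the state pattern is the documented one with its hyphen escaped so that it compiles as a literal character, which is an assumption about the intended meaning.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Documented state pattern, hyphen escaped (assumed to be a literal '-'), max 255 chars.
STATE_RE = re.compile(r"[A-Za-z0-9/+_\-=.]{1,255}")
# base64url alphabet with optional padding, per the "Data type" column for code.
CODE_RE = re.compile(r"[A-Za-z0-9_-]+={0,2}")


class RedirectError(Exception):
    """The redirect must be rejected; do not proceed to token exchange."""


def new_state(session: dict) -> str:
    """Generate the state for the authorization request and bind it to the session."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state  # hypothetical server-side session store
    return state


def handle_redirect(url: str, session: dict) -> str:
    """Return the authorization code only if state matches the one we sent."""
    # Pop first: a state value is single-use whether or not the check passes.
    expected = session.pop("oidc_state", None)
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    states, codes = params.get("state", []), params.get("code", [])
    # Duplicated parameters are ambiguous, so require exactly one of each.
    if len(states) != 1 or len(codes) != 1:
        raise RedirectError("missing or duplicated code/state")
    state, code = states[0], codes[0]
    if not STATE_RE.fullmatch(state) or not CODE_RE.fullmatch(code):
        raise RedirectError("malformed code or state")
    if expected is None:
        raise RedirectError("no pending login for this session")
    # Constant-time comparison against the value stored for this session.
    if not hmac.compare_digest(state.encode(), expected.encode()):
        raise RedirectError("state mismatch")
    return code
```

A `RedirectError` should end the login attempt and be logged; the authorization code from a rejected redirect is never sent to the token endpoint.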
