
Overview of Singpass

Last updated 9 months ago

Singpass is Singapore's national digital identity authentication provider using the OpenID Connect 1.0 protocol. It stores users' identity information and authenticates them for transactions with government agencies and private organizations online.

How Singpass OIDC Works?

OpenID Provider (OP) is the party that issues the ID token. In this case, Singpass serves as the OpenID provider.

Relying Party (RP) is the party that requests the ID token from Singpass, which in this context refers to your mobile or web application.

OpenID Connect 1.0 offers various authentication flows for integration between an OpenID Provider (OP) and a Relying Party (RP). Singpass as the OpenID Provider supports only the authorization code flow. This flow is the most widely used OpenID Connect authentication method, ideal for web applications and native applications that employ a client/server architecture. In this more secure and confidential flow, instead of returning the ID and access tokens directly to the Relying Party, an authorization code is provided. The Relying Party can then exchange the code for the necessary tokens. This flow requires the Relying Party to manage the parsing of JWT used in JWT assertion, as detailed in our integration guide.

Singpass Authorization Code Flow

At a high level, this flow has the following steps:

Client ID is a unique identifier assigned to each application. In this case, it represents your application identity, which will be issued to you once your application is registered with Singpass.

Redirect URI is a specific endpoint or URL to which Singpass will send the authorization or token request response.

Steps

1. The user attempts to access a protected resource on your mobile/web application that requires authentication.

2. Since the user is not authenticated, your application sends an authorization code request to Singpass. The request must include parameters like the relying party's client ID and redirect URI.

3. Singpass prompts the user to log in if they are not already authenticated.

4. The user provides their credentials to Singpass to authenticate the request.

5. After successful authentication, an authorization code will be provided. In addition, an authenticated session of the user is maintained on Singpass.

6. Upon receiving the authorization code, your application makes a token request to Singpass's token endpoint to exchange it for access and/or refresh tokens. The request must include parameters like authorization code, client ID, and redirect URI.

7. Singpass will retrieve the encryption and signing keys of your application to validate the authenticity of the request.

8. Once the request has been validated, Singpass will return the ID Token and Access Token/Refresh Token to your application.

9. Optionally, your application can fetch Singpass' signing public key via the JWKS URL to validate the Singpass token's signature.

10. With the access token, users can now access protected resources on your mobile/web application.
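The relying-party side of steps 2, 5 and 6, as an added example that is not part of the Singpass documentation or code. The endpoint URL, client ID, redirect URI and function names are placeholders, and `state` and `nonce` are standard OpenID Connect request parameters that this page does not name.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions): the real endpoint comes from the discovery
# document and the client ID from registering your application.
AUTHORIZATION_ENDPOINT = "https://op.example/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://rp.example/callback"


def build_authorization_request(session: dict) -> str:
    """Step 2: build the authorization code request and bind it to the user's session."""
    session["state"] = secrets.token_urlsafe(32)  # ties the response to this session
    session["nonce"] = secrets.token_urlsafe(32)  # checked later against the ID token
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Steps 5-6: validate the redirect, then return the token request form fields."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive on the registered redirect URI")
    query = parse_qs(parts.query)
    expected = session.pop("state", None)  # single use: a replayed callback fails
    returned = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: response is not tied to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    # Client authentication (the client assertion from the integration guide)
    # is added to these fields before posting to the token endpoint.
    return {
        "grant_type": "authorization_code",
        "code": codes[0],
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
    }
```
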

Next steps

If you're integrating with an OIDC provider for the first time, begin by understanding the basics of OIDC before proceeding with the integration.

If you're ready to try out Singpass, start integration.
