Developer Docs for Singpass

Understanding the Basics

Last updated 10 months ago

This guide demonstrates how to integrate with Singpass and display user profile information after the authentication and authorization process.

Check out our demo app to experience the login flow for yourself or refer to the interactive demo below for the outcome of this integration guide.

Singpass Endpoints

Singpass uses two endpoints for the authentication and authorization process.

Discovery Endpoint

This endpoint provides information about Singpass's endpoints and other configuration details.

Authorization Endpoint

This is the only endpoint where Singpass will interact with the users and get their authorization. Singpass will then return the authorization code in response via this endpoint.

Token Endpoint

This is the endpoint where Singpass will exchange the code received from the authorization endpoint for an ID Token and access token. Singpass only supports confidential clients, hence every application is required to authenticate at the token endpoint using a client ID and JWT Assertion.

Information Exchanged during Federated Authentication Flow

This section gives a high-level overview of the key attributes exchanged during the Singpass federated authentication flow. Each request parameter is explained in detail in the corresponding integration step.

Authorization Endpoint

Request parameters:

  • client_id
  • redirect_uri
  • response_type
  • state
  • nonce
  • scope

Response parameters:

  • code: A 60-digit random string known as the authorization code, which is to be exchanged when calling the token endpoint
  • state: The same state parameter sent in the request is returned

Token Endpoint

Request parameters:

  • authorization code
  • redirect_uri
  • response_type
  • client_id
  • JWT Assertion

Response parameters:

  • access_token: A non-usable random string known as access token
  • id_token: A signed and encrypted JWT containing the user's identity and other standard claims explained in the next section

Singpass ID Token Claims

Claims are name/value pairs that contain information about a user, as well as meta-information about the OIDC service. The following are the details of the set of Claims (the JWT Claims Set) returned in the ID Token sent by Singpass.

The format and structure of the ID Token issued by the Token Endpoint vary depending on whether the client's profile requires UUID only or both NRIC and UUID.

Client Profile Types

In OpenID Connect (OIDC), a client profile refers to the configuration and settings associated with a particular client application that interacts with an OIDC provider. Depending on the client profile, the details of the claim content returned by the token endpoint will differ.

| Client Profile | Sub Claim Content |
| --- | --- |
| direct | UUID only. Example: u=32af8b7d-ad1d-4c25-8dc7-0a981b533000 |
| direct_pii_allowed | NRIC and UUID. Example: s=S1234567A,u=32af8b7d-ad1d-4c25-8dc7-0a981b533000 |

Details of ID token claims are shown below:

| Claim | Description |
| --- | --- |
| sub | The principal that is the subject of the JWT. Contains a key-value mapping that identifies the user of the token. For clients with profile direct, the expected format is u=userId. For other clients, the expected format is s=NRIC,u=userId. |
| aud | The client_id of the relying party. |
| iss | The principal that issued the JWT. |
| iat | The time at which the JWT was issued. |
| exp | The expiration time on or after which the JWT MUST NOT be accepted for processing. Defaults to 10 minutes since "iat". |
| nonce | A string that uniquely identifies the authentication. |
| amr | Authentication Methods References (RFC 8176). JSON array of strings that are identifiers for the authentication methods used in the authentication. This allows the agencies to know whether the user authenticated with 1 factor or 2 factors. |

The amr values returned for each authentication method are:

| Authentication Methods | Value |
| --- | --- |
| 1FA | ["pwd"] |
| 2FA SMS OTP | ["pwd","sms"] |
| 2FA HW Token | ["pwd","hwk"] |
| 2FA Soft Token (Push) | ["pwd","swk"] |
| QR Code | ["pwd","swk"] |

Authentication Types

Singpass provides three authentication types; however, each authentication type is granted according to your company profile.

| Authentication Type | Description |
| --- | --- |
| QR Authentication | This method allows users to scan a QR code displayed on the Singpass login page using the Singpass Mobile App for authentication. It provides a convenient and secure way to log in without needing to enter a username or password directly on the device. |
| 1FA Authentication | This method requires users to provide their Singpass ID and password when requested on the Singpass login page for authentication. |
| 2FA Authentication | 2FA adds an additional layer of security beyond just a Singpass ID and password. It typically involves combining two different types of authentication factors. After providing Singpass ID and password, users can select Face Verification or enter a One-Time Password sent via SMS to complete the 2FA authentication. |

Next steps

Understand the prerequisite for integrating with Singpass.

If you already have it, proceed to set up your application with Singpass.
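The ID token claims and amr values described on this page can be checked by the relying party as follows. This is an added example, not Singpass's own code: it assumes the ID token's signature has already been verified and the token decrypted by a JOSE library, and the function names, the issuer and client_id placeholders and the 30-second clock leeway are all assumptions.

```python
import hmac
import time

# Placeholders (assumptions): take the issuer from the discovery document and
# the client_id from your own application registration.
EXPECTED_ISSUER = "https://issuer.example"
CLIENT_ID = "example-client-id"
SECOND_FACTORS = {"sms", "hwk", "swk"}  # amr values listed on this page

# Constructed sample claim set, shaped like the claims described on this page.
SAMPLE_CLAIMS = {
    "sub": "s=S1234567A,u=32af8b7d-ad1d-4c25-8dc7-0a981b533000",
    "aud": CLIENT_ID, "iss": EXPECTED_ISSUER,
    "iat": 1700000000, "exp": 1700000600,  # exp defaults to iat + 10 minutes
    "nonce": "constructed-nonce", "amr": ["pwd", "sms"],
}


def parse_sub(sub, profile):
    """Parse 'u=<uuid>' (direct) or 's=<NRIC>,u=<uuid>' (direct_pii_allowed)."""
    items = [item.split("=", 1) for item in sub.split(",")]
    if any(len(item) != 2 or not item[1] for item in items):
        raise ValueError("malformed sub claim")
    parts = dict(items)
    expected = {"u"} if profile == "direct" else {"s", "u"}
    # Reject duplicated keys and any key set the profile does not allow.
    if len(parts) != len(items) or set(parts) != expected:
        raise ValueError("sub claim does not match client profile")
    return parts


def validate_claims(claims, expected_nonce, profile, now=None, leeway=30):
    """Check an already verified and decrypted claim set; return identity info."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected iss")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued to this client")
    if now >= claims["exp"] + leeway or claims["iat"] > now + leeway:
        raise ValueError("token expired or issued in the future")
    nonce = str(claims.get("nonce", "")).encode()
    if not hmac.compare_digest(nonce, expected_nonce.encode()):
        raise ValueError("nonce does not match the authorization request")
    amr = set(claims.get("amr", []))
    if "pwd" not in amr or amr - {"pwd"} - SECOND_FACTORS:
        raise ValueError("unrecognised amr value")
    parts = parse_sub(claims["sub"], profile)
    return {"uuid": parts["u"], "nric": parts.get("s"),
            "factors": 2 if amr & SECOND_FACTORS else 1}
```

Because QR Code and 2FA Soft Token (Push) share the same amr value in the table above, the result reports only the number of factors, not which login method was used.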