Developer Docs for Singpass
  • INTRODUCTION
    • Overview of Singpass
    • Understanding the basics of OIDC
  • GETTING STARTED
    • Onboarding Checklist
    • Understanding the Basics
      • Discovery Endpoint
      • Scopes
      • Setup JSON Web Key Store (JWKS)
      • Configure Singpass Application on SDP (In-Progress)
      • Configure Singpass Application
      • Request for Staging Account and Staging Mobile App
    • Start Integration
    • Custom Integration
      • Demo Application Setup
      • Invoke Authorization Endpoint
      • Setup Client Assertion
      • Invoke Token Endpoint
  • MORE INFOMATION
    • Contact
    • FAQ
Powered by GitBook
On this page
  1. INTRODUCTION

Understanding the basics of OIDC

PreviousOverview of SingpassNextOnboarding Checklist

Last updated 8 months ago

(OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It

  • Allows clients to verify the identity of the end user based on the authentication performed by an Authorization Server

  • Allows clients to obtain basic profile information about the end user in an interoperable and REST-like manner

  • Allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users

OIDC Actors

There are several actors involved in the Open ID Connect protocol. The following sections will detail each actor involved in the communication.

OIDC Provider (OP)

Singpass is an OpenID provider and it is the “vouch for” party in an identity federation. That is, it gives assurances of the identity of the user to the other party. The OpenID provider is responsible for:

  • Managing users and their identities

  • Issuing tokens

  • Handling user administration

  • Authenticating the user

  • Vouching for the user's identity with the relying party

  • Revoking user’s authenticated sessions and tokens

Client or Relying Party (RP)

The business entity will implement the relying party (also client or consumer) which will be the “validating party” in a transaction. The relying party or client is responsible for:

  • Controlling access to services

  • Validating the various tokens issued by OpenID Provider

  • Validating the asserted identity information from the OpenID provider (typically by way of verifying a digital signature)

  • Providing access based on asserted identity

  • Managing only locally relevant user attributes, not an entire user profile

  • Each client must be registered with an OpenID provider.

The clients registered with Singpass OP must be confidential clients, which means every client must be registered with Singpass OP with their Client ID and JWT Assertion.

User Agent

The user agent is a web browser or mobile browser or mobile application via which the user (resource owner) will initiate the communication with the OpenID Provider and Relying Party:

  • Serves static or dynamic pages

  • Handles redirections

  • May store cookies, user, and session information

  • Should not be used to store confidential data like user identity or tokens

Resource Owner

The resource owner could be an end-user or an entity capable of granting access to protected resources. In most cases, it would be the user accessing agency applications.

Resource Server

The resource server will be hosted on the agencies' perimeter. It is the server that is hosting the applications protected by the relying party. Agencies' relying party will communicate with Singpass OP before granting access to protected resources hosted on the resource server.

Here are some additional resources for learning more about OAuth 2.0 and OIDC:

OpenID Connect 1.0
OIDC Actors Flowchart