Custom Integration
If your app is written in a language other than JavaScript, you'll need to write your own OAuth integration code to integrate with sgID.
Creating an authorization URL
To allow your users to log in to your app with sgID, you need to build an sgID authorization URL and redirect the user to it so that they can authenticate with Singpass. You will need to supply the following query string parameters:
Key | Value |
---|---|
response_type | Must be set to |
client_id | |
redirect_uri | |
scope | A URL-encoded string of the scopes your client will request |
nonce | |
state | A unique and non-guessable value associated with each authentication request about to be initiated. Used to prevent CSRF attacks and to maintain state. (RECOMMENDED) |
Example URL:
Exchange auth code for access token
After the user authenticates with Singpass, sgID will redirect the user back to the callback URL you provided, together with the authorization code and a state value. Reusing the callback URL defined in the example above:
http://localhost:3000/other_callback?code=someauthcode&state=somestate
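Building the authorization URL and handling the callback, as an added Go example (it is not code from sgID or its SDK). It assumes the standard OAuth 2.0 values the tables leave implicit: `response_type=code`, scopes joined with spaces before URL-encoding, and `openid` as one scope; the authorization endpoint, client id and the second scope name are placeholders to be replaced with the values from sgID's documentation and your client registration. The state check on the callback is the CSRF protection the `state` parameter exists for; the nonce is kept so it can be compared against the ID token after the code is exchanged.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AuthRequest is what the client must keep (server-side, tied to the user's
// session) between sending the user to sgID and handling the callback.
type AuthRequest struct {
	State, Nonce, URL string
}

// randomToken draws 32 bytes from the OS CSPRNG and encodes them URL-safely,
// which makes state and nonce both unique per request and unguessable.
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildAuthorizationURL assembles the authorization URL from the parameters in
// the table above. authorizeEndpoint is a placeholder for sgID's authorization
// endpoint (assumption); "code" is the standard OAuth 2.0 response_type for this
// flow, and scopes are space-separated as OAuth 2.0 specifies (url.Values encodes them).
func BuildAuthorizationURL(authorizeEndpoint, clientID, redirectURI string, scopes []string) (AuthRequest, error) {
	state, err := randomToken()
	if err != nil {
		return AuthRequest{}, err
	}
	nonce, err := randomToken()
	if err != nil {
		return AuthRequest{}, err
	}
	u, err := url.Parse(authorizeEndpoint)
	if err != nil {
		return AuthRequest{}, err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("nonce", nonce)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return AuthRequest{State: state, Nonce: nonce, URL: u.String()}, nil
}

// ParseCallback extracts the authorization code from the callback URL after
// checking that the returned state matches the one stored for this session.
// A callback with a missing or unknown state is discarded and its code is
// never exchanged: that is the CSRF check the state parameter exists for.
func ParseCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	got := q.Get("state")
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: callback does not belong to a login this client started")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	// Placeholder endpoint, client id and scope: substitute the values from sgID's documentation and your registration.
	req, err := BuildAuthorizationURL("https://AUTHORIZE-ENDPOINT-PLACEHOLDER/oauth/authorize", "my-client-id", "http://localhost:3000/other_callback", []string{"openid", "SCOPE_PLACEHOLDER"})
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", req.URL)
	// Constructed callback reusing the page's example redirect URI; the state echoes what we issued.
	code, err := ParseCallback("http://localhost:3000/other_callback?code=someauthcode&state="+req.State, req.State)
	fmt.Println("code:", code, "err:", err)
	_, err = ParseCallback("http://localhost:3000/other_callback?code=someauthcode&state=somestate", req.State)
	fmt.Println("forged state rejected:", err != nil)
}
```

Store `State` and `Nonce` against the user's session before redirecting; a callback whose `state` you cannot match to a pending login is not yours to complete.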
Using this authorization code, you can exchange it for an access token, which will then be used to retrieve user information. To do so, make a POST request to the token endpoint with the following request body parameters:
Key | Value |
---|---|
client_id | |
client_secret | |
code | The value returned to you as part of the callback URL |
grant_type | Must be set to |
redirect_uri | |
You should receive a response with the following attributes:
Key | Value |
---|---|
access_token | Access Token to be used with retrieving the encrypted payload from user info endpoint |
id_token | JWT token with the associated user claims. Encodes the following: |
Example JSON response body:
The ID token is signed with sgID's private key. It is highly recommended that you verify the ID token with our public keys, which are available at https://api.id.gov.sg/.well-known/jwks.json.
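One way to do the recommended verification, as an added Go example (not sgID's code). It assumes the ID token is an RS256-signed compact JWS carrying the standard OIDC `aud`, `exp` and `nonce` claims, and that the JWKS document at the URL above uses the RFC 7517 `kid`, `n` and `e` fields; the page does not spell out the algorithm or the full claim set, so treat both as assumptions to confirm against sgID's documentation. `NewTestIssuer` and `SignTestToken` stand in for sgID so the program runs offline; in production the JWKS is fetched from the URL above and the token comes from the token response.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK carries the RFC 7517 fields needed to check an RS256 signature and JWKS
// is the document shape at a .well-known/jwks.json URL (encoding/json matches
// the lowercase JSON names to these fields case-insensitively).
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

// Claims are the standard OIDC claims validated below (assumed claim set).
type Claims struct {
	Sub, Aud, Nonce string
	Exp             int64
}

func (k JWK) publicKey() (*rsa.PublicKey, error) {
	n, errN := base64.RawURLEncoding.DecodeString(k.N)
	e, errE := base64.RawURLEncoding.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil || len(e) == 0 || len(e) > 4 {
		return nil, errors.New("malformed RSA JWK")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// VerifyIDToken checks the signature of a compact JWS against the JWKS, then
// validates audience, expiry and nonce. Only RS256 is accepted: the alg header
// never selects the algorithm, which rules out "none" and key-confusion tricks.
func VerifyIDToken(token string, jwks JWKS, clientID, expectedNonce string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	var header struct{ Alg, Kid string }
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0]) // Split always yields at least one part
	if len(parts) != 3 || err != nil || json.Unmarshal(hdr, &header) != nil {
		return Claims{}, errors.New("token is not a well-formed compact JWS")
	}
	if header.Alg != "RS256" {
		return Claims{}, fmt.Errorf("unsupported alg %q", header.Alg)
	}
	var key *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == header.Kid {
			key = &jwks.Keys[i]
		}
	}
	if key == nil {
		return Claims{}, errors.New("no JWKS key matches the token's kid")
	}
	pub, err := key.publicKey()
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || errSig != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("signature verification failed")
	}
	var claims Claims
	if body, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return Claims{}, errors.New("malformed token payload")
	}
	switch {
	case claims.Aud != clientID:
		return Claims{}, errors.New("token was not issued to this client")
	case now.Unix() >= claims.Exp:
		return Claims{}, errors.New("token has expired")
	case claims.Nonce != expectedNonce:
		return Claims{}, errors.New("nonce mismatch: token does not belong to this login")
	}
	return claims, nil
}

// NewTestIssuer stands in for sgID so the example runs offline: a fresh RSA-2048
// signing key plus the JWKS that publishes its public half.
func NewTestIssuer(kid string) (*rsa.PrivateKey, JWKS) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	n := base64.RawURLEncoding.EncodeToString(priv.N.Bytes())
	e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return priv, JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: n, E: e}}}
}

// SignTestToken issues an RS256 token under the test issuer's key (constructed sample).
func SignTestToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(map[string]interface{}{"sub": c.Sub, "aud": c.Aud, "exp": c.Exp, "nonce": c.Nonce})
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	priv, jwks := NewTestIssuer("test-key-1") // production: fetch https://api.id.gov.sg/.well-known/jwks.json
	token := SignTestToken(priv, "test-key-1", Claims{Sub: "u_example", Aud: "my-client-id", Exp: time.Now().Add(5 * time.Minute).Unix(), Nonce: "n1"})
	fmt.Println(VerifyIDToken(token, jwks, "my-client-id", "n1", time.Now()))
}
```

The nonce compared here is the one you generated when building the authorization URL; matching it ties the ID token to the login your client actually started. Cache the JWKS with its HTTP freshness headers and re-fetch on an unknown `kid` rather than on every token.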
Request for user info
Once you have the access token, you can use it to request information about the user corresponding to the scopes you requested. To do so, make a GET request to the user info endpoint with the access token you received in the previous step. Example request:
You should receive a response with the following attributes:
Key | Value |
---|---|
sub | End user's unique identifier for your client. This is the same value as the . Note that, as part of sgID's privacy-preserving measures, each end user's unique identifier is different for each sgID client. |
key | An AES-128-GCM symmetric key, or a block key, that is encrypted with your client's RSA-2048 public key. |
data | JSON object which contains the data you requested in your application scope. To prevent sgID from reading the data, the payload is encrypted with the block key referenced in the definition for the |
Example JSON response body:
Decrypting the payload
As part of sgID's privacy-preserving measures, user data is transmitted in encrypted form, so that the sgID server is unable to read the data being transacted. The data is encrypted with a block key, which is itself encrypted with your client's public key so that only your client has access to the block key.
Therefore, to obtain the user data in plaintext, you will need to:
1. Decrypt the `key` received in the user info response with your client private key. This gives you the block key.
2. Decrypt the `data` received in the user info response with the block key you have just obtained.
Example decryption:
Example of decrypted data:
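The two decryption steps as an added Go example, not sgID's code or SDK. The page fixes the primitives (an RSA-2048 client key wrapping an AES-128-GCM block key) but not the wire encoding, so this example assumes RSA-OAEP with SHA-256 for the key wrap, standard base64 transport, and one ciphertext per `data` field laid out as nonce || ciphertext || tag; replace those assumptions with the encoding given in sgID's documentation. `NewClientKey` and `EncryptUserInfoForTest` play the client-registration and sgID roles so the program runs offline; the field name in `main` is a placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// UserInfo mirrors the user info response described above: sub, the wrapped
// block key, and the encrypted data fields (assumed: one ciphertext per field).
type UserInfo struct {
	Sub  string            `json:"sub"`
	Key  string            `json:"key"`
	Data map[string]string `json:"data"`
}

// NewClientKey generates the client's RSA-2048 key pair for this demo; a real client loads its private key from secure storage.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// UnwrapBlockKey is step 1: recover the block key with the client's private key.
// RSA-OAEP with SHA-256 and base64 transport are assumptions, not taken from the page.
func UnwrapBlockKey(priv *rsa.PrivateKey, wrapped string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(wrapped)
	if err != nil {
		return nil, err
	}
	// OAEP fails closed: a wrong private key or a tampered field yields an error, never a bogus key.
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// DecryptField is step 2: AES-128-GCM decrypt one field with the block key. The
// layout nonce || ciphertext || tag is assumed; GCM authenticates the data, so a
// tampered field fails here instead of yielding garbage.
func DecryptField(blockKey []byte, field string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(field)
	gcm, errGCM := newGCM(blockKey)
	if err != nil || errGCM != nil {
		return "", errors.New("bad ciphertext encoding or block key length")
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("authentication failed: tampered field or wrong block key")
	}
	return string(pt), nil
}

// DecryptUserInfo runs both steps over a whole response.
func DecryptUserInfo(priv *rsa.PrivateKey, info UserInfo) (map[string]string, error) {
	blockKey, err := UnwrapBlockKey(priv, info.Key)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(info.Data))
	for name, ct := range info.Data {
		if out[name], err = DecryptField(blockKey, ct); err != nil {
			return nil, fmt.Errorf("field %s: %w", name, err)
		}
	}
	return out, nil
}

// EncryptUserInfoForTest plays sgID's role so the example runs offline: fresh block
// key, one GCM nonce per field, key wrapped to the client's public key. Constructed
// stand-in, not sgID's implementation.
func EncryptUserInfoForTest(pub *rsa.PublicKey, sub string, plain map[string]string) (UserInfo, error) {
	blockKey := make([]byte, 16)
	rand.Read(blockKey)
	gcm, _ := newGCM(blockKey) // cannot fail for a 16-byte key
	data := make(map[string]string, len(plain))
	for name, pt := range plain {
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce) // a nonce must never repeat under the same key
		data[name] = base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(pt), nil))
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, blockKey, nil)
	if err != nil {
		return UserInfo{}, err
	}
	return UserInfo{Sub: sub, Key: base64.StdEncoding.EncodeToString(wrapped), Data: data}, nil
}

func main() {
	priv, _ := NewClientKey()
	info, _ := EncryptUserInfoForTest(&priv.PublicKey, "u_example", map[string]string{"FIELD_PLACEHOLDER": "sample value"})
	fmt.Println(DecryptUserInfo(priv, info))
}
```

Because the block key is only ever decrypted inside your service, the plaintext never exists outside it; keep the unwrapped key in memory for the single response and do not log it.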