sgID

Overview

sgID is an OpenID Connect (OIDC) identity provider by the Singapore government. sgID uses a privacy-preserving version of the OIDC protocol. This allows applications to integrate with sgID based on familiar industry standards, while providing privacy guarantees for end users.

sgID's implementation of OpenID Connect (OIDC) supports the standard authorization code grant type. This means that integration steps are based on the familiar OAuth 2.0 authorization code flow.

Government-verified data

As a government identity provider, sgID distinguishes itself from private sector identity providers by providing Singapore resident data that is verified by the government to be true. Because the data is both signed and separately encrypted with an end user-specific key pair, sgID can verify that the data has not been tampered with when the sgID relying party receives it.

Privacy

One of the key features of the sgID protocol is its privacy-preserving approach. End user data is encrypted with keys held on their device, so the sgID server handling the transaction cannot read the data that is being transmitted. This means that only the end user knows who they've been transacting with, and what information has been transacted.

sgID enforces client-specific identifiers. This means that different sgID relying parties receive different identifiers for the same end user. For example, if Xiao Ming logs into McDonald's with sgID, McDonald's might receive Xiao Ming's data, identifying him with a system ID of abcde. But if Xiao Ming logs into KFC with sgID, KFC will receive a different system ID, such as 12345.
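
One way an identity provider can issue client-specific identifiers, shown here as an added example and not sgID's own implementation: a keyed hash over the relying party's client ID and the provider's internal account ID. The secret, client IDs, account ID and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; a real provider would keep this in a KMS or HSM.
PROVIDER_SECRET = b"constructed-demo-secret-not-a-real-key"


def _length_prefixed(*fields: str) -> bytes:
    """Encode fields unambiguously so ("ab", "c") never collides with ("a", "bc")."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def pairwise_sub(client_id: str, internal_user_id: str,
                 secret: bytes = PROVIDER_SECRET) -> str:
    """Derive a stable identifier that is specific to one relying party.

    Without the secret, a relying party cannot recompute another client's
    identifier for the same user, so two clients cannot join their records.
    """
    message = _length_prefixed(client_id, internal_user_id)
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def demo() -> dict:
    user = "internal-user-0001"  # constructed internal account ID
    return {
        "mcdonalds_first": pairwise_sub("mcdonalds-client", user),
        "mcdonalds_again": pairwise_sub("mcdonalds-client", user),
        "kfc": pairwise_sub("kfc-client", user),
    }


if __name__ == "__main__":
    for name, sub in demo().items():
        print(f"{name}: {sub}")
```

The same relying party sees the same identifier on every login, while a second relying party sees an unrelated value for the same person.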

White Paper

If you're interested in learning more about the design of the sgID protocol, you can refer to the sgID White Paper.
