Dear Partners,
We would like to inform you of a change that will be made to the Corppass Authorization endpoint.
What has changed
In line with OAuth 2.0 security best practices, we’ve added a new `iss` (issuer) parameter to the `redirect_uri` callback response of the Corppass Authorization endpoint, that explicitly identifies the unique URL of the Authorization Server that issued the response. The redirect response will now include `iss=https://id.corppass.gov.sg`. You can view the updated documentation here.
This change is already live in the Staging environment and will be deployed in the Production environment on 23 July 2026.
What you need to do
To prevent disruption to your services, please review your current implementation and ensure that no rules or configurations are in place that would block or reject the `iss` parameter in the callback response. This includes but may not be limited to:
- URL validation or allowlist rules on callback parameters
- Strict query string parsing that rejects unknown parameters
- Web Application Firewall (WAF) or proxy rules filtering callback parameters
If your implementation already handles parameters gracefully, no further action is required.
We apologise for any disruption or inconvenience this may bring. Should you need assistance or have any questions, please do not hesitate to reach out to our support team here.
Thank you for your understanding and continued partnership.
Best regards,
Corppass Team
Comments
0 comments
Please sign in to leave a comment.