Auth0 Integration with Singpass

Learn how to enable Singpass login with QR code in Auth0 Universal Login.

Brought to you by @amin

Hey everyone! Let us know if you have any questions in the comments below!

@robertino.calcaterra Hello
Can you please let me know in detail what URLs need to be added in Authorization URL and Token URL when creating the custom extension under social connection? See screenshot.

hi @pawanvir.impinge ,

The webtask domain depends on your tenant region and extensibility version. It follows a pattern like https://YOUR_TENANT.regionNodeVersion.webtask.io/

You can find a sample of the full domain name per region here: Delegated Administration Extension v3

The remainder of the URL is as follows:

  • authorization endpoint: /auth0-singpass-extension/authorize
  • token endpoint: /auth0-singpass-extension/token

hope that helps,
Amin

Hello @robertino.calcaterra and @amin, thank you for the detailed post! Can I check if the relying party on the create extension page refers to Singpass? I've tried to use the JWKS endpoint and KID from both Singpass and my own domain and they both lead me to the error below.

Accessing the following two URLs, following the format below, shows that error as well.

Error:

hi @alice.zhang ,

@Vikas_Jayaram pushed a new change to the extension today (PR1). Would you please check if the dependency issue is resolved?

Regards,
Amin

Hello @amin ,

Yep the update resolved my previous issue. Thanks a lot.

Can I check if you’ve encountered this error before, or is this bug caused by Singpass?

Singpass cannot generate QR code

@alice.zhang Good to know the extension issue is resolved. I’m not across the error message. Can you supply further information? Does it happen all the time? Can you send a HAR file?

Hi @amin
Yes this happens every time I attempt to generate a QR to login.

I was reading through their documentation and am wondering if I needed to whitelist the Singpass domain or integrate relevant CSP headers onto the Universal Login HTML? Or does Singpass need to whitelist my webapp’s domain instead?

Here’s the HAR file as I attempt to login:
ngs-development.au.auth0.com.har (1.9 MB)

@alice.zhang You’re right. This is because you need to use an Auth0 Custom Domain that’s registered in Singpass and not the Auth0 canonical domain.

@robertino.calcaterra @amin
Can I check if there is any way to configure the Singpass Environment to Production mode?

From the code found in the extension, it seems that staging environment is pointing to https://stg-id.singpass.gov.sg instead of the production URL which is https://id.singpass.gov.sg

We are getting “client_id or client_assertion was invalid” after we attempt to switch it to Singpass with Production configuration.

Hi,

You need a different set of client credentials for production, which should be obtained from Singpass. Staging credentials won’t work in production.

Kind regards,
Amin

@amin Yes, we are using production’s client credentials and the Singpass login page does load, but upon successful login we would get an error, and we suspect it has something to do with the Singpass Environment configured on the extension itself.

Any possibility you are able to verify on this?

@shuxyan.ng The extension version is not suitable for the production workload. I suggest you deploy one of the self-hosted versions of the proxy listed here GitHub - auth0-blog/auth0-singpass: Auth0 Singpass Integration, and change the upstream server to id.singpass.gov.sg in the config.

@amin We have managed to deploy it with production mode, thank you for the help!

Hi @amin, do you happen to know if Auth0 is able to support login via MyInfo?
https://api.singpass.gov.sg/library/myinfo/developers/overview

Hi @shuxyan.ng ,

According to the overview, Myinfo is a resource server, and the process we have to obtain access_token from Singpass is still valid and relevant.

However, we haven’t considered DPoP in our design, which is required for Myinfo v4. If you add DPoP functionality to either the proxy endpoint or the custom social connection fetchUserProxy, the integration system should be able to invoke PII from Myinfo and attach it to the Auth0 user profile.

Hope this helps,
Amin
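
The DPoP proof mentioned in the reply above, as an added example that is not part of the thread or of the auth0-singpass project: it builds and checks an RFC 9449 proof JWT with Node's built-in crypto. The function names, the resource URL and the access token passed in are assumptions; which claims and endpoints Myinfo v4 expects is decided by its own specification.

```javascript
// Added example (not from the thread): RFC 9449 DPoP proof with Node's built-in crypto.
const { generateKeyPairSync, createPublicKey, createHash, sign, verify, randomUUID } = require('node:crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');
const athOf = (token) => token && createHash('sha256').update(token).digest('base64url');

// htu is the request URI without query string or fragment.
function normalizeHtu(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

// Demo key; the same key pair must be used for the token request and the resource call.
function newDpopKey() {
  return generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

function createDpopProof({ privateKey, publicKey }, method, url, accessToken) {
  const { kty, crv, x, y } = publicKey.export({ format: 'jwk' }); // public parts only
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { kty, crv, x, y } };
  const payload = {
    jti: randomUUID(), // unique per request, lets the server reject replays
    htm: method.toUpperCase(),
    htu: normalizeHtu(url),
    iat: Math.floor(Date.now() / 1000),
  };
  const ath = athOf(accessToken); // binds the proof to one access token
  if (ath) payload.ath = ath;
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS ES256 needs the raw r||s signature, not Node's default DER encoding.
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64url(sig)}`;
}

// Receiver-side checks, so the proof can be validated locally before wiring it in.
// A real server also tracks jti values to detect replay.
function verifyDpopProof(proof, method, url, accessToken, maxAgeSec = 300) {
  const [h, p, s] = proof.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256' || header.jwk.d) return false;
  const key = createPublicKey({ key: header.jwk, format: 'jwk' });
  const sigOk = verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  const fresh = Math.abs(Date.now() / 1000 - payload.iat) <= maxAgeSec;
  return sigOk && fresh && payload.htm === method.toUpperCase()
    && payload.htu === normalizeHtu(url) && payload.ath === athOf(accessToken);
}
```

The proof string goes in the `DPoP` request header; a new proof with a new `jti` is generated for every request.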