Set up Singpass login in production

Hi, I am not sure how to set up the Singpass login with the Auth0 plugin in production. The support team has managed to make the staging work, but they are not providing support for actual production set-up.

I have tried to duplicate the GitHub extension but it is giving me an error “invalid client_id”. For the production app, do I have to create the login as a Regular Web application and connect it to the Express app deployed in Heroku for the login to work?

Will I also have to purchase the Enterprise plan for OIDC or any other additional setup?

You need to deploy a self-hosted proxy to enable production mode in Singpass. The integration configuration in Auth0 only allows you to select staging mode. You also need a different set of client credentials for production, which should be obtained from Singpass. Staging credentials won’t work in production.

You can find the code and instructions for the self-hosted proxy on GitHub. You need to change the upstream server to id.singpass.gov.sg in the config file. You also need to create a custom connection in Auth0 using the client ID and secret from the companion app. You can follow the steps in this guide to configure Singpass as an OAuth provider in WordPress.

You do not need to purchase the Enterprise plan for OIDC, as Singpass uses OIDC authorization code flow. You can use the Regular Web Application template in Auth0 and connect it to your Express app deployed in Heroku. You can also use the Auth0 Universal Login to enable Singpass login with QR code.

I hope this helps 🙂

Hi Pratyush,

There seems to be something wrong with the Express proxy code provided in this GitHub repo. When we tried to deploy, it is returning 2 client IDs:

&client_id=<auth0-app-clientid>&client_id=<singpass-clientid>&

After a few email exchanges, the Support Engineer advised us to remove the Auth0 client_id from the req.url and we managed to load the QR code.

However, after scanning the QR code, the following error message is thrown:

# Fatal error in HandleScope::HandleScope
# Entering the V8 API without proper locking in place
#

We cannot find a solution to solve this as it seems that the credentials and variables are now wrongly set.

Singpass has also migrated to Login V4, and deprecated their Client Secret authentication altogether so this data is no longer available to us.

What do we do to get it to work in Production?
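
The doubled `client_id` described in the post above, as an added example that is not part of the thread or of the proxy repository's code: RFC 6749 section 3.1 forbids repeating a request parameter, so a proxy should replace the incoming `client_id` rather than append a second one. The `/authorize` path, the `state` value and the client ID strings are constructed placeholders.

```javascript
// Added example: not code from the proxy repository discussed in this thread.
// Assumption: the proxy forwards Auth0's authorization request upstream and
// must present only the upstream-issued client_id. All values are constructed.

// Base used only so the WHATWG URL parser accepts a relative req.url.
const BASE = 'http://placeholder.invalid';

// Return the names of query parameters that occur more than once.
// RFC 6749 section 3.1: parameters MUST NOT be included more than once.
function duplicatedParams(reqUrl) {
  const { searchParams } = new URL(reqUrl, BASE);
  const counts = new Map();
  for (const key of searchParams.keys()) {
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([key]) => key);
}

// Rewrite a relative request URL (as in Express's req.url) so it carries
// exactly one client_id. URLSearchParams.set() overwrites the first occurrence
// and deletes the rest, unlike append() or string concatenation.
function withUpstreamClientId(reqUrl, upstreamClientId) {
  const url = new URL(reqUrl, BASE);
  url.searchParams.set('client_id', upstreamClientId);
  return url.pathname + url.search;
}

// Constructed sample mirroring the doubled parameter reported above.
const SAMPLE_URL =
  '/authorize?response_type=code&client_id=AUTH0_APP_CLIENT_ID' +
  '&client_id=SINGPASS_CLIENT_ID&state=abc123';

function demo() {
  const fixed = withUpstreamClientId(SAMPLE_URL, 'SINGPASS_CLIENT_ID');
  return {
    before: duplicatedParams(SAMPLE_URL), // parameters repeated on the way in
    after: duplicatedParams(fixed),       // parameters repeated after rewrite
    fixed,
  };
}

console.log(demo());
```

Running `duplicatedParams` on the outgoing URL in a test or a log line catches the regression if a later change goes back to appending parameters.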