Add Corppass PAR (Pushed Authorization Request) support with feature flag

[Copilot]

Problem

Corppass OIDC authentication currently passes authorization request parameters in query string, exposing them to potential user modification. Pushed Authorization Requests (PAR) addresses this by POSTing parameters to a secure endpoint first.

Solution

Implement PAR for Corppass behind enable-corppass-par feature flag.

Breaking Changes

• Yes - this PR contains breaking changes
• No - this PR is backwards compatible

Features:

• New enable-corppass-par feature flag
• CpOidcClient.createAuthorisationUrlWithPar() - POSTs auth params to PAR endpoint, returns redirect URL with request_uri
• CpOidcServiceClass.createRedirectUrlWithPar() - service wrapper for PAR flow
• When flag enabled, Corppass redirects use PAR; when disabled, existing flow unchanged

Improvements:

• Protected getter rpRedirectUrl on base client for subclass access

Bug Fixes:

• N/A

Before & After Screenshots

N/A - backend only, no UI changes

Tests

Added unit tests for createAuthorisationUrlWithPar:

• Empty state/esrvcId validation
• PAR endpoint not configured error
• Successful PAR request and URL construction
• Missing request_uri in response
• Network error handling

Deploy Notes

New environment variables:

• CP_OIDC_NDI_PAR_ENDPOINT : Corppass PAR endpoint URL (optional, required when feature flag enabled)

New scripts:

• N/A

New dependencies:

• N/A

New dev dependencies:

• N/A

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• fastdl.mongodb.org
  • Triggering command: /usr/local/bin/node node --experimental-vm-modules node_modules/jest/bin/jest.js --testPathPattern=spcp --testTimeout=30000 (dns block)
  • Triggering command: /usr/local/bin/node node --experimental-vm-modules node_modules/jest/bin/jest.js --testPathPattern=spcp.oidc.client.spec --testTimeout=30000 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Corppass is a Singapore Government OIDC provider which allows citizens to perform actions on behalf of businesses registered in Singapore.

To log in to Corppass, FormSG redirects users to sign in with the Corppass OIDC Identity Provider, which in turn uses Singpass as the OIDC Identity Provider.

The Corppass OIDC server is implementing Pushed Authentication Requests as a security enhancement to the conventional redirect to an authentication endpoint. The primary advantage is that authentication request parameters are protected from user modification, since they are no longer transparently passed in the query parameters.

Your task is to create a pull request that will use PAR instead of a simple redirect, to better improve security.

• This PR should introduce a feature flag named enable-corppass-par
• When the feature flag is enabled, the FormSG backend should POST the authentication parameters to the Corppass PAR endpoint, and redirect users to the returned URL
• When the feature flag is disabled, the FormSG backend should redirect users to the existing auth endpoint.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.