Unable to Bypass Face Verification for Singpass Testing

[denniafredo]

Hi everyone,

We're currently integrating Singpass for authentication in our application, and we're encountering an issue during the login process. Every time we try to log in using the provided credentials (Singpass ID : F1612351W, Password : MyInfo2o15), it redirects us to the face verification step. This step is problematic for our team since not all of our developers are located in Singapore.

We are using an /auth endpoint in our application, which generates the authorization URL and redirects users to the Singpass login page. For testing and development purposes, is there a way to bypass or skip the face verification step? Alternatively, are there any sandbox or testing environments provided by Singpass that allow us to simulate this process without requiring actual face verification?

Your guidance or suggestions would be greatly appreciated. Thank you!

Here is my url : https://stg-id.singpass.gov.sg/auth?client_id=Dfn5pqzg4RwCpsJ28Fca83dcVHFVDKup&scope=email%20mobileno%20name%20openid%20regadd%20uinfin&response_type=code&redirect_uri=https%3A%2F%2Fspmw.interaktiv.sg%2Fapi%2Fcallback&code_challenge_method=S256&code_challenge=bxqeZ8NhZK5F2nCqbEOcb8sbn5zIck59Lis5pVZ_g7I&nonce=f67931e5-7d2d-4b47-9acd-1e305a24543d&state=9a2f750be346451925e691acce6dc728

[luiscvega]

I tried on the mobile browser of Safari and I'm getting the same issue, it's asking for a Face Verification.

However, when I try on a desktop browser, I'm getting an authentication error. See the screenshot below:

[dannycsz]

I have the same problem, I tried other test user from the persona list, it's either prompt for 2FA or Face Verification. Nothing works so far.

[poopypoops]

can you try using this test account - S7790795E password: Demo@123

[luiscvega]

Just tried it and still doesn't work.

[poopypoops]

use this password instead - T4!vY9@xL7$p

[luiscvega]

Hmm, just tried S7790795E with T4!vY9@xL7$p and also doesn't work.

[dannycsz]

My side working fine with this.

[denniafredo]

Hi @dannycsz , you could share the code or approach you use for the /auth endpoints?

I am currently working on a similar feature and would greatly appreciate any guidance or examples you could provide.
Thanks!

[dannycsz]

I mean I try the demo and it works but once I change the client to my staging app, it always return AUTH-E0001 even with the exact same keys.

[denniafredo]

i have this problem

[luiscvega]

@denniafredo @dannycsz @poopypoops

If you generate the auth URL correctly and see the sign-in page, it works when you enter S7790795E with T4!vY9@xL7$p in Chrome. But it does not work on Firefox. Strange. Using it on mobile also produces a different result. Highly inconsistent. Will test further.

[casuarinao8]

Anyone found a solution to this? I am also facing the same issue where System Code: AUTH-E0001b is shown.

[luiscvega]

I have been successful in retrieving the /userinfo so I'd be glad to assist anyone.

Here is the code that I used to try and successfully generate a working /auth URL:

package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"

	"github.com/google/uuid"
)

const (
	clientId    = "<your-client-id>"
	redirectUri = "http://localhost:8080/singpass"
	scopes      = "birthcountry dob email marital merdekagen.eligibility name nationality openid race sex uinfin"
	tokenUrl    = "https://stg-id.singpass.gov.sg/token"
)

func main() {
	// Step 1: Get authorize url
	_, codeChallenge, err := generatePkceCodePair()
	if err != nil {
		panic("failed to generate PKCE code pair!")
	}

	fmt.Println(authorizeUrl(codeChallenge))
}

func generatePkceCodePair() (string, string, error) {
	// code verifier
	bs := make([]byte, 32)

	if _, err := rand.Read(bs); err != nil {
		return "", "", err
	}

	codeVerifier := hex.EncodeToString(bs)

	// code challenge
	hash := sha256.New()

	if _, err := hash.Write([]byte(codeVerifier)); err != nil {
		return "", "", err
	}

	codeChallenge := base64.RawURLEncoding.EncodeToString(hash.Sum(nil))

	return codeVerifier, codeChallenge, nil
}

func authorizeUrl(codeChallenge string) string {
	v := url.Values{
		"scope":                 []string{scopes},
		"response_type":         []string{"code"},
		"redirect_uri":          []string{redirectUri},
		"nonce":                 []string{uuid.New().String()},
		"client_id":             []string{clientId},
		"state":                 []string{uuid.New().String()},
		"code_challenge":        []string{codeChallenge},
		"code_challenge_method": []string{"S256"},
	}

	return fmt.Sprintf("https://stg-id.singpass.gov.sg/auth?%s", v.Encode())
}

However, you need to make sure that your SDP settings are correct:

1. Make sure that your Redirect URL is correct and that you are using it in the code correctly. You'll notice in the code, my redirect URI is http://localhost:8080/singpass. This is also exactly is what is set in my SDP settings.
2. Your JWKS must be valid. If you're using the the JWKS URL, it must be publicly accessible and have a valid JWKS object. If you're using the JWKS Object text area, you must use a valid JWKS object as well. Here is a sample one from the demo-app (of course, you must generate your own valid ones when you are testing):

{
  "keys": [
    {
      "kid": "my-sig-key",
      "kty": "EC",
      "use": "sig",
      "alg": "ES256",
      "crv": "P-256",
      "x": "16Ziaq7VMza-agHmM3P6uh887g2Yusp_lE7RBpi1YYI",
      "y": "3XidKG6ImEvtt9dcjX8UoXykPRTovfALxPXaWPBQ7yc"
    },
    {
      "kid": "my-enc-key",
      "kty": "EC",
      "use": "enc",
      "alg": "ECDH-ES+A256KW",
      "crv": "P-256",
      "x": "6MYhNwxiDqIlp2-x7-EXWx9lv6N1C7rqezs7Nl9j7hA",
      "y": "Q2cxMkolRlpdw8QY4Kwpkwqyp1vpoA3KVzoLXG2wvfQ"
    }
  ]
}

3. The only Myinfo Test Persona that works is this: S7790795E / T4!vY9@xL7$p. I've tried other Test Personas and they are not working. Probably an issue with Singpass.

4. Finally, I've noticed that the app only works in Google Chrome. In other browsers, I get the "We are sorry but there seems to be an error" page with the AUTH-E0001 whenever I use the above persona. Again, I think this is an issue with Singpass.

[casuarinao8]

Could I understand whether u found any solution for this?

[luiscvega]

@denniafredo, are you still running into any issues?

[denniafredo]

now it shows like this.

are you get this issue too @luiscvega ?

[luiscvega]

What if your “Authentication flow” setting? Can you try setting it to “1FA”?

[denniafredo]

@luiscvega can you assist me where to change the Authentication flow to 1FA ?

[luiscvega]

Sorry for the delayed response. You can change it in the SDP settings:

[denniafredo]

@luiscvega Thank you for your help, as I don't have access to the dashboard.