Class API uses OAuth2.0 and OpenID Connect to enable single sign-on experience for your Partner applications.
High level Overview
- Request authorisation from Class, end user authenticates including MFA and Class returns an authorisation code
- Exchange the authorisation code for an Access token and an ID token (if requested)
- Verify claim in ID Token (JWT) and use access token to access claims at the Userinfo endpoint, or other resources from the resource server (API server).
OAuth2.0
The user grants permission to the Partner application to access a resource (e.g. SMSF fund details) on their behalf. The Partner application receives an Access Token, which it uses to access the resource server (API server).
OpenID Connect (OIDC)
OIDC extend OAuth2.0 for authentication. It is used for SSO between OAuth-enabled applications.
OIDC uses and additional JSON Web Token (JWT) called an ID Token. The ID Token standardizes areas that OAuth 2.0 leaves up to choice (e.g. scopes) and it focusses on authentication. Include "openid" in the Authorisation scope request to invoke this. It further unlocks other claims, such as email, address, phone_number, class_profile, etc that should be used in conjunction with "openid". See UserInfo endpoint for further details of claims available.
ID Token
The Class ID tokens are <ahref="https: data-linktype="external">JSON Web Tokens (JWTs)signed by using public key cryptography. </ahref="https:>
The tokens are only returned if the authorisation scope includes "openid" when authorisation is requested.
ID tokens consist of a header, payload and signature. The header and signature are used to verify the authenticity of the token, while the payload contains the information about the user requested.
Partner applications and web APIs that use ID tokens for authorization must validate them because such applications get access to data. We recommend to use a token validation library to parse and validate tokens. Token validation libraries are available for most development languages, frameworks, and platforms. ID Tokens are valid for 20 minutes.
The following claims are returned in the ID Token header
{
"typ": "JWT",
"alg": "RS256",
"kid": "1C438CF0-6183-4E36-A8A8-D9565D716379"
}
The following claims are returned in the ID Token payload:
{
"sub": "2e0742e2-ae4f-4ded-a478-fc5b2bb63b3e",
"email": "firstname.lastname@email.com",
"urn:Class:specialroles": "",
"iat": "1724814986",
"at_hash": "QUo7KqrK2Bme0ANgyVi_Hw",
"iss": "https://app.class.com.au/",
"aud": "d6044958-95a0-4695-8b73-4011e4b4d541",
"exp": 1724816186,
"nbf": 1724814986
}
ID Token claims definitions
kid: Specifies the thumbprint for the public key that can be used to validate the token's signature
iat: Indicates when the authentication for the token occurred as a Unix timestamp.
iss: Identifies the issuer that constructs and returns the token. Should always be https://app.class.com.au
aud: Identifies the intended recipient of the token. The audience is your app's OAuth client ID, assigned to your app by Class Partner team. The token should be rejected if it fails to match your Client ID.
exp: Identifies the expiration time on or after which the JWT can't be accepted for processing. In certain circumstances, a resource may reject the token before this time. For example, if a change in authentication is required or a token revocation has been detected.
nbf: Identifies the time before which the JWT can't be accepted for processing.