Overview
This flow is only available for use by Class Customers (signed SSLA agreements) accessing their own data. Partners/integrations must use the Authorization code flow. Customers are also encouraged to use the Authorization code flow for increased security and a better audit trail of which users made changes to data, as multiple users can authorise access to the data.
Where a customer has multiple business codes on Class, you can request that all the codes be added to your OAuth credentials. You will need to obtain a separate access token for each business before exchanging the token for data from that business.
Overview of flow
The Resource owner password flow involves the following high-level steps:
- Your integration makes a request to the token endpoint https://app.class.com.au/connect/token containing the username and password of the authorizing user. This request identifies your integration and the scope of resources you wish to access.
- Class returns a token response containing the Access token and, if requested, an ID Token.
Token request
The token request is used to obtain an Access Token that can be used to access the Class API.
Requests are made via a POST request to the token endpoint.
Authorisation Header
Requests involved in this flow require basic authentication using the client_id and client_secret issued for your Application/integration. The authorization header is case-sensitive, including the word Basic. It can be constructed as follows:
- Concatenate the client_id and client_secret, separated by a single colon, for example: <client_id>:<client_secret>
- Base64 encode the authentication string above, for example: PGNsaWVudF9pZD46PGNsaWVudF9zZWNyZXQ+
- Include the Base64 encoded authentication string in the Authorization request header, preceded by the string "Basic":
Authorization: Basic PGNsaWVudF9pZD46PGNsaWVudF9zZWNyZXQ+
| Parameter | Required | Value | Description |
|---|---|---|---|
| grant_type | True | password | The type of OAuth 2.0 grant being exchanged. For resource owner password requests this field must be set to password. |
| username | True | string | The username of the Resource Owner. |
| password | True | string | The password of the Resource Owner. |
| scope | False | A space-delimited list of scope values | List of scope values describing the access being requested by your integration. See Authorization scope for a detailed description of this parameter and the values supported. |
An example token request, with white space added for readability:
Token response
The token endpoint returns a response in JSON format.
For unsuccessful requests, the JSON object will contain two properties, error with an error value as described in Error codes, and error_description containing a more specific, human-readable error message.
For successful requests, the JSON object will contain the following properties:
| Parameter | Value | Description |
|---|---|---|
| access_token | An access token | This is the token that is used to access user resources via the Class API. |
| token_type | bearer | The type of access token. Currently, the Class API only supports Bearer tokens and this property will always have the value bearer. |
| expires_in | Integer | The number of seconds until the access token expires, e.g. 899. |
| scope | A space-delimited list of scope values | The actual scope of the access token. This may differ from what was requested in the scope parameter of the request. See Authorization scope for a detailed description of this parameter and possible scope values. |
| Optional (depending on authorization scope requested) | | |
| id_token | An ID Token | An ID Token containing identity information about the Class user that can be used for authentication. This property is only included if openid was included in the scope parameter. |
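The request and response described in the two sections above, end to end, as an added example that is not code from the Class documentation. It builds the Basic header and the POST body for the token endpoint, then validates constructed sample responses of the shape shown on this page. Assumptions not stated on the page: the body is sent as application/x-www-form-urlencoded, as RFC 6749 section 4.3 specifies for this grant; the error code invalid_grant in the sample error body is the standard OAuth 2.0 value, used only as a placeholder; the token value is a constructed placeholder. Nothing is sent over the network.

```python
"""Resource Owner Password token exchange against the Class token endpoint.

Added example, not part of the Class documentation. Builds the request and
parses constructed sample responses; no network call is made.
"""
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://app.class.com.au/connect/token"  # from the page


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return 'Basic ' + base64(client_id:client_secret).

    Encoding as ASCII explicitly fails loudly on non-ASCII input instead of
    letting stray bytes (such as a UTF-8 byte-order mark) into the value.
    """
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, username, password, scopes=()):
    """Return (url, headers, body) for a grant_type=password token request.

    Assumption: the body is application/x-www-form-urlencoded (RFC 6749 4.3);
    scope is a single space-delimited string.
    """
    form = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        form["scope"] = " ".join(scopes)
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TOKEN_ENDPOINT, headers, urlencode(form)


class TokenError(Exception):
    """Raised for error responses and for malformed success responses."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def parse_token_response(status: int, body: str) -> dict:
    """Validate a token response and return the parsed token on success.

    Error responses carry 'error' and 'error_description'. A success response
    must include the four documented properties, a bearer token_type and a
    positive integer expires_in; id_token is optional.
    """
    data = json.loads(body)
    if "error" in data:
        raise TokenError(data["error"], data.get("error_description", ""))
    if status != 200:
        raise TokenError("unexpected_status", f"HTTP {status} without an error body")
    for key in ("access_token", "token_type", "expires_in", "scope"):
        if key not in data:
            raise TokenError("invalid_response", f"missing property {key}")
    if data["token_type"].lower() != "bearer":
        raise TokenError("invalid_response", f"unsupported token_type {data['token_type']}")
    if not isinstance(data["expires_in"], int) or data["expires_in"] <= 0:
        raise TokenError("invalid_response", "expires_in must be a positive integer")
    return {
        "access_token": data["access_token"],
        "expires_in": data["expires_in"],
        "granted_scopes": set(data["scope"].split()),
        "id_token": data.get("id_token"),  # present only when openid was requested
    }


def missing_scopes(requested, granted) -> set:
    """Requested scopes the server did not grant; the granted scope may differ."""
    return set(requested) - set(granted)


# Constructed sample responses: shape taken from the page, values are placeholders.
SUCCESS_BODY = json.dumps({
    "access_token": "EXAMPLE_ACCESS_TOKEN",
    "token_type": "bearer",
    "expires_in": 899,
    "scope": "target:b/OAUTH_TEST offline_access business.fund.create fund.read",
})
ERROR_BODY = json.dumps({
    "error": "invalid_grant",  # standard OAuth 2.0 error code, used as a sample
    "error_description": "Constructed sample error message",
})

if __name__ == "__main__":
    wanted = ["target:b/OAUTH_TEST", "fund.read", "openid"]
    url, headers, body = build_token_request(
        "<client_id>", "<client_secret>", "user@example.com", "example-password",
        scopes=wanted,
    )
    print("POST", url)
    print(headers["Authorization"])
    print(body)
    token = parse_token_response(200, SUCCESS_BODY)
    print("granted:", sorted(token["granted_scopes"]))
    print("not granted:", missing_scopes(wanted, token["granted_scopes"]))
```

Because the granted scope may differ from the requested scope, the caller compares the two before using the token rather than assuming every requested permission was issued; here openid was requested but no id_token came back, so the check reports it. The Basic header produced for the literal placeholders <client_id> and <client_secret> is the Base64 of exactly those 27 bytes, with nothing else in between.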
Examples of successful and unsuccessful token responses, with white space added for readability:
Successful Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Content-Length: 959
Cache-Control: no-cache
Pragma: no-cache
{
"access_token":"CBfgN5Z5...",
"token_type":"bearer",
"expires_in":899,
"scope":"target:b/OAUTH_TEST offline_access business.fund.create fund.read"
}
Error Response