Overview
This article provides a detailed description of how to obtain an access token via the OAuth 2.0 Resource Owner Password Flow. The access token can then be used to access the Class API.
This flow is only available for use by private clients (Class users accessing their own data via the API). Public clients must use the Authorization code flow.
Overview of flow
The Resource owner password flow involves the following high-level steps:
- Your integration makes a request to the token endpoint containing the username and password of the authorizing user. This request identifies your integration and the resources you wish to access.
- Your integration parses the response body to obtain the access token.
Token request
The token request is used to obtain an access token that can be used to access the Class API.
Requests are made via an HTTP POST request to the token endpoint. The URI of this endpoint should be obtained dynamically from the token_endpoint field of the Discovery document. The following parameters are supported for token requests:
| Parameter | Required | Value | Description |
|---|---|---|---|
| grant_type | True | password | The type of OAuth 2.0 grant being exchanged. For resource owner password requests this field must be set to password. |
| username | True | string | The username of the Resource Owner. |
| password | True | string | The password of the Resource Owner. |
| scope | False | A space-delimited list of scope values | List of scope values describing the access being requested by your integration. See Authorization scope for a detailed description of this parameter and the values supported. |
An example token request, with white space added for readability:
Token response
The token endpoint returns a response in JSON format.
For unsuccessful requests, the JSON object will contain two properties, error with an error value as described in Error codes, and error_description containing a more specific, human-readable error message.
For successful requests, the JSON object will contain the following properties:
| Parameter | Value | Description |
|---|---|---|
| access_token | An access token | This is the token that is used to access user resources via the Class API. |
| token_type | bearer | The type of access token. Currently, the Class API only supports Bearer tokens and this property will always have the value bearer. |
| id_token | An ID Token | An ID Token containing identity information about the Class user that can be used for authentication. This property will only be included if OpenID was included in the scope parameter. |
| expires_in | Integer | The number of seconds until the access token expires. |
| scope | A space-delimited list of scope values | The actual scope of the access token. This may be different from what was requested in the scope parameter in the authorization request. See Authorization scope for a detailed description of this parameter and possible scope values. |
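As an added illustration, not code from the page or from the Class API project, the two steps of the flow carried through in Python: the token endpoint is read from a discovery document rather than hard-coded, the password-grant POST body is built from the parameters in the token request table, and the response is parsed into either a usable token record or an error. The discovery URL, the helper names and the sample JSON bodies are assumptions; the successful body mirrors the page's example response and the error body is constructed using the standard OAuth 2.0 error shape.

```python
"""Resource Owner Password flow helpers (added example, not the page's own code).

Assumptions not taken from the page: the placeholder token endpoint URL,
the helper names, and the sample JSON documents constructed below.
"""
import json
import time
import urllib.parse
import urllib.request

# Constructed discovery document. A real one is fetched from the Class
# discovery endpoint and carries the live token_endpoint value.
SAMPLE_DISCOVERY = json.dumps({
    "token_endpoint": "https://example.invalid/oauth/token",  # placeholder
})

# Constructed response bodies: the success body mirrors the page's example,
# the error body uses the error/error_description shape the page describes.
SAMPLE_SUCCESS_BODY = json.dumps({
    "access_token": "CBfgN5Z5...",
    "token_type": "bearer",
    "expires_in": 899,
    "scope": "target:b/OAUTH_TEST offline_access business.fund.create fund.read",
})
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "The username or password is incorrect.",
})


def token_endpoint_from_discovery(discovery_json):
    """Read token_endpoint from the discovery document instead of hard-coding it."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("token_endpoint")
    # Refuse to send credentials anywhere that is not an https URL.
    if not isinstance(endpoint, str) or not endpoint.startswith("https://"):
        raise ValueError("discovery document has no https token_endpoint")
    return endpoint


def build_token_request(username, password, scopes=()):
    """Return (headers, form-encoded body) for a grant_type=password request."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        params["scope"] = " ".join(scopes)  # scope is space-delimited
    body = urllib.parse.urlencode(params).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def parse_token_response(status, body, requested_scopes=(), now=None):
    """Turn the JSON token response into a dict; raise on an error response."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise RuntimeError(
            f"{data.get('error', 'unknown')}: {data.get('error_description', '')}")
    # The API only issues Bearer tokens; anything else is unexpected.
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    granted = set(data.get("scope", "").split())
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        # Absolute expiry lets the caller refresh before the token lapses.
        "expires_at": now + int(data["expires_in"]),
        "granted_scopes": granted,
        # Granted scope may be narrower than requested; surface the gap.
        "missing_scopes": set(requested_scopes) - granted,
        # Only present when OpenID was part of the requested scope.
        "id_token": data.get("id_token"),
    }


def request_token(discovery_json, username, password, scopes=()):
    """Perform the live POST against the discovered endpoint (needs network)."""
    endpoint = token_endpoint_from_discovery(discovery_json)
    headers, body = build_token_request(username, password, scopes)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.status, resp.read().decode("utf-8"), scopes)
```

The parser deliberately reports scopes that were requested but not granted, since the response table states the granted scope may differ from what was asked for, and converts expires_in into an absolute timestamp so callers can decide when to obtain a fresh token instead of discovering expiry through a failed API call.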
Examples of successful and unsuccessful token responses, with white space added for readability:
Successful Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Content-Length: 959
Cache-Control: no-cache
Pragma: no-cache
{
"access_token":"CBfgN5Z5...",
"token_type":"bearer",
"expires_in":899,
"scope":"target:b/OAUTH_TEST offline_access business.fund.create fund.read"
}
Error Response