Skip to main content
 

The Help Centre

Search

Authorization Code Flow

In this article, we will provide a detailed description of how to obtain access tokens, refresh tokens and ID Tokens via the OAuth 2.0 Authorization Code Flow. Access tokens can be used to access the Class API.

The authorization code flow is designed for use by integrations that can ensure the confidentiality of their client_secret, such as web server applications. The assumption of confidentiality allows this flow to offer additional functionality, most notably supporting the use of refresh tokens.

 In order to use this flow, you will require to update your redirect URL by sending an email to partners@class.com.au.  

Outline of Flow

The authorization code flow involves the following high-level steps:

  1. Your integration directs the user to the Class authorization endpoint by making an authorization request. This request identifies your integration and the resources you wish to access.
  2. Class authenticates the user and prompts them to authorize the requested access.
  3. Class redirects the user to a redirection endpoint registered for your integration. An authorization code is included in the query component of the redirect URL.
  4. Your integration makes a token request to the Class token endpoint, including your client credentials and the authorization code.
  5. Class returns a token response containing the access token and, if requested, a refresh token and/or ID Tokens

Client Authentication

Some requests involved in this flow require client authentication using the client_id and client_secret issued for your integration. This is indicated in the documentation for these requests.

Authentication is accomplished via the HTTP Basic authentication scheme as follows:

  1. Form the authentication string by concatenating the client_id and client_secret, separated by a single colon, for example: <client_id>:<client_secret>
  2. Base64 encode the authentication string, for example, PGNsaWVudF9pZD46PGNsaWVudF9zZWNyZXTvu78+
  3. Include the Base64 encoded authentication string in the Authorization request header, preceded by the string "Basic".

The following is an example of a correctly formed Authorization header:

The authorization header is case-sensitive, including the word Basic.

Authorization: Basic PGNsaWVudF9pZD46PGNsaWVudF9zZWNyZXTvu78+

Authorization Request

The authorization request prompts the user for consent before redirecting them to the specified redirect URI. If the authorization was successful, the redirect will also include an authorization code that can be exchanged for an access token.

Requests are made via HTTP GET request to the authorization endpoint. The URI of this endpoint should be obtained dynamically from the authorization_endpoint field of the Discovery document.

The following query parameters are supported for authorization requests:

Parameter
Required

Value
Description
response_type True code The desired Response type. For the authorization code flow, the value must be code.
client_id True

Id issued for your integration

Identifies the requesting integration to the authorization server. The value must be the id that was issued for your integration.
redirect_uri True One of the redirection endpoints for your integration

Specifies where the authorization response will be sent. The value must be an absolute URI and must exactly match one of the redirection endpoints registered for your application, including protocol (https), case, and trailing/character if present.

Optionally, a query string may be included in the URI. If present, any query parameters will be echoed in the authorization response, in addition to the regular response parameters defined in the Authorization response section.
scope False A space-delimited list of scope values List of scope values describing the access being requested by your integration. See Authorization scope for a detailed description of this parameter and the values supported.
state False Any string This value is not used by the authorization server, but is echoed in the response to your integration and can be used to track state through the authorization process.
response_mode False code Class supports query (default), form_post.
prompt False none, login, consent

Specifies how the authorization server should prompt the authorizing user for consent.

  • none - Never display a login or consent prompt to the user. This request will fail unless the user is already logged in to Class and has already authorized the requested access previously.
  • login - Requires the user to re-login to Class before authorizing the request, even if they are already logged in to Class.
  • consent - Always prompt the user for consent, even when access to the request scopes has already been granted previously.

With the exception of none, multiple values may be specified for this parameter in a space-delimited list. For example, prompt=login consent combines both the login and consent behaviours.
login_hint False Email address Provides a hint to the authorization server as to the identity of the authorizing user. This value will be pre-filled in the email field of the login prompt if the user needs to login to Class before authorizing the request.

While the state parameter is optional as per OAuth specification, Class mandates that this parameter be used to mitigate the risk of cross-site request forgery (CSRF) attacks. State parameter should be a random value and not linked to any account and is not traceable for subsequent requests. Please see Section 10.12 of the OAuth 2.0 specification for further details. 

An example authorization request, with white space added for readability:

Authorization response

Once the request has been handled by the authorization server, the user will be redirected to the URI specified in the redirect_uri parameter in the request.

For unsuccessful requests, the response consists of a single parameter, error, with an error value as described in Error codes.

For successful requests, the response parameters are as follows:

Parameter
Value
Description
code An authorization code An authorization code that can be exchanged for an access token. As described in the following section.
state Any string The same value that was specified for the state parameter in the authorization request.

Examples of successful and unsuccessful authorization responses, with white space added for readability:

Query Response

Successful authorization response

GET https://app.class.com.au/oauth-callback?
    code=1fd827c4-9ea3-4290-a99a-84c7d62d8b11&
    state=security_token%Y2eeg2eCMB5owJ
Unsuccessful authorization response

GET https://app.class.com.au/oauth-callback?
    error=access_denied&
    state=security_token%Y2eeg2eCMB5owJ

Form POST response

Successful authorization response

POST https://app.class.com.au/oauth-callback
     Content-Type: application/x-www-form-urlencoded; charset=utf-8
     Host: app.class.com.au
     Content-Length: 77
 
     code=1fd827c4-9ea3-4290-a99a-84c7d62d8b11&
     state=security_token%Y2eeg2eCMB5owJ
Unsuccessful authorization response

POST https://app.class.com.au/oauth-callback
     Content-Type: application/x-www-form-urlencoded; charset=utf-8
     Host: app.class.com.au
     Content-Length: 57
 
     error=invalid_request&
     state=security_token%Y2eeg2eCMB5owJ

Token Request

This request requires Client authentication.

The token request is used to exchange the authorization code from the authorization response for an access token that can be used to access the Class API.

Requests are made via an HTTP POST request to the token endpoint. The URI of this endpoint should be obtained dynamically from the token_endpoint field of the Discovery document.

The following parameters are supported for token requests:

Parameter
Required

Value
Description
grant_type True authorization_code The type of OAuth 2.0 grant being exchanged. For authorization code grant requests this field must be set to authorization_code.
code True

The code from the authorization request

The code that is being exchanged for an access token. Each authorization code can only be exchanged once.
redirect_uri True The URI from the authorization request

The value must exactly match URI that was specified in the redirect_uri parameter for the authorization request.

An example token request, with white space added for readability: 

Token Response

The token endpoint returns a response in JSON format.

For unsuccessful requests, the JSON object will contain two properties, error with an error value as described in Error codes, and error_description containing a more specific, human-readable error message.

For successful requests, the JSON object will contain the following properties:

Parameter
Value
Description
access_token An access token This is the token that is used to access user resources via the Class API.
token_type bearer The type of access token. Currently, the Class API only supports Bearer tokens and this property will always have the value bearer.
refresh_token A refresh token

A refresh token that can be used to obtain a new access token without user interaction as described in Refresh request.

This property will only be included if offline_access was included in the scope parameter.
id_token An ID Token

An ID Token containing identity information about the Class user that can be used for authentication.

This property will only be included if OpenID was included in the scope parameter.
expires_in String The number of seconds until the access token expires.
scope A space-delimited list of scope values The actual scope of the access token. This may be different from what was requested in the scope parameter in the authorization request. See Authorization scope for a detailed description of this parameter and possible scope values.

Examples of successful and unsuccessful token responses, with white space added for readability:

Example successful response

HTTP/1.1 200 OK
 Content-Type: application/json;charset=UTF-8
 Content-Length: 959
 Cache-Control: no-cache
 Pragma: no-cache
 
 {
 "access_token":"CBfgN5Z5...",
 "token_type":"bearer",
 "expires_in":"899",
 "scope":"target:b/OAUTH_TEST offline_access business.fund.create fund.read",
 "refresh_token":"9e0fccdb-ec4f-4e6a-ae60-83ad66be9547",
 "BusinessName":"OAuth Test Business",
 "BusinessCode":"OAUTH_TEST"
 }

Example error response

HTTP/1.1 400 Bad Request
 Content-Type: application/json;charset=UTF-8
 Content-Length: 77
 Cache-Control: no-cache
 Pragma: no-cache
 
 {
 "error":"invalid_client",
 "error_description":"Client authentication failed"
 }

This request requires Client authentication.

The refresh request allows integrations with offline_access to obtain new access tokens without interaction from the user via an authorization request.

Requests are made via an HTTP POST request to the token endpoint. The URI of this endpoint should be obtained dynamically from the token_endpoint field of the Discovery document.

The following parameters are supported for refresh requests:

Parameter
Required

Value
Description
grant_type True refresh_token The type of OAuth 2.0 grant being exchanged. For the refresh requests, this field must be set to refresh_token.
refresh_token True

The refresh token from the original token response

The refresh token that is being exchanged for an access token. Each refresh token can only be exchanged once.

An example refresh request, with white space added for readability:

Example refresh request
POST https://app.class.com.au/connect/token
 Authorization: Basic PGNsaWVudF9pZD46PGNsaWVudF9zZWNyZXTvu78+
 Content-Type: application/x-www-form-urlencoded; charset=utf-8
 Host: app.class.com.au
 Content-Length: 75
 
 grant_type=refresh_token&
 refresh_token=9e0fccdb-ec4f-4e6a-ae60-83ad66be9547 

What's Next?

Was this article helpful?
0 out of 0 found this helpful

Related articles

Class Education

On-demand training courses and webinars to help you get the most from Class.

Click here