The Class API supports a subset of the OpenID Connect scope values, defined below, together with a set of custom values that restrict the scope of a request to a Fund or Business and specify the resources and operations available within that Fund or Business.
Supported OpenID Connect values
The Class API supports the following standard OpenID Connect scopes, as defined in OpenID Connect Core 1.0.

| Scope | Description |
|---|---|
| openid | Required for all OpenID Connect requests. When specified, an ID Token will be returned. |
| profile | When specified, the profile Standard Claims will be included in UserInfo responses. |
| email | When specified, the email Standard Claim will be included in ID Tokens and UserInfo responses. |
| address | When specified, the address Standard Claim will be included in UserInfo responses. |
| phone | When specified, the phone_number Standard Claim will be included in UserInfo responses. |
The class_profile scope value
When combined with the openid scope value, the class_profile scope value allows the following additional OpenID Claims to be retrieved from the UserInfo Endpoint:

| Claim | Description |
|---|---|
| business_name | The name of the user's business |
| business_code | The code for the user's business in Class |
| business_address | The address of the user's business, in the same format as the standard address Claim |
| business_phone_number | The phone number of the user's business, in the same format as the standard phone_number Claim |
| class_role | A comma-delimited list of strings describing the user's role in Class, e.g. Administrator, Access Controller, adviser |
The Target Scope Value
This scope value specifies whether the client is requesting Business-level or Fund-level access, and lets the client either name a specific Business or Fund or allow the authorising user to select one.
This scope value is required if any access specifiers are present.
The format of this scope value is target:context, where context is one of the following:
- b: Indicates the client is requesting access to a Business. The user will be prompted to select a Business as part of the authorization step.
- f: Indicates the client is requesting access to a single Fund. The user will be prompted to select a Fund as part of the authorization step.
- b/BUSINESS: Indicates the client is requesting access to the specific Business with the code BUSINESS.
- f/BUSINESS/FUND: Indicates the client is requesting access to the specific Fund with the code FUND in the Business with the code BUSINESS.
Note that the f and f/BUSINESS/FUND contexts (requesting access to a single Fund, or to a specific Fund within a Business) are currently not supported.
Access specifier scope values
Refer to the documentation for the specific API endpoints you wish to use to determine the access specifiers required by your integration.
Class strongly recommends that your integration requests the minimum set of scopes possible and does not request scopes that are not needed.
These scope values allow the client to request access to specific resources, and the operations they wish to perform using those resources.
The format of this scope value is context.resource.operation, with the components joined by dots. The components are defined as follows:
- context: The context for the resource that access is being requested for, e.g. business, fund. This component is required for each access specifier.
- resource: Indicates the resources that access is being requested for, e.g. members, funds, details. If this component is omitted, the request is for all resources within the specified context.
- operation: Indicates the operation the client is requesting access to perform, e.g. read, maintain, create. Not all operations are applicable to all resources. If this component is omitted, it defaults to read.
The initial list of supported access specifiers is:

| Access specifier | Description | Also grants |
|---|---|---|
| business.fund.list | List summarised data of funds in the business | |
| business.fund.create | Create new funds in the business | |
| fund.details.read | View basic fund details | |
| fund.details.maintain | View and maintain basic fund details | fund.details.read |
| fund.member.read | View member details | |
| fund.member.maintain | View and maintain member details | fund.member.read |
| fund.read | View all fund information | fund.*.read |
| fund.maintain | View and maintain all fund information | fund.*.maintain |
Considerations when requesting offline_access
The following additional requirements apply when the offline_access scope is requested:
- offline_access is only supported by the Authorization Code flow. It cannot be used with the Implicit flow.
- When making an Authorization request, the prompt parameter must be included and its value must be consent.
- The include_granted_scopes scope value cannot be used concurrently with the offline_access scope value. Requests for offline access must always include the full set of required access specifiers.
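As an added example (not code from the Class API documentation or from Class), the following Python encodes the rules of the target scope, access specifier and offline_access sections above into a check a client can run before sending an authorization request. It rejects the unsupported f target contexts, requires a target when access specifiers are present, follows the implied scopes listed beside fund.details.maintain, fund.member.maintain, fund.read and fund.maintain so that redundant specifiers can be dropped (Class recommends requesting the minimum set), and enforces prompt=consent and the include_granted_scopes exclusion for offline_access. The authorization endpoint, client id, redirect URI and business code are constructed placeholders, and the state parameter is a standard OAuth parameter not covered on this page.

```python
"""Validate a Class API scope request and build Authorization Code flow parameters.

Added example, not code from the Class API or its documentation. Endpoint,
client id, redirect URI and business code are constructed placeholders.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlencode

STANDARD_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}
CLASS_SCOPES = {"class_profile", "include_granted_scopes"}

# Access specifiers from the table above, mapped to the scope each one also
# grants (None when it grants nothing beyond itself); "*" matches any resource.
ACCESS_SPECIFIERS = {
    "business.fund.list": None,
    "business.fund.create": None,
    "fund.details.read": None,
    "fund.details.maintain": "fund.details.read",
    "fund.member.read": None,
    "fund.member.maintain": "fund.member.read",
    "fund.read": "fund.*.read",
    "fund.maintain": "fund.*.maintain",
}


class ScopeError(ValueError):
    """A scope list violates one of the documented rules."""


def parse_target(scope):
    """Return the context of a target:context scope; f and f/... are not yet supported."""
    context = scope[len("target:"):]
    if context == "f" or context.startswith("f/"):
        raise ScopeError(f"target context {context!r} is not currently supported")
    if context != "b" and not context.startswith("b/"):
        raise ScopeError(f"unknown target context {context!r}")
    return context


def expand(specifiers):
    """All access specifiers effectively granted, following implied scopes transitively."""
    granted, frontier = set(specifiers), list(specifiers)
    while frontier:
        implied = ACCESS_SPECIFIERS.get(frontier.pop())
        if implied is None:
            continue
        for candidate in ACCESS_SPECIFIERS:
            if fnmatchcase(candidate, implied) and candidate not in granted:
                granted.add(candidate)
                frontier.append(candidate)
    return granted


def redundant_specifiers(specifiers):
    """Specifiers already covered by the others; least privilege says leave them out."""
    requested = set(specifiers)
    return {s for s in requested if s in expand(requested - {s})}


def validate_scopes(scopes):
    """Check a scope list and return (target_context, effectively granted specifiers)."""
    if "openid" not in scopes:
        raise ScopeError("openid is required for all OpenID Connect requests")
    targets = [s for s in scopes if s.startswith("target:")]
    specifiers = [s for s in scopes if s in ACCESS_SPECIFIERS]
    unknown = [s for s in scopes
               if s not in STANDARD_SCOPES | CLASS_SCOPES and s not in targets + specifiers]
    if unknown:
        raise ScopeError(f"unknown scope values: {unknown}")
    if specifiers and not targets:
        raise ScopeError("a target scope is required when access specifiers are present")
    if "offline_access" in scopes and "include_granted_scopes" in scopes:
        raise ScopeError("offline_access cannot be combined with include_granted_scopes")
    context = parse_target(targets[0]) if targets else None
    return context, expand(specifiers)


def build_authorization_params(client_id, redirect_uri, scopes, state, prompt=None):
    """Authorization request parameters; response_type is always code because
    offline_access is only supported by the Authorization Code flow."""
    validate_scopes(scopes)
    if "offline_access" in scopes and prompt != "consent":
        raise ScopeError("offline_access requires prompt=consent")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    if prompt is not None:
        params["prompt"] = prompt
    return params


if __name__ == "__main__":
    scopes = ["openid", "class_profile", "offline_access", "target:b/EXAMPLEBUS",
              "fund.member.maintain", "fund.member.read"]  # constructed request
    print("redundant:", redundant_specifiers([s for s in scopes if s in ACCESS_SPECIFIERS]))
    params = build_authorization_params("example-client", "https://app.example/cb",
                                        scopes, "opaque-state", prompt="consent")
    print("https://auth.example/authorize?" + urlencode(params))
```

Running the script reports fund.member.read as redundant, since fund.member.maintain already grants it, and then prints the authorization URL for the constructed request. The checks are deliberately client-side: they stop a request that the Class authorization server would reject anyway, and they make over-broad scope lists visible during development rather than after the consent screen.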