OAuth 2
Please ensure you have a good understanding of the OAuth2 workflows within the OAuth2 GitHub documentation.
OAuth2 allows the TASS Parent Orbit app and third party products to connect to TASS.web APIs as an entity (e.g. a parent) and uniquely identify that entity in order to return targeted data. It does not require the entity (e.g. parent) to share any password data; instead it uses authorisation 'bearer' tokens to identify the entity. It is separate from the existing LDAP, SAML or proprietary Username/Password combination.
The OAuth2 method provides Mobile Apps with the ability to perform push notifications.
Parents are required to log in to the Parent Orbit or other Mobile App and give their consent for the app to identify them. Once authorised, the mobile app receives a unique identifier for the parent and can call the OAuth2 API endpoints.
As a security provision, TASS has implemented PKCE (Proof Key for Code Exchange) to provide an extra layer of protection in the authorisation flow against malicious attacks.
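The PKCE protection mentioned above, as an added example that is not TASS code: the mobile client creates a code_verifier and an S256 code_challenge as defined in RFC 7636, and the authorisation server only completes the code exchange for the party that can present the matching verifier. The flow is modelled locally; no TASS.web endpoint, client ID or redirect URI is assumed.

```python
import base64
import hashlib
import secrets

# Hypothetical RFC 7636 (PKCE) helpers for illustration only. The
# authorisation server and token endpoint are modelled in-process here;
# nothing below talks to TASS.web.


def b64url_no_pad(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier (32 random bytes -> 43 characters)."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, stored_challenge: str) -> bool:
    """Server side: reject verifiers outside the RFC length bounds, then
    recompute the challenge and compare it in constant time."""
    if not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)


def simulate_flow(code_holder_lacks_verifier: bool = False) -> bool:
    """Model the authorisation-code exchange: the server stores the challenge
    with the issued code; the token endpoint releases tokens only to the
    party that presents the verifier behind that challenge. A party that
    obtained the code without the verifier (modelled by presenting a fresh,
    unrelated verifier) is refused."""
    verifier = make_code_verifier()
    issued = {
        "code": secrets.token_urlsafe(16),  # constructed sample code
        "code_challenge": make_code_challenge(verifier),
    }
    presented = make_code_verifier() if code_holder_lacks_verifier else verifier
    return verify_code_challenge(presented, issued["code_challenge"])
```

Running `simulate_flow()` returns True for the legitimate client and `simulate_flow(True)` returns False, which is the property PKCE adds on top of the bearer-token flow.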
Adding an OAuth2 Application
- Click Add an OAuth2 Application and enter details.
OAuth2 Application Details | Description
---|---
*Application ID | An alphanumeric text field (max 40 characters).
*Application Type | Select from the drop-down menu. 'Parent' is currently the only option for third party apps. 'Orbit Parent' is for users of TASS.web's parent mobile app.
*Application Name | A text field (max 1,000 characters).
*Login Title | A text field (max 400 characters). This is displayed to parents on the OAuth login screen (LDAP or TASS.web login only).
*Authorisation Title | A text field (max 400 characters). This is displayed to parents on the OAuth login screen.
*Redirect URI | A text field (max 1,000 characters). The App provider can supply this value.
Redirect URI 2 | A text field (max 1,000 characters).
Redirect URI 3 | A text field (max 1,000 characters).
Redirect URI 4 | A text field (max 1,000 characters).
* | Enter the number of days the authorisation remains valid for (between 1 and 90).
School Logo | Click 'Choose File' to locate and upload your school logo. Not available when the 'Orbit Parent' application type is selected.
OAuth2 Scope - API Access
For the 'Parent' application type, refer to the OAuth2 GitHub documentation for these details. For the 'Orbit Parent' application type, select each component that you wish to share between TASS.web/Staff Kiosk and the Parent Orbit app.
SAML Configuration | Description
---|---
* | Select Yes or No.
SP Entity ID | A user-definable value used to identify the OAuth2 app in your SAML identity provider.
SP Endpoint | This value is derived from the TASS.web product domain and Application Type. Format is: https://[tassweb product domain]/tassweb/api/[application type]/oauth/SAML/index.cfm
IDP Metadata URL | A URL obtained from the identity provider. 'Fetch IDP Metadata XML': click to check whether there is an entry in the IDP Metadata URL field and to populate the remaining fields from it.
IDP Metadata XML | A free text field.
Certificate (X.509) | An encrypted free text field. 'Extract IDP Certificate (X.509)': click to generate the certificate (if it was not populated previously or if changes have been made).
SP Metadata XML | A free text field. 'Generate SP Metadata XML': click to generate (if it was not populated previously or if changes have been made). 'Download SP Metadata XML': this button becomes active after performing a Save; click it to download the SP Metadata XML.
SP Private Key | 'Add Private Key' is not required unless advised.
- Click Save.
- Click Download SP Metadata XML.
- Re-upload the SP Metadata XML to the SAML IDP.
For more information, refer to https://github.com/TheAlphaSchoolSystemPTYLTD/OAuth2
Permission
Access to this tab requires a security permission.
Use TASS.web program System Admin > Users > Security Role Permissions > Administration section > 'API Gateway Maintenance' > 'OAuth2 API Applications' permission.