A service provider application may be provided by either:
- a third-party digital service provider
- in-house by a client organisation or an organisation acting on behalf of a client organisation.
To create an authorisation token to access gateway services using our OAuth authorisation services, the following steps are used for both cloud and native (desktop client) application usage.
User accesses service
The authorised user is interacting with the service provider application. They access a protected service provided by us (for example, to file a return or retrieve a balance).
User provides myIR logon
We prompt the authorised user to provide the myIR logon, they are authenticated. On first use the authorised user must also confirm their consent for the service provider application to access our site on their behalf.
User is directed to myIR
The service provider application invokes the authorisation API to get an authorisation code, and the user’s browser is redirected to our logon page.
We issue authorisation code
We issue the authorisation code which is returned to the service provider application via the browser. It has a finite time to live (TTL) of 15 minutes.
Provider redeems authorisation code
The service provider application invokes our token service to redeem the authorisation code for an OAuth access token.
This OAuth access token has a finite time to live (TTL) of 8 hours. For cloud providers a refresh token is also provided with a finite TTL of 6 months.
Provider can access our protected services
The service provider application can then invoke our protected services (for example, to file a return) supplying the OAuth access token in the header.
The OAuth access token can be used for multiple invocations until it expires.
A cloud-based service provider application can use the refresh token to request another access token for ongoing usage of the gateway service until it expires.