Skip to main content

Budget 2024: The Government has announced FamilyBoost, a proposed new childcare payment to help eligible families with the rising costs of Early Childhood Education (ECE). Find out more:

A service provider application may be provided by either:

  • a third-party digital service provider
  • in-house by a client organisation or an organisation acting on behalf of a client organisation.

To create an authorisation token to access gateway services using our OAuth authorisation services, the following steps are used for both cloud and native (desktop client) application usage.

User accesses service

The authorised user is interacting with the service provider application. They access a protected service provided by us (for example, to file a return or retrieve a balance).

User is directed to myIR

The service provider application invokes the authorisation API to get an authorisation code, and the user’s browser is redirected to our logon page.

User provides myIR logon

We prompt the authorised user to provide the myIR logon, they are authenticated. On first use the authorised user must also confirm their consent for the service provider application to access our site on their behalf.

We issue authorisation code

We issue the authorisation code which is returned to the service provider application via the browser. It has a finite time to live (TTL) of 10 minutes.

Provider redeems authorisation code

The service provider application invokes our token service to redeem the authorisation code for an OAuth access token.

This OAuth access token has a finite time to live (TTL) of 8 hours. For cloud providers a refresh token is also provided with a finite TTL of 1 year.

Provider can access our protected services

The service provider application can then invoke our protected services (for example, to file a return) supplying the OAuth access token in the header.

The OAuth access token can be used for multiple invocations until it expires.

Ongoing usage

A cloud-based service provider application can use the refresh token to request another access token for ongoing usage of the gateway service until it expires.

Last updated: 28 Apr 2021
Jump back to the top of the page