Skip to content
Untis Documentation

Authentication Model

Authentication in the Untis Platform covers three distinct concerns depending on who is making the request.

User

Identifying an end user in UI/SSO scenarios — who is this person?

Application

Identifying your backend for server-to-server API access — which application is making this request?

Request

Verifying that an incoming webhook actually came from Untis Platform — is this request legitimate?

What a token allows you to access (scopes and permissions) is a separate concern — see Authorization Model.

User authentication — OIDC Authorization Code

Section titled “User authentication — OIDC Authorization Code”

User sign-in uses OpenID Connect Authorization Code flow. For platform applications, Untis Platform acts as the identity provider — users authenticate with Untis Platform and your app receives tokens to establish a session.

FlowOIDC Authorization Code
Authorize endpointv3 authorize endpoint
Token endpointv3 token endpoint
API versionv3 only — earlier endpoints not supported
SSO Integration guide Redirect URI rules, well-known configuration, token endpoint requirements, and parameter handling.

Application authentication — Client Credentials

Section titled “Application authentication — Client Credentials”

Server-to-server integrations obtain access tokens using the OAuth Client Credentials grant.

FlowOAuth Client Credentials
Token endpointv3 token endpoint with grant_type=client_credentials
Auth methodBasic Auth — username = OIDC client ID, password = platform-generated password (not the OIDC client secret)
Token lifetimeShort-lived (3 minutes) — use expires_in and cache tokens
API Reference API endpoints, data models, and authorization scopes.

Java example

Section titled “Java example”

The OneRosterClient handles token acquisition via the Client Credentials grant internally. Construct it with the tenant ID, client ID, and platform-generated password — the token is fetched and applied automatically.

OneRosterClient.java
8 collapsed lines
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClient;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;


public class OneRosterClient {


    private static final String API_URL = "https://api.integration.webuntis.dev";


    private final RestClient http;


    public OneRosterClient(String tenantId, String clientId, String password) {
        String accessToken = fetchAccessToken(tenantId, clientId, password);
        this.http = RestClient.builder()
                .baseUrl(API_URL)
                .defaultHeader(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken)
                .defaultHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE)
                .build();
    }


    private String fetchAccessToken(String tenantId, String clientId, String password) {
        String credentials = Base64.getEncoder()
                .encodeToString((clientId + ":" + password).getBytes(StandardCharsets.UTF_8));


        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");


        Map<String, Object> response = RestClient.create().post()
                .uri(API_URL + "/WebUntis/api/sso/v3/" + tenantId + "/token")
                .header(HttpHeaders.AUTHORIZATION, "Basic " + credentials)
                .header(HttpHeaders.CONTENT_TYPE,
                        MediaType.APPLICATION_FORM_URLENCODED_VALUE)
                .body(form)
                .retrieve()
                .body(Map.class);


        if (response == null || !(response.get("access_token") instanceof String token)) {
            throw new IllegalStateException("Token endpoint did not return an access_token");
        }
        return token;
    }
}

Request authentication — RSA signature

Section titled “Request authentication — RSA signature”

When Untis Platform calls your endpoints (webhooks), requests are authenticated via RSA request signing — not OAuth tokens. Your endpoint must verify the signature on every incoming request.

MethodRSA request signing
DirectionUntis Platform → Your App
Required actionVerify signature before processing any webhook payload
Verifying Untis Platform Identity Signature verification, canonicalization rules, and key handling.
Section titled “Related guides”
Authorization Model Scopes, permissions, and tenant boundaries.
SSO Integration Step-by-step OIDC implementation guide.
Verifying Untis Platform Identity RSA signature verification for incoming webhooks.
API Reference API endpoints and data models.