Download the PHP package grantholle/laravel-powerschool-auth without Composer

On this page you can find all versions of the php package grantholle/laravel-powerschool-auth. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package laravel-powerschool-auth

Laravel PowerSchool Auth

Use PowerSchool as an identity provider for your Laravel app, supporting the original OpenID 2.0 implementation, as well as OpenID Connect that was introduced in PowerSchool 20.11.

OpenID 2.0 are links that are within PowerSchool that are sent to your application to perform a data exchange. It can only be performed from PowerSchool to your app. OpenID Connect is a way for users to authenticate against PowerSchool directly from your application and provides a better user experience overall.

Installation

Configuration

First publish the config file, config/powerschool-auth.php.

The configuration is separated by the different user types, staff, guardian, and student. The OpenID Connect OAuth flow supports four types (staff, teacher, parent, student), but for the sake of flexibility staff and teacher will be merged into the singular staff type. The parent OIDC persona will reference the guardian key in the config.

Usage

This assumes you have a plugin installed on your instance of PowerSchool with something similar to the following in your plugin.xml file. The

Use the PowerSchool documentation for more details on tag and attribute meaning. In short, the oauth tag supports configuration about an OpenID Connect OAuth flow, while the openid tag has details about OpenID 2.0 authentication. Installing that plugin will inject links in the application popout menu for only staff. Now we need to create a controller that handles authentication with PowerSchool.

OpenID 2.0

First, let's make the OpenID 2.0 authentication controller:

After the controller is generated, we need to add the trait that handles all the authentication boilerplate.

Now let's add the applicable routes to your web.php file:

By default, the verification route back to PowerSchool is expected to be /auth/powerschool/openid/verify, but that can be changed by overwriting getVerifyRoute() as discussed below.

Once the user opens your SSO link in PowerSchool, there will be the OpenID exchange and data will be given to your app from PowerSchool. There are several "hooks" where you can change the behavior without having to modify the underlying behavior itself. Here is a snippet of the functions and their default behavior you can overwrite in your controller.

OpenID Connect

Note: This requires a PowerSchool version of 20.11 or newer.

OpenID Connect (OIDC) provides a better experience from your application to use PowerSchool as an Identity Provider. You can send a user from your app to their PowerSchool server to authenticate, then back to your app with some information. For OIDC to work, you must include these keys in your .env:

You will notice that these are shared with the grantholle/powerschool-api to avoid duplication.

Next, we'll need to create another controller:

After the controller is generated, we need to add the trait that handles all the authentication boilerplate.

Now let's add the applicable routes to your web.php file:

Now when users visit /auth/powerschool/oidc in your application, the OAuth flow begins with PowerSchool. If the user is already logged in to PowerSchool, it seamlessly logs in without interruption. If they aren't logged in to PowerSchool, they are brought to a prompt in PowerSchool to log in via admin, teachers, parents, or students, depending on your configuration in your plugin. Be sure to read the docs on the allow-persona sub elements in the docs for the ability to restrict the user types that can authenticate. You may also pass a persona or _persona query variable to tell PowerSchool the type of user that is authenticating. This will allow PowerSchool to bypass the user type prompt and go directly to the desired login page. For example:

The above link will tell PowerSchool that a parent is authenticating, so it can take them directly to the /public login page. You can also allow for longer authenticated sessions by adding a remember query variable with a truthy value, such as 1 or true. By default, it is false. For example:

Just like the OpenID 2.0 "hook" functionality, the OIDC trait has the same ability to modify user attributes and other behavior.

Caveats

Right now there is no SAML integration because it's considerably more complicated to include. There also is the question, why add it if OpenID works? It's more configurable, but also adds a lot more complexity. I'm willing to add it once I have the bandwidth and will certainly entertain a pull request to include it.

That being said, PowerSchool doesn't support the <identityAttribute/> configuration to customize the user's identity attribute. For OpenID 2.0, as far as I can tell, it defaults to {url}/oid/{usertype}/{username}. In our company we have experienced unwanted behavior if the username contains weird characters. For example, it's valid in PowerSchool to have Chinese/Korean usernames. The identifier that gets sent is just encoded spaces, i.e. {url}/oid/guardian/%20%20%20. For some reason email addresses work ok, thankfully.

This also means that if a user's username changes who has already authenticated in your application, they will be authenticated as a new user because their OpenID identifier has also changed. For this reason you may want to configure a different attribute, such as email, to be used as the identifying attribute. It depends on whether you expect emails or usernames to change more often.

For OpenID Connect, there is an included sub attribute. According to the docs:

It is the unique and unchanging identifier for the authenticated user, which will never be reused for any future users.

This sounds as if it will always be unique despite the username, as is the problem with OpenID 2.0. However, if there are shared user accounts (staff have a parent account), those accounts would be separate. This is why often times I will use email despite the potential risks. OpenID Connect also excludes student IDs for guardians and admin schools for staff, which is unfortunate. You will have to provide your own PowerQuery for getting that information based on the user.

If you do use email, I would suggest leaving the entry for email in attribute_transformers that returns the email address in a lowercase format. This way, it doesn't matter how the format it came to our application as it will be normalized in our own database.

The attribute_transformers classes only need to have an __invoke() magic method that accepts the original value as the argument.

Example data

Here are examples of the attribute exchange from PowerSchool:

OpenID 2.0:

OpenID Connect:

License

MIT


All versions of laravel-powerschool-auth with dependencies

PHP Build Version
Package Version
Requires php Version ^8.1
ext-curl Version *
ext-json Version *
ext-libxml Version *
grantholle/pear-openid Version ^2.0
illuminate/support Version ^8.0|^9.0|^10.0|^11.0
illuminate/http Version ^8.0|^9.0|^10.0|^11.0
spatie/url Version ^2.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package grantholle/laravel-powerschool-auth contains the following files

Loading the files please wait ....