This feature is available with the following pricing plans: Premium, Unlimited, Pay as You Grow
This article explains how to configure OAuth 2.0 as part of your Shared Accounts authentication method.
Note: Some OAuth 2.0 implementations may differ. Contact us at any point in the setup if your implementation differs or if you encounter errors while testing.
OAuth 2.0 Flow
SchoolKeep supports OAuth 2.0 as an SSO integration, specifically the Authorization Code Grant flow. Click here to learn more.
The roles are outlined below. Click here to learn more.
- Client : SchoolKeep
- Resource owner : Learner
- Resource server : Your company server
- Authorization server : Your company server
1. Learner visits the SchoolKeep school website (e.g. https://your-school.schoolkeep.com).
2. Learner is redirected to the Authorization server “Authorize Endpoint” to authenticate and authorize. This is known as the “Authorization Request” and is described here.
3. After successful authentication and authorization, the learner is redirected back to SchoolKeep. This is known as the “Authorization Response” and is described here. As explained, the redirect URL is provided by the “Authorization Request”.
4. When the learner is redirected back to SchoolKeep in step 3, SchoolKeep uses the “authorization code” received in that step to obtain an access token from the “Token Endpoint”. This happens behind the scenes, and the learner will not see it. This is known as the “Access Token Request” and is described here.
5. The “Authorization Server” will return an access token. This is known as the “Access Token Response” and is described here.
6. SchoolKeep will then use the access token returned in step 5 to access learner details from the Resource server at the configured “Users API Endpoint”. This is basically an API request for an individual resource. This request is not specified in the OAuth specification (other than utilizing the access token). This is described here.
7. SchoolKeep will use the response from step 6 to identify the learner and create a session on SchoolKeep for that learner. The learner will now be logged in to SchoolKeep.
The flow described above is the basic OAuth 2.0 Authorization Code Grant flow. There are details in each step of the flow that can change from implementation to implementation.
- The “redirect_uri” is optional, but SchoolKeep will always provide it.
- The method of client authentication needs to be established. By default, SchoolKeep will use Basic Authentication, using the “Client Identifier” and “Client Secret”.
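The two points above translate into checks your Token Endpoint performs on each Access Token Request. The following is an added example, not SchoolKeep code or part of the original article: it assumes in-memory stores, a constructed client id, secret and redirect URI, and that the client repeats the redirect_uri in the token request as RFC 6749 section 4.1.3 requires.

```python
import base64, hmac, secrets, time

# Constructed sample data: client id, secret and stores are placeholders.
CLIENTS = {"schoolkeep-client": "s3cr3t-placeholder"}
CODES = {}  # authorization code -> (client_id, redirect_uri, expires_at)

def issue_code(client_id, redirect_uri, ttl=60):
    """Called by the Authorize Endpoint after the learner authenticates."""
    code = secrets.token_urlsafe(24)
    CODES[code] = (client_id, redirect_uri, time.time() + ttl)
    return code

def authenticate_client(headers):
    """Return the client id if the Basic credentials are valid, else None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    client_id, _, secret = decoded.partition(":")
    expected = CLIENTS.get(client_id)
    # Constant-time comparison, also performed when the client id is unknown.
    ok = hmac.compare_digest(secret.encode(), (expected or "").encode())
    return client_id if expected and ok else None

def handle_token_request(headers, form):
    """Token Endpoint handler: returns (http_status, json_body)."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    # pop() makes the code single-use, even when a later check fails.
    bound = CODES.pop(form.get("code", ""), None)
    if (bound is None or bound[0] != client_id
            or bound[1] != form.get("redirect_uri") or bound[2] < time.time()):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

Rejecting a code that was issued to a different client or redirect URI, and consuming it on first presentation, keeps an intercepted authorization code from being exchanged for a token.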
User API Endpoint Request
- The method of authentication and the format of returned data need to be established so that SchoolKeep can parse the incoming learner data. By default, SchoolKeep assumes JSON, and a format as follows:
Configuration in SchoolKeep
Click on Account in the top navigation bar and select School Settings.
Click on the Authentication tab.
Review the options in the modal and click Continue.
Select Shared Accounts from the dropdown.
Select OAuth 2.0.
Enter your Client Identifier. This value is provided by the Authorization server and is specific to SchoolKeep. Click here to learn more about this value.
Enter your Client Secret. This value is provided by the Authorization server and is specific to SchoolKeep. Click here to learn more about this value.
Enter your Authorize Endpoint. This is provided by the Authorization server configuration. It should be the same for all of your OAuth integrations. Click here to learn more about this endpoint.
Enter your Token Endpoint. This is provided by the Authorization server configuration. It should be the same for all of your OAuth integrations. Click here to learn more about this endpoint.
Enter your Users API Endpoint. This is provided by the Resource server configuration. This is not specific to OAuth. It is an API endpoint that can be used to retrieve information about a single learner with the token received from the Token Endpoint. Click here to learn more about this endpoint.
Enter a URL that you’d like the learner to be redirected to when they click “Log Out” from your school website.
Enter your company website.
Step 14 (Optional)
Choose a default group. If a default group is selected, then all learners who access the school will be added into the default group and gain access to the courses within the default group. Click here to learn more about managing course access.
Get started sharing links to your school. Anyone with an account in your system will be able to authenticate upon visiting your school. Learners will only see the courses that they have been granted access to. Click here to learn more about managing course access.
Learn more about optionally managing group access via your OAuth 2.0 solution or about managing locales via your OAuth 2.0 solution.