On this page
Sign users in to your web app using the redirect model
Add a user sign-in flow to a server-side web app with Okta's redirect model (opens new window).
Learning outcomes
- Implement a simple redirect to an Okta-hosted sign-in page.
- Configure a server-side web app to use Okta.
- Test that users can sign in and sign out.
- Define which parts of an app require authentication and which don't.
What you need
Sample code
Overview
The easiest and most secure way to add a user sign-in flow to your server-side web app is to use an Okta-hosted Sign-In Widget. When a user attempts to sign in, the app redirects them to the widget hosted on an Okta web page. After they've signed in successfully, Okta redirects them back to the app. This is known as the redirect authentication deployment model.
Note: To use the redirect model in a single-page application (SPA), see Sign users in to your SPA using the redirect model. To use the redirect model in a mobile app, see Sign users in to your mobile app using the redirect model.
In this quickstart, you:
- Create an app integration in the Admin Console.
- Create and configure a new web app to use Okta.
- Test that a user can sign in and sign out.
- Configure different levels of access for specific areas of the site.
Tip: You need your Okta org domain to follow this tutorial. It looks like
dev-123456.okta.com
. See Find your Okta domain. Where you see{yourOktaDomain}
in this guide, replace it with your Okta domain.
Create an app integration in the Admin Console
An app integration represents your app in your Okta org. Use it to configure how your app connects with Okta services.
To create an app integration for your app:
Open the Admin Console for your org.
- Sign in to your Okta organization (opens new window) with your administrator account.
- Click Admin in the upper-right corner of the page.
Go to Applications > Applications to view the current app integrations.
Click Create App Integration.
Select OIDC - OpenID Connect as the Sign-in method.
Select Web Application as the Application type, then click Next.
Note: You can break the sign-in or sign-out flows for your app if you choose the wrong app type.
Enter an App integration name. For example, My first web application.
Enter the callback URLs for the local development of your app.
- Enter
- Enter
Note: The values suggested here are those used in the sample app.
- Enter
Select Allow everyone in your organization to access for Controlled access.
Click Save to create the app integration.
The configuration page for the new app integration appears. Keep this page open.
Note: For a complete guide to all the options not explained in this guide, see Create OIDC app integrations (opens new window).
Note your client ID and client secret
Make a note of two values that you use to configure your web app. Both are in the configuration pane for the app integration that you've created:
- Client ID: Found on the General tab in the Client Credentials section.
- Client Secret: Found on the General tab in the Client Credentials section.
Moving on, where you see {clientId}
and {clientSecret}
in this guide, replace them with your client ID and client secret.
Create and configure a new web app to use Okta
Now that you have created the app integration and noted the configuration settings, complete the following steps:
- Create a web app.
- Add the required packages to your app
- Configure your app to use Okta
- Add the pages and logic for a user to sign in and sign out
Create a web app
Add the required packages to your app
Configure your app to use Okta
Earlier you noted the client ID and client secret values generated for your app integration. Add these and your Okta domain to your app's configuration.
Add the pages and logic for a user to sign in and sign out
A user can start the sign-in process by:
- Clicking a sign-in link or button
- Trying to access a protected page, such as their profile page.
In both cases, the app redirects the browser to the Okta-hosted sign-in page. See Redirect to the sign-in page.
After the user signs in, Okta redirects the browser to the sign-in redirect URI that you entered earlier. Similarly, after a user signs out, Okta redirects the browser to the sign-out redirect URI. Both sign-in and sign-out redirect URIs are called callback routes. Users don't see callback routes, and they aren't the user's final destination. However, your app does need to implement them. See Define a callback route.
After the user signs in, Okta returns some of their profile information to your app. The default profile items (called claims) returned by Okta include the user's email address, name, and preferred username. These are sent in an ID token (opens new window) as part of the redirect to the sign-in redirect URL. See Get the user's information.
Redirect to the sign-in page
Note: To customize the Okta sign-in form, see Style the Okta-hosted Sign-In Widget.
Define a callback route
Get the user's information
After a user signs in, the application has ID and access tokens from Okta in session storage. In this section, you create a simple profile page that uses an access token to query for and display a user's basic information.
Create templates/profile.html.
Add the code to display the user's name after the user signs in:
<div> <h2>My Profile</h2> <p>Hello, <span>{{ user.name }}</span>.</p> </div>
Create user.py.
Add the code for a custom user model to store information about the signed-in user:
from flask_login import UserMixin # Simulate user database USERS_DB = {} class User(UserMixin): """Custom User class.""" def __init__(self, id_, name, email): self.id = id_ self.name = name self.email = email def claims(self): """Use this method to render all assigned claims on profile page.""" return {'name': self.name, 'email': self.email}.items() @staticmethod def get(user_id): return USERS_DB.get(user_id) @staticmethod def create(user_id, name, email): USERS_DB[user_id] = User(user_id, name, email)
Open
app.py
.Add a route handler for
/profile
to the end of the file:@app.route("/profile") def profile(): return render_template("profile.html", user=current_user)
Import the user model into the
app.py
file by adding the following code immediately above the route handler for/
:from user import User @login_manager.user_loader def load_user(user_id): return User.get(user_id)
Note: The claims that you see may differ depending on the scopes requested by your app. See Configure your app to use Okta and Scopes (opens new window).
Test that a user can sign in and sign out
Your site now has enough content to sign a user in with Okta, prove they've signed in, and sign them out. Test it by starting your server and signing a user in.
Start your app with the Flask server:
flask run
Open a browser and go to
http://localhost:5000
.Click Sign In. The browser redirects you to Okta to sign in using the Sign-In Widget.
After you've signed in, click Profile. The profile page displays the user information returned by Okta.
Click Sign Out. The browser returns you to the home page.
Configure different levels of access for specific areas of the site
Your app can require authentication for the entire site or just for specific routes. Routes that don't require authentication are accessible without signing in, which is also called anonymous access.
Require authentication for everything
Some apps require user authentication for all routes, for example a company intranet.
You can use a middleware function or the @before_request
decorator to protect every endpoint so that only authenticated users have access. For example:
@app.before_request
def check_valid_signin():
endpoint_group = ('/profile', '/signout')
if request.endpoint in endpoint_group and not is_authenticated():
return render_template('signin.html', next=request.endpoint)
Require authentication for a specific route
Your website may have a protected portion that is only available to authenticated users.
You can use the @login_required
decorator to achieve this. For example:
@app.route("/profile")
@login_required
def profile():
return render_template("profile.html", user=current_user)
Allow anonymous access
Your website may enable anonymous access for some content but require a user to sign in for other content or to take some other action. For example, an ecommerce site might allow a user to browse anonymously and add items to a cart, but require a user to sign in for checkout and payment.
Any routes you don't explicitly protect have anonymous access:
- Remove the
@before_request
decorator block fromapp.py
to stop all pages and resources requiring authentication before they can be accessed. - Add the
@login_required
decorator just to the specific routes that require authentication, as seen in the previous section. Any other routes have anonymous access.
Next steps
- Protect your API endpoints.
- Custom domain and email address
- Style the Okta-hosted Sign-In Widget.
- Sign users in to your mobile app using the redirect model
- Multi-tenant solutions
Okta Developer Blog:
- Flask Tutorial: Simple User Registration and Login (opens new window)
- Build a Simple CRUD App with Flask and Python (opens new window)
- How to Write a Secure Python Serverless App on AWS Lambda (opens new window)
- Build a CRUD App with Python, Flask, and Angular (opens new window)
- Build a Simple CRUD App with Python, Flask, and React (opens new window)