Python Flask Quickstart Sample Code for Integrating with Okta using the Redirect Model

This repository contains a sample of integrating with Okta for authentication using the redirect model in a Python Flask app.

Read more about getting started with Okta and authentication best practices on the Okta Developer Portal.

This code sample demonstrates:

  • Configuring Okta
  • Sign-in and sign-out
  • Protecting routes
  • Displaying user profile information from the ID Token

Prerequisites

Before running this sample, you will need an Okta Integrator Free Plan account. To get one, sign up for an Integrator account. Once you have an account, sign in to your Integrator account. Next, in the Admin Console:

  1. Go to Applications > Applications
  2. Click Create App Integration
  3. Select OIDC - OpenID Connect as the sign-in method
  4. Select Web Application as the application type, then click Next
  5. Enter an app integration name
  6. Configure the redirect URIs:
     • Accept the default redirect URI values:
       • Sign-in redirect URIs: http://localhost:5000/authorization-code/callback
       • Sign-out redirect URIs: http://localhost:5000
  7. In the Controlled access section, select the appropriate access level
  8. Click Save

Creating an OIDC Web App manually in the Admin Console configures your Okta Org with the application settings. You may also need to configure trusted origins for http://localhost:5000 in Security > API > Trusted Origins.

Get the Code

git clone https://github.com/okta-samples/okta-flask-sample.git
cd okta-flask-sample

Update your .okta.env file with the values from your application's configuration:

ORG_URL=https://dev-133337.okta.com
CLIENT_ID=0oab8eb55Kb9jdMIr5d6
CLIENT_SECRET=NEVER-SHOW-SECRETS

Where are my new app's credentials?

After creating the app, you can find the configuration details on the app’s General tab:

  • Client ID: Found in the Client Credentials section
  • Client Secret: Click Show in the Client Credentials section to reveal
  • Org URL: Found in the Issuer URI field for the authorization server that appears by selecting Security > API from the navigation pane.
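
A preflight check for the .okta.env file described above, as an added example that is not part of this repository. The function names, the sample input, and the "-admin" hostname heuristic are assumptions made for illustration; the check flags a missing value, a non-HTTPS ORG_URL, the README's placeholder secret left in place, and a file that other local users can read.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

REQUIRED = ("ORG_URL", "CLIENT_ID", "CLIENT_SECRET")
PLACEHOLDER_SECRET = "NEVER-SHOW-SECRETS"  # placeholder value shown in this README
# Constructed sample input: placeholder secret plus an Admin Console hostname.
SAMPLE = """ORG_URL=https://dev-133337-admin.okta.com
CLIENT_ID=0oab8eb55Kb9jdMIr5d6
CLIENT_SECRET=NEVER-SHOW-SECRETS
"""

def parse_env(text):  # KEY=VALUE lines; blanks and # comments are skipped
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def check_okta_env(path):
    """Return problems in the env file at `path`; it holds a credential, so mode matters."""
    with open(path, encoding="utf-8") as fh:
        env = parse_env(fh.read())
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    url = urlparse(env.get("ORG_URL", ""))
    if env.get("ORG_URL") and (url.scheme != "https" or not url.hostname):
        problems.append("ORG_URL must be an https:// URL")
    elif url.hostname and "-admin." in url.hostname:
        # Assumption: Admin Console hosts carry an "-admin" suffix on the subdomain.
        problems.append("ORG_URL points at the Admin Console host")
    if env.get("CLIENT_SECRET") == PLACEHOLDER_SECRET:
        problems.append("CLIENT_SECRET is still the README placeholder")
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is readable by group or others (chmod 600)")
    return problems

def demo():  # runs the check on SAMPLE written to a private temp file
    fd, path = tempfile.mkstemp(suffix=".okta.env")  # created with mode 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        return check_okta_env(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("\n".join(demo()) or "ok")
```

Run it against the real file with check_okta_env(".okta.env") before starting Flask, and keep .okta.env out of version control.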

Enable Refresh Token

Sign in to your Okta Developer Edition account to add a required setting to your Flask Okta app to avoid third-party cookies. Navigate to Applications > Applications and select the "okta-flask-sample" application to edit. Find the General Settings and press Edit. Enable Refresh Token in the Grant type section. Save your changes.

Run the Example

To run this application, install its dependencies:

pip3 install -r requirements.txt

With variables set, start your app:

python3 -m flask run --port=5000

Navigate to http://127.0.0.1:5000 in your browser.

If you see a home page that prompts you to log in, then things are working! Clicking the Log in button will redirect you to the Okta hosted sign-in page.

You can sign in with the same account that you created when signing up for your Developer Org, or you can use a known username and password from your Okta Directory.

Note: If you are currently using your Developer Console, you already have a Single Sign-On (SSO) session for your Org. You will be automatically logged into your application as the same user that is using the Developer Console. You may want to use an incognito tab to test the flow from a blank slate.

Helpful resources

Help

Please visit our Okta Developer Forums.
