Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (name and password) to access multiple applications. SSO can be used by enterprises, smaller organizations and individuals to ease the management of various usernames and passwords.

Role-based access control (RBAC) restricts network access based on a person’s role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.

In this we are using Python Flask framework and OKTA API’s for backend development.

Features :

  1. Single sign on
    • Easy management : Using SSO synchronises passwords and user information, which makes access to different platforms and resources easier.
    • Security : This authentication system improves network and application security. Single Sign On can uniquely identify a user, and it therefore complies with the most demanding safety standards. Information provided by SSO moves encrypted across the network.
    • Ease of use : SSO solutions improve the user experience by avoiding the interruptions caused by password requests to access their IT tools.The user is authenticated once and the system allows him to access the resources for which he is authorised.
    • Seamless : Access to all applications by the user takes place seamlessly due to sign-in automation.
  2. Role Based Access Control
    • Easy audit : Easily audit user privileges and correct identified issues
    • Easy Modification : Quickly add and change roles, as well as implement them across APIs

Challenges faced :

  • Remember passwords : Remember each application password you need to access . Passwords are a double edged sword while they can protect resources and systems, they are also easy to forget.
  • Time consuming : Its time consuming to type password into each application you need to access.
  • Security : Any user can access sensitive data without role based access control.

Solutions :

  1. Users log in once and get one click access to all the resources they need with help of SSO.
  2. The amount of time saved in this might seem quite small, but all of the time normally spent finding and logging into individual applications adds up. With SSO, users spend more time working.
  3. With hundreds or thousands of employees, security is more easily maintained by limiting unnecessary access to sensitive information based on each user’s established role within the organization with help of role based access control.

Okta Integration with python :

Okta is a free to use API service that stores user accounts, and makes handling user authentication, authorization, social login, password reset, etc.

Okta utilizes open standards like OpenID Connect to make integration seamless.

To get started, you need free Okta developer account: https://developer.okta.com/signup/ . Once you’ve created your account and logged in, follow the steps below configure Okta and then you’ll be ready to write some code!

Setting up OKTA account

Step 1: Store Your Org URL The first thing you need to do is copy down the Org URL from the top-right portion of your Okta dashboard page. This URL will be used to route to your authorization server, communicate with it, and much more. You’ll need this value later, so don’t forget it.

Store your Org. URL

Step 2: Create an OpenID Connect Application

Okta allows you to store and manage users for multiple applications you might be creating. This means that before we can go any further, you need to create a new OpenID Connect application for this project.

Applications in OpenID Connect have a username and password (referred to as a client ID and client secret) that allow your authorization server to recognize which application is talking to it at any given time.

To create a new application browse to the Applications tab and click Add Application.

Create an OpenID Connect Application

Next, click the Web platform option (since this project is a web app).

Settings page

On the settings page, enter the following values:

Name: Simple Flask App

Base URIs: http://localhost:5000 (Base URIs depends on application domain and port)

Login redirect URIs: http://localhost:5000/oidc/callback (Login redirect URIs depends on application domain and port)

You can leave all the other values unchanged.

Now that your application has been created, copy down the Client ID and Client secret values on the following page, you’ll need them later when we start writing code.

Step 3: Create an Authentication Token

Creating authentication token

In order to access the Okta APIs and be able to manage your user accounts with a great deal of granularity, you’ll also need to create an Okta authentication token. This is an API key that will be used later on communicate with the Okta APIs and allows you to do things like:

  • Create, update, and delete users
  • Create, update, and delete groups
  • Manage application settings

To create an authentication token click the API tab at the top of the page followed by the Create Token button. Give your token a name, preferably the same name as your application, then click Create Token. Once your token has been created, copy down the token value as you will need it later.

Creating token

Step 4: Create an OpenID Connect Config File

Create a new file named client_secrets.json in the root of your project folder and insert the following code.

Adding json

Be sure to replace the placeholder variables with your actual Okta information.

  • Replace {{ OKTA_ORG_URL }} with the Org URL on your dashboard page
  • Replace {{ OKTA_CLIENT_ID }}} with the Client ID on your application page
  • Replace {{ OKTA_CLIENT_SECRET }} with the Client secret on your application page

This file will be used by the Flask-OIDC library which we’ll be configuring in a moment. These settings essentially tell the OpenID Connect library what OpenID Connect application you’re using to authenticate against, and what your authorization server API endpoints are.

The URIs above simply point to your newly created Okta resources so that the Flask library will be able to talk to it properly.

Step 5: Configure Flask-OIDC

Configure in app.py

What we’re doing here is configuring the Flask-OIDC library.

  • The OIDC_CLIENT_SECRETS setting tells Flask-OIDC where your OpenID Connect configuration file is located (the one you created in the previous section).
  • The OIDC_COOKIE_SECURE setting allows you to test out user login and registration in development without using SSL. If you were going to run your site publicly, you would remove this option and use SSL on your site.
  • The OIDC_CALLBACK_ROUTE setting tells Flask-OIDC what URL on your site will handle user login. This is a standard part of the OpenID Connect flows. This is out of scope for this article, but if you want to learn more, go read our OpenID Connect primer.
  • The OIDC_SCOPES setting tells Flask-OIDC what data to request about the user when they log in. In this case, we’re requesting basic user information (email, name, etc.).
  • The SECRET_KEY setting should be set to a long, random string. This is used to secure your Flask sessions (cookies) so that nobody can tamper with them. Make sure this variable stays private. It should never be publicly exposed. Finally, after all the configuration is finished, we initialize the Flask-OIDC extension by creating the oidc object.

Make sure you replace {{ OKTA_ORG_URL }} and {{ OKTA_AUTH_TOKEN }} with the values you wrote down in the first section of this tutorial. These two variables are mandatory so the okta library can communicate with the Okta API service.

This function will be executed each time a user makes a request to view a page on the site before the normal view code runs

The code above is where the magic happens. This function will be executed each time a user makes a request to view a page on the site before the normal view code runs. What this function does is:

  • Check to see whether or not a user is logged in via OpenID Connect or not (the oidc.user_loggedin value is provided by the Flask-OIDC library)
  • If a user is logged in, it will grab the user’s unique user ID from the user’s session, then use that ID to fetch the user object from the Okta API

In all cases, there will be a newly created value: g.user. In Flask, you can store request data on the g object, which can be accessed from anywhere: view code, templates, etc. This makes it a convenient place to store something like a user object so it can easily be used later on.

Step 6: Enable User Registration, Login, and Logout

There are only a few things different here:

  • You now have a login view. The view will redirect the user to Okta (the OpenID Connect provider) to register or login. This is powered by the @oidc.require_login decorator which is provided by the Flask-OIDC library. Once the user has been logged in, they’ll be redirected to the dashboard page.
  • The logout view is also present. This simply logs the user out using the oidc.logout() method and then redirects the user to the homepage.

And with that, your application is now fully functional!

Single Sign On :

For sso(single sign on) you need more than 1 application, you have to create second application by following the step 2 to step 6 except authentication token.

Use same authentication token in second application’s app.py file.

Role based access control :

Group information and user information is needed to implement role based access control in application.

Following okta API’s you can use to get group information and user information.

  • Fetch all group information present in our organisation URL :

            api : ‘{{ORG_URL}}/api/v1/groups’

  • Fetch all members of particular group using group id :

            api : ‘{{ORG_URL}}/api/v1/groups/{{group_id}}/users

Reference :

Randall Degges 2018,Anon, accessed 19 May 2020

Leave a Reply