Log in once, access everything without managing a hundred passwords.
Instead of every app (Slack, GitHub, JIRA) storing and verifying passwords, they delegate trust to a central Identity Provider (IdP) like Okta or Google. The app redirects you to the IdP, you prove who you are, and the IdP sends a cryptographically signed token back to the app saying "This is Alice, I verified her."
SSO relies on HTTP redirects and signed tokens (SAML assertions, or JWTs in OpenID Connect). The app (the Service Provider in SAML terms, the Relying Party in OIDC terms) never sees the user's password; all it handles is the IdP's signature and the claims inside the token.
# App's view of the SSO flow (simplified sketch: a production OIDC client also
# sends a nonce and exchanges a short-lived code for the token rather than
# reading the token straight out of the callback URL)
import secrets
import jwt                      # PyJWT
from flask import Flask, redirect, request, session

app = Flask(__name__)
app.secret_key = secrets.token_bytes(32)          # signs the Flask session cookie
IDP_PUBLIC_KEY = open("idp_public_key.pem").read()  # the IdP's published RSA public key (PEM)
CALLBACK_URL = "https://myapp.example/callback"   # fixed absolute URL registered with the IdP

@app.route('/login')
def login():
    # 1. App redirects user to IdP (e.g. Google). `state` is a random value bound
    #    to this browser session so an attacker cannot forge or replay the callback.
    session["state"] = secrets.token_urlsafe(32)
    return redirect("https://idp.com/auth?client_id=MY_APP"
                    f"&redirect_uri={CALLBACK_URL}&state={session['state']}")

@app.route('/callback')
def callback():
    # 2. IdP redirects back here with a token in the URL after user logs in
    if request.args.get('state') != session.pop("state", None):
        return "Unexpected callback (state mismatch)", 400
    token = request.args.get('token')
    # 3. App verifies the token using the IdP's public key, pinning the algorithm
    #    and checking that it came from our IdP and was issued for *this* app
    try:
        payload = jwt.decode(token, IDP_PUBLIC_KEY, algorithms=["RS256"],
                             issuer="https://idp.com", audience="MY_APP")
        session["user"] = payload["email"]
        return "Logged in successfully!"
    except jwt.InvalidTokenError:
        # covers bad signature, expiry, wrong issuer/audience and malformed tokens
        return "Token rejected", 401
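The verification step from the sketch above, worked through as an added example that is not part of the original page. It is written against the Python standard library only so it runs offline, and for that reason uses HS256 (an HMAC over a constructed shared secret) in place of the IdP's RS256 signature: with RS256 only the signature line becomes a public-key check, while the algorithm pinning and the issuer, audience and expiry checks are identical. The issuer URL, the AUDIENCE client_id and the secret are assumed values; idp_mint_token stands in for the IdP, and demo runs one valid token plus five forged or misused ones through app_verify_token.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"      # assumed IdP identity (hypothetical)
AUDIENCE = "MY_APP"                 # our client_id, as in the sketch above
SECRET = b"shared-secret-for-demo"  # constructed key standing in for the IdP's key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_mint_token(email, key=SECRET, **overrides):
    """Stand-in for the IdP: sign {iss, aud, exp, email} with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "exp": int(time.time()) + 300, "email": email}
    claims.update(overrides)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def app_verify_token(token, key=SECRET, now=None):
    """The app-side check. Returns the claims, or raises ValueError on any failure."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise ValueError("malformed token")
    # 1. Pin the algorithm. Never let header["alg"] drive verification: the
    #    'none' and algorithm-swapping attacks both rely on the verifier obeying it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Recompute the signature over the exact bytes received; constant-time compare.
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # 3. Claim checks: issued by our IdP, minted for this app, not expired.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was issued for a different app")
    current = now if now is not None else int(time.time())
    if int(claims.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return claims


def demo():
    """One valid token plus five bad ones; returns what the verifier said for each."""
    good = idp_mint_token("alice@example.com")
    hdr, body, sig = good.split(".")
    # Tampered: attacker keeps the IdP's signature but rewrites the claims.
    evil = json.loads(_b64url_decode(body))
    evil["email"] = "admin@example.com"
    # alg:none: attacker drops the signature and tells the verifier not to want one.
    none_hdr = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    cases = {
        "valid": good,
        "tampered": f"{hdr}.{_b64url(json.dumps(evil).encode())}.{sig}",
        "alg_none": f"{none_hdr}.{body}.",
        "wrong_aud": idp_mint_token("alice@example.com", aud="OTHER_APP"),
        "expired": idp_mint_token("alice@example.com", exp=int(time.time()) - 1),
        "wrong_key": idp_mint_token("alice@example.com", key=b"attacker-key"),
    }
    results = {}
    for name, tok in cases.items():
        try:
            results[name] = "accepted as " + app_verify_token(tok)["email"]
        except ValueError as e:
            results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

The order of the checks matters: the algorithm is pinned before any signature work, the signature is checked before the claims are parsed, and the audience check is what stops a perfectly valid token issued for some other client of the same IdP from logging a user into this app.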
Implementing SSO (SAML or OpenID Connect) requires managing cryptographic keys (and rotating them) and adds a few network redirects to the login latency. However, it massively reduces support costs (no more "forgot password" emails) and removes password reuse and credential-stuffing exposure from every individual app. The trade-off is that the IdP becomes the one place whose compromise unlocks everything, so its MFA and session controls deserve the scrutiny that used to be spread across each app.
The classic attack is tampering with the redirect_uri so the signed token is delivered to a phishing site instead of the real app. Whoever performs the redirect (the IdP for redirect_uri, and the app for any post-login "next" URL) must validate it against a hardcoded allowlist by exact match, never by prefix or substring, and the app should send a fixed absolute callback URL rather than one built from request input.
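An added example, not the page's own code, of what "strictly validate against an allowlist" means in practice and why a "starts with our domain" check is not it. The client_id, the registered callback and the candidate URLs are all hypothetical; naive_is_allowed is the prefix check to avoid, strict_is_allowed the exact-match version, and compare runs both over the same inputs.

```python
from urllib.parse import urlsplit

# Hypothetical registrations: client_id -> the exact callback URLs it may use
REGISTERED_REDIRECT_URIS = {
    "MY_APP": {"https://myapp.example/callback"},
}


def naive_is_allowed(client_id, redirect_uri):
    """The check people write first: does it start with our origin? (Do not use.)"""
    origins = {allowed.rsplit("/", 1)[0] for allowed in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    return any(redirect_uri.startswith(origin) for origin in origins)


def strict_is_allowed(client_id, redirect_uri):
    """Exact-match against the registration: https only, no userinfo, no fragment,
    no prefix or wildcard matching, path compared verbatim (so '..' never normalises)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    if "@" in parts.netloc:  # https://myapp.example@evil.com really points at evil.com
        return False
    canonical = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    if parts.query:
        canonical += "?" + parts.query
    return canonical in REGISTERED_REDIRECT_URIS.get(client_id, set())


# Constructed candidates an attacker might submit as redirect_uri
CASES = [
    "https://myapp.example/callback",            # the registered URL
    "https://myapp.example.evil.com/callback",   # attacker-controlled subdomain lookalike
    "https://myapp.example@evil.com/callback",   # userinfo trick: host is evil.com
    "https://myapp.example/callback/../admin",   # path games after the registered prefix
    "https://myapp.example/callback#token",      # fragment smuggling
    "http://myapp.example/callback",             # scheme downgrade
]


def compare(client_id="MY_APP"):
    """Returns {url: (naive_verdict, strict_verdict)} for every constructed case."""
    return {u: (naive_is_allowed(client_id, u), strict_is_allowed(client_id, u)) for u in CASES}


if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The prefix check accepts four of the five hostile URLs because each of them literally begins with the registered origin; the exact-match check accepts only the string that was registered. Note that urlsplit does not normalise the path, which is what you want here: a registered URL that contains no ".." should never match a candidate that does.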