I’m using Python 3.11.x and the Litestar (https://litestar.dev/) framework. Litestar is somewhat like FastAPI, but they are different enough that the supplied examples do not work, and the Flask examples seem to be made for Python 2.x.
Without using any OKTA endpoints or libraries I have Bearer Token working.
I would like to enable SSO using OKTA.
Can I simply do an HTTP POST with a username, password, and secret to the OKTA server and get a Token?
I did find this endpoint {server}/oauth2/default/.well-known/oauth-authorization-server which displays this information plus a lot of other stuff.
"issuer": "oauth2/default",
"authorization_endpoint": "oauth2/default/v1/authorize",
"token_endpoint": "oauth2/default/v1/token",
"registration_endpoint": "oauth2/v1/clients",
"jwks_uri": "oauth2/default/v1/keys",
I’m open to using any of the four methods (SAML, OpenID, etc.), maybe even all of them, although currently my company uses SAML and the documentation that I read stated that OpenID should be used.
Can you point me to the documentation or examples that I should follow so that I can get SSO working?
As Okta supports the OpenID Connect and SAML standards, I would mostly recommend looking into open source libraries that are compatible with litestar that will help you implement either of those standards.
Redirect Model
If you are all right with redirecting to the Okta login page to let users authenticate with their username, password, and any other MFA/authenticators, you should be set in a good place to get started with the library you choose.
Widget front-end, Python backend
If you instead want a more customized login experience and want an embedded/native login page, you could look to use our Widget (use this doc if you are in an Okta Identity Engine org, and this one if you’re in a Classic org) on the front end of your application to handle the primary authentication flow and kick off the /authorize request (we’re pretty big fans of OIDC over here, so most of our samples, libraries, and guides are focused on how to implement OIDC in integrations). Your Python backend would then handle the rest of the flow to exchange the code returned for tokens and manage the user’s session and all that.
SPA front-end, Python API
I’ll also toss out that, since litestar sounds to be used for building APIs, that you could have a separate SPA application to handle the primary authentication and OIDC flow (we have Angular, React, and Vue SDKs for this) and then take the access token returned to the SPA and send it to your litestar API as the Authorization for the request. This is the same strategy we’ve implemented for the Flask Resource Server example we have.
If you go this way, or if you generally want your litestar integration to handle only the authorization portion and not the authentication (into Okta, into the client side application), your Python integration would just need to handle Access Token validation, for which we have a Python JWT verifier library that will hopefully/in theory play well with litestar.
Let me know if I’ve gone too far in depth or if I can clarify any of the options you have (there might be some mixing and matching possible, depending on your needs).
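An added example of the redirect model described in the answer, written for this page and not taken from the question, the answer, Okta, or Litestar; it uses only the standard library. It builds the /authorize redirect with a state value and PKCE from a discovery document shaped like the one quoted in the question, checks the callback, and assembles the code-for-token exchange request. The issuer hostname, client id and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed discovery document shaped like the one quoted in the question (placeholder host).
ISSUER = "https://PLACEHOLDER.okta.com/oauth2/default"
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": f"{ISSUER}/v1/authorize",
    "token_endpoint": f"{ISSUER}/v1/token",
    "jwks_uri": f"{ISSUER}/v1/keys",
}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_pkce_verifier() -> str:
    return b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range

def pkce_challenge(verifier: str) -> str:
    """S256 method (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(discovery, client_id, redirect_uri, state, verifier):
    """Redirect the browser here; Okta handles password/MFA and returns a code."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,  # bound to the user's session; checked on the way back
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}"

def parse_callback(query_string: str, expected_state: str) -> str:
    """Return the code, rejecting error responses and state mismatches (CSRF)."""
    q = parse_qs(query_string)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: reject the callback")
    return q["code"][0]

def build_token_request(discovery, client_id, redirect_uri, code, verifier):
    """Form body for the back-end POST to token_endpoint (confidential clients add client_secret)."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}
    return discovery["token_endpoint"], form
```

Validating the returned ID/access token signature against jwks_uri (what the JWT verifier library mentioned above does) is not shown here.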