A Flask application demonstrating OAuth 2.0 authentication with Okta, featuring PKCE (Proof Key for Code Exchange) for the authorization code flow, group management, user profile handling, and OpenAI ChatGPT integration for AI interactions.

Okta is an Identity Provider (IdP) that manages user authentication and authorization. It implements the OAuth 2.0 and OpenID Connect protocols so that applications can grant access securely without handling passwords directly. This demo shows how to integrate Okta's authentication services with a Python Flask application and how to put AI interactions backed by OpenAI's ChatGPT behind that authentication.
## How PKCE Works

PKCE is an extension to the OAuth 2.0 authorization framework that helps prevent certain attacks on the authorization code grant flow, such as interception or injection of the authorization code. A brief overview of the flow with PKCE:

- The client application initiates the authentication request, including a code challenge and code challenge method in the request.
- The authorization server stores the code challenge and code challenge method and, after authenticating the user, issues an authorization code to the client.
- The client then exchanges the authorization code for an access token by sending the authorization code together with the original code verifier from which the code challenge was derived.
- The authorization server recomputes the challenge from the code verifier, checks that it matches the challenge stored with the authorization code, and issues an access token, allowing the client to access protected resources on behalf of the user.
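The flow above as runnable standard-library code (an added example, not the project's `app.py`): `begin_login` and `handle_callback` mirror what this project's `/login` and `/callback` routes must do, and `server_accepts` plays the part of the token endpoint. It also covers the code verifier generation, SHA256 challenge creation and state parameter validation listed under the security features below. The issuer, client id, scopes and endpoint paths are assumed values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # RFC 7636: no '=' padding


def challenge_for(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())  # S256 method


def begin_login(issuer: str, client_id: str, redirect_uri: str) -> tuple[dict, str]:
    """/login: returns (values to keep in the server-side session, URL to redirect to).
    Only the challenge is sent to Okta; the verifier and state never leave the session."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars of fresh randomness
    state = secrets.token_urlsafe(16)            # ties the callback to this browser session
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",         # assumed scopes for this demo
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return {"pkce_verifier": verifier, "oauth_state": state}, f"{issuer}/v1/authorize?{urlencode(params)}"


def handle_callback(session: dict, query: dict, client_id: str, redirect_uri: str) -> dict:
    """/callback: verify state (CSRF/replay check), then build the token-endpoint body."""
    expected = session.pop("oauth_state", None)
    if not expected or not hmac.compare_digest(expected, query.get("state", "")):
        raise PermissionError("state mismatch: possible CSRF or replay")
    return {                       # a confidential web app also sends OKTA_CLIENT_SECRET
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": session.pop("pkce_verifier"),
    }


def server_accepts(stored_challenge: str, token_request: dict) -> bool:
    """What Okta does at /v1/token: recompute S256 over the presented verifier and
    compare it with the challenge recorded when the authorization code was issued."""
    return hmac.compare_digest(challenge_for(token_request["code_verifier"]), stored_challenge)
```

A stolen authorization code is useless without the verifier, which is why `server_accepts` rejects a token request carrying any other value.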
## Authentication Flow

1. **Initial Request**
   - User attempts to access a protected route
   - Application checks for a valid session
   - Redirects to Okta login if no valid session exists
2. **PKCE Authentication**
   - Application generates a code verifier and challenge
   - Redirects to Okta with the challenge
   - Okta authenticates the user's credentials
   - Returns an authorization code
3. **Token Exchange**
   - Application exchanges the code for tokens using the verifier
   - Receives access token, ID token, and refresh token
   - Establishes a session with the tokens
4. **Authorization**
   - Application uses the access token for API requests
   - Retrieves user profile and group memberships
   - Enforces group-based access control
## Features

### ChatGPT Access
- Secure API key management
- GPT-3.5-turbo model integration
- Real-time response handling

### AI Features
- Interactive chat interface
- Natural language processing
- Context-aware responses
- Secure access control

### OAuth 2.0 with PKCE Flow
- Secure authentication implementation
- Token management (5-minute expiration)
- CSRF protection

### User Management
- Group membership display
- Profile information
- Session handling

### Security Features
- HTTPOnly cookies
- Secure session storage
- API token protection

### OpenAI Features
- ChatGPT interaction
- Real-time responses
- Natural language interface
- Secure API access

### Debugging and Visibility
- Token visualization
- Session tracking
- Group management display
- Debug information panel
## Installation

1. Clone the repository:

   ```bash
   git clone [repository-url]
   cd okta-flask-demo
   ```

2. Create a virtual environment and install dependencies:

   ```bash
   python -m venv venv
   source venv/bin/activate  # Windows: venv\Scripts\activate
   pip install -r requirements.txt
   ```

3. Configure environment variables:

   ```bash
   cp .env.template .env
   ```

   Edit `.env`:

   ```ini
   OKTA_DOMAIN=your-domain.okta.com
   OKTA_CLIENT_ID=your-client-id
   OKTA_CLIENT_SECRET=your-client-secret
   OKTA_REDIRECT_URI=http://localhost:5000/callback
   OKTA_ISSUER=https://your-domain.okta.com/oauth2/default
   OKTA_API_TOKEN=your-api-token
   OPENAI_API_KEY=your-openai-api-key
   SECRET_KEY=your-secret-key
   ```

4. Run the application:

   ```bash
   python app.py
   ```
## Okta Setup

### Create Application
- Okta Developer Console → Applications → Create App Integration
- Select OIDC - OpenID Connect
- Choose Web Application
- Configure redirect URIs:
  - Sign-in: `http://localhost:5000/callback`
  - Sign-out: `http://localhost:5000/login`
- Grant type: Authorization Code

### API Token
- Security → API → Tokens
- Create Token
- Save the token securely
- Add it to the `.env` file

### Configure Groups
- Directory → Groups
- Create test groups
- Assign users to groups

## OpenAI Setup

### Create API Key
- OpenAI dashboard → API keys
- Generate a new key
- Add it to the `.env` file

### Model Configuration
- Default: `gpt-3.5-turbo`
- Temperature: 0.7
- Max tokens: configurable
## Security Details

### PKCE Implementation
- Code verifier generation
- SHA256 challenge creation
- State parameter validation

### Token Management
- 5-minute access token expiration
- Secure token storage
- Auto re-authentication

### Session Cookies
- HTTPOnly cookies
- Secure cookie option
- SameSite protection
- Session file storage
## Production Deployment

### Application
- Enable HTTPS
- Update `.env` configuration
- Set secure cookie options
- Configure production logging
- Set API rate limits

### Okta
- Add production URLs
- Update API token settings
- Configure trusted origins

### OpenAI
- Set OpenAI API restrictions
## Troubleshooting

### Token Expiration
- Check the debug information
- Verify token validity
- Clear the session if needed

### Group Access
- Verify API token permissions
- Check group assignments
- Review API response logs

### Session Issues
- Clear browser cookies
- Check session configuration
- Verify HTTPS settings

### AI Integration
- Verify API key validity
- Check rate limits
- Monitor response times
## Code Structure

### Routes
- `/`: Main application page (protected)
- `/login`: Initiates the OAuth flow
- `/callback`: OAuth callback handling
- `/logout`: Session termination
- `/chat`: OpenAI interaction endpoint

### Key Functions
- `login_required`: Authentication decorator
- `get_user_info`: Fetches user data and groups
- `before_request`: Request middleware
- `chat`: Handles AI interactions
## License

This project is licensed under the MIT License - see the LICENSE file for details.

## Author

Developed by Lindsay Hiebert

- GitHub: lhiebert01
- LinkedIn: lindsayhiebert

## Acknowledgments

- Okta for authentication services
- OpenAI for the ChatGPT API
- The Flask team for the web framework
- python-jose for JWT handling