Skip to main content
In this guide, you’ll learn how to configure your suite of OIDC applications to log in and perform actions on behalf of your users with your Stytch-powered app using our API. If you prefer to use pre-built UI components, see how to build wtih our frontend SDK here. This enables users of your Stytch app to use their in-house tools, external integrations, desktop apps, AI agents, any OIDC-compatible app to use your Stytch application as an Authorization Server, reducing user information duplication and simplifying the process of integrating Connected Apps with your app.
To begin the login flow, the Connected App will make a request to an Authorization URL in your Stytch-powered application. This page will need to implement a mechanism which assists carrying out the flow — it can be something as simple as a backend endpoint which handles the calls, or as complex as a dedicated frontend component. The entry point should parse out some URL parameters to supply to the Stytch OAuth Authorization flow, which you can see here. This page will need to initiate a call to start OAuth authorization, which will return information about which scopes the user should be prompted to consent to. The result of this call should be used to prompt a user for consent. Once the user confirms, the authorization flow can be finalized by calling the submit OAuth authorize endpoint. Upon a successful submission Stytch will respond with a redirect_uri and a code for the Connected App to complete the flow on its backend.
For this flow to succeed, the user must be identified, provided via either the member_id + organization_id, session_jwt, or session_id. Prior to executing the authorization call, you’ll want to check for a valid session and redirect to the login page with a return_to parameter if the user is not authenticated.

Prerequisites

In order to complete this guide, you’ll need:
  • A Stytch project. If you don’t have one already, or would like to create a new one, in the Dashboard, click on your existing project name in the top left corner of the Dashboard, click Create Project, and then select B2B Authentication or Consumer Authentication.
  • An application using either the Stytch frontend SDKs or the Stytch backend APIs.
  • A Relying Party app (the Connected App) that wishes to receive user information from your application.

Integration steps

1

Implement an Entry Point

Initiate a call to start OAuth authorization.
import os
from flask import Flask, request, make_response
from stytch import B2BClient

app = Flask(__name__)

client = B2BClient(
    project_id=os.getenv("STYTCH_PROJECT_ID"),
    secret=os.getenv("STYTCH_SECRET"),
)

def perform_authorize(
    consent_granted,
    client_id,
    redirect_uri,
    response_type,
    scopes,
    state,
    code_challenge,
    code_challenge_method,
    session_jwt,
):
    return client.idp.oauth.authorize(
        consent_granted=consent_granted,
        client_id=client_id,
        redirect_uri=redirect_uri,
        response_type=response_type,
        scopes=scopes,
        state=state,
        code_challenge=code_challenge,
        code_challenge_method=code_challenge_method,
        session_jwt=session_jwt,
    )

@app.get("/oauth/authorize")
def oauth_authorize():
    response_type = request.args.get("response_type", "code")
    scope_str = request.args.get("scope", "")
    client_id = request.args.get("client_id")
    redirect_uri = request.args.get("redirect_uri")
    state = request.args.get("state")
    code_challenge = request.args.get("code_challenge")
    code_challenge_method = request.args.get("code_challenge_method")

    scopes = [s for s in scope_str.split(" ") if s]
    session_jwt = request.cookies.get("stytch_session_jwt")

    base_params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scopes": scopes,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": code_challenge_method,
        "session_jwt": session_jwt,
    }

    start_resp = client.idp.oauth.authorize_start(**base_params)

    if start_resp.consent_required:
        # See Step 2: Render consent screen
        return make_response("Consent required", 200)

    auth_resp = perform_authorize(consent_granted=True, **base_params)

    resp = make_response("", 307)
    resp.headers["Location"] = auth_resp.redirect_uri
    return resp

if __name__ == "__main__":
    app.run(port=3000)
2

Render consent page

If consent is required, we need to render a page informing what scopes are requested. Otherwise, skip ahead to Step 3.
def render_consent_html(scopes, hidden):
    return f"""
<html>
  <body>
    <h1>Consent required</h1>
    <p>This app is requesting access to:</p>
    <ul>
      {''.join([f'<li>{s}</li>' for s in scopes])}
    </ul>
    <form method=\"post\" action=\"/oauth/authorize/submit\">{''.join([f'<input type=\"hidden\" name=\"{k}\" value=\"{v}\" />' for k, v in hidden.items()])}<button type=\"submit\">Continue</button></form>
  </body>
</html>
"""
3

Complete authorization request

Once the authorization request is submitted, authorization is complete.
from flask import request, make_response

@app.route("/oauth/authorize/submit", methods=["POST", "GET"])
def oauth_authorize_submit():
    response_type = request.values.get("response_type", "code")
    scope_str = request.values.get("scope", "")
    client_id = request.values.get("client_id")
    redirect_uri = request.values.get("redirect_uri")
    state = request.values.get("state")
    code_challenge = request.values.get("code_challenge")
    code_challenge_method = request.values.get("code_challenge_method")
    consent_granted = (request.values.get("consent_granted", "false").lower() == "true")

    scopes = [s for s in scope_str.split(" ") if s]
    session_jwt = request.cookies.get("stytch_session_jwt")

    auth_resp = perform_authorize(
        consent_granted=consent_granted,
        client_id=client_id,
        redirect_uri=redirect_uri,
        response_type=response_type,
        scopes=scopes,
        state=state,
        code_challenge=code_challenge,
        code_challenge_method=code_challenge_method,
        session_jwt=session_jwt,
    )

    resp = make_response("", 307)
    resp.headers["Location"] = auth_resp.redirect_uri
    return resp
4

Configure Stytch for the component

Enter the URL where the component is mounted into the Authorization URL field in the Connected Apps section of the Stytch Dashboard.Authorization Url Pn
5

Create a new Connected App in the dashboard

After Stytch handles verification of the user and the application’s ability to access the user’s information, Stytch will issue a redirect. To set this up, each Connected App is also configured in the Connected Apps section of the Dashboard.
This redirect is intended to go to a callback URL which should be supplied by the Connected App. The redirect will pass an authorization code - a short-lived credential that the Connected App will use to complete the authorization flow.
Create a new Connected App and specify what type of user consent and OIDC flow the Connected App should expect. Stytch supports connecting a few types of client apps which vary based on how much user consent is appropriate and specifics of the OIDC flow.Create New App PnSelect Client Type Pn
6

Configure the Connected App

Continue to configure the Connected App. Make sure to take a note of the “Client ID” and the “Client secret” (for confidential apps); these will be needed by the Connecting App to complete the Authorization Code Flow.App Details PnThe Connected App will also supply a Redirect URL for receiving the login information from Stytch after the initial login is complete. This should be entered into the “Redirect URLs” field.At this point, off-the-shelf software should be prepared to authorize as a Connected App with Stytch. If implementing your own Connected App, see this guide to learn more.Integrate With Ai Agents Redirect Urls Pn