SSO | Notion

Single Sign-On with OIDC

User logs in to Identity Provider (Google, …) once
- or via other auth methods like OIDC
IdP creates a server-side session for the user
- Usually stored in memory, database, or Redis

IdP issues session cookie + ID token to user browser

Set-Cookie: idp_session=xyz123; Path=/; Secure; HttpOnly; SameSite=Lax

User Accesses a Relying Party (other app that wants the user logged in like YouTube, …)

Relying Party redirects user to IdP authorization endpoint (like in OAuth/OIDC)

GET <https://idp.com/authorize>?
client_id=RP_CLIENT_ID
&redirect_uri=RP_CALLBACK
&scope=openid profile email
&response_type=code

Browser auto sends session cookie: idp_session=xyz123
IdP sees that the user is already logged in, then issues authorization code immediately
RP exchanges authorization code for:
- ID Token → proves user identity
- Access Token → for API access
- Refresh Token → optional, long-lived
User is logged in to RP
- RP now creates its own session cookie:
```
Set-Cookie:rp_session=abc789;Path=/;Secure;HttpOnly
```
- Browser stores two cookies:
  1. idp_session → IdP login session
  2. rp_session → RP session