I have a Django application using the out-of-the-box Django authentication system. I need to make an integration with another web app. The users in the other web app will click a button that should take them to my web application and give them access. The other web app will send me the user's email and other data. I should create the user if it doesn't exist without asking for any credentials.
I'm not sure what approach I should take. I want something simple but not too insecure. Is SSO or OAuth the way to go? I think this is generally used to sign in with Google or Facebook, etc., but in this case we don't want to depend on Google/Facebook accounts; the users use business emails.
I'm thinking of having the third-party app use a secret key to encrypt an API token. When the user clicks the button on their app, they will send a redirect to my app with the user data and the encrypted token. I will use the secret key to validate the token and give the user access.
I want guidance on what approach is more convenient, the responsibilities of each app, and how to implement it.
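The shared-secret handoff described in the question, written out as an added example (not the poster's code): the partner app signs the user data with HMAC-SHA256 rather than encrypting it, since the Django side needs authenticity, not secrecy, and the Django side rejects tokens that are forged, expired or replayed. The secret, the 60-second lifetime, the 30-second clock-skew allowance and the in-memory nonce set are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values; both apps would load the real secret from settings/env.
SHARED_SECRET = b"demo-shared-secret-not-for-production"
TOKEN_TTL_SECONDS = 60
CLOCK_SKEW_SECONDS = 30
_seen_nonces = set()  # replay cache; a DB/Redis entry with a TTL in production


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_sso_token(email, name, secret=SHARED_SECRET, now=None):
    """Partner app: sign the user data plus issue time, expiry and a one-time nonce."""
    now = int(time.time()) if now is None else now
    payload = {"email": email, "name": name, "iat": now,
               "exp": now + TOKEN_TTL_SECONDS, "nonce": secrets.token_urlsafe(16)}
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"  # carried in the redirect, e.g. /sso/login/?token=...


def verify_sso_token(token, secret=SHARED_SECRET, now=None, seen=_seen_nonces):
    """Django app: return the user data only if the token is authentic, fresh and unused."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):  # constant-time comparison
            return None
        payload = json.loads(_b64d(body))
        if not (payload["iat"] - CLOCK_SKEW_SECONDS <= now < payload["exp"]):
            return None  # stale or not-yet-valid token
        if payload["nonce"] in seen:
            return None  # the same redirect was presented twice
        seen.add(payload["nonce"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed token, bad base64/JSON or missing claims
    # The view would now get_or_create the Django user by payload["email"] and call login().
    return payload
```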