OIDC SSO

Content Type: Module
Categories: Authentication

Overview

Use this module to implement single sign-on to your Mendix app using an OpenID Connect (OIDC) compliant identity provider (IDP). It supports ‘normal’ Mendix apps (i.e. responsive browser-based applications) and doesn’t yet support native or hybrid mobile apps. Supporting AWS Cognito, Google, Salesforce, Apple, Okta, Ping, and Microsoft, this module manages the end-to-end SSO workflow when working with an OIDC IDP. The IDP relieves your app from logging in your end-users and, optionally, also decides which roles the user is assigned in your app, using mechanisms from the OAuth protocol.

Simply provide configuration details, decide how you'd like to provision users, and log in! 

You can use this module if your app is on Mendix 9 or later. If your app is using a previous Mendix version, you would have to upgrade your app or use the similar “OpenIDConnect Single Sign-on (OIDC, OAuth2, SSO)” module, which has community support. Both modules have similar but not the same features. Please look at release notes and documentation to make the best choice for your app.

Documentation

Please see OIDC SSO in the Mendix documentation for details.

Releases

Version: 4.2.1
Framework Version: 10.24.0
Release Notes:

This version contains the following enhancements:

  • The ‘identifier of named user configured at design time’ feature has been added, to simplify configuration for accurate user metering
  • MxReflection module dependency has been removed for a better developer/upgrade experience
  • UserCommons migration logic has been removed.
  • Translations have been removed, so custom translations are no longer overwritten when upgrading the module

Various reported problems have been fixed:

  • Deserialization of epoch to date time has been fixed in the DecodeAndVerifyJWT Java action (#265791)
  • Java Optional usage for the audience check in the DecodeVerifyJWTPlainText Java action has been fixed (#266757)
  • Null check for the role claim in the AzureRoleParse Java action has been fixed; access tokens are not required to have a roles claim (#266025, #266106)
  • CreateClaimsWithJSON Java action has been fixed; it accepts a JSON object instead of a JWT object (#266512)
  • URL encoding has been added to the REST query parameters in the GetNewAccessTokenUsingRefreshToken microflow, preventing refresh token retrieval failure with certain client_secret values (#266047)

For improved maintainability we have refactored some microflows:

  • AuthAttempt clean-up logic has been refactored
  • Unlimited entity attribute lengths have been reduced
  • Admin and User role access to the Token entity has been revised

Library Management:

Upgraded:

  • io.netty:netty-codec-http to version 4.2.9.Final
  • com.nimbusds:nimbus-jose-jwt to version 10.5
  • commons-codec:commons-codec to version 1.19.0

Version: 4.2.0
Framework Version: 10.21.1
Release Notes:

This version contains the following Fixes/Improvements/Enhancements:

- Easier to upgrade to newer module versions, since the ASU_STARTUP microflow moved under _USE ME folder and the Startup microflow no longer includes the automated user commons migration

- Migration logic for upgrading from versions below v3.0.0 to the latest has been moved to a dedicated microflow, available under _USE ME → Migration

- Token Encryption support has been added for compliance. (Ticket #258462)

- Improved XPath constraint for admin access to persisted tokens. (Ticket #243660)

- Improved implementation of nonce feature

Library Management:

Upgraded:

  • org.apache.velocity:velocity-engine-core to version 2.4.1
  • com.nimbusds:nimbus-jose-jwt to version 10.4.1
  • org.apache.commons:commons-lang3 to version 3.19.0

Added:

  • io.netty:netty-codec-http:4.2.5.Final

Removed:

  • com.auth0:jwks-rsa
  • com.auth0:java-jwt

Recommendation:

After upgrading to the latest version, there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old OIDC SSO module from the userlib folder of the project before upgrading to the latest version.

Version: 4.1.2
Framework Version: 10.21.1
Release Notes:

This version contains the following enhancements:

  • Fixed a concurrency issue to prevent inconsistent access to cached keys (Ticket #250510)
  • Fixed a concurrency issue in singleton initialization for consistent handler access (Ticket #250511)
  • Fixed an issue with missing key store configuration handling during JWK retrieval (Ticket #250512, Ticket #250513)

Version: 4.1.1
Framework Version: 10.21.0
Release Notes:

This version contains the following enhancements:

  • v.4.1.1 version for apps on Mx10.21.0 or higher
  • Ensures compatibility with Mendix 11

⚠️ Compatibility Warning for Mendix 10.21.1 Users: OIDC SSO module 4.1.0 is the latest version and includes all new features. The module version 4.1.1 is a special release intended only for Mendix version 10.21.0. If you are using Mendix 10.21.1 or above, use the OIDC SSO module 4.1.0.

Version: 4.1.0
Framework Version: 10.21.1
Release Notes:

This version contains the following enhancements:

  • v.4.1.0 version for apps on Mx10.21.1 or higher
  • Added support for Private Key JWT client authentication with configurable signing algorithm and key expiration handling (supports Okta IdP)
  • Anonymous user access is no longer required, as end-users can authenticate via the /oauth/v2/login endpoint, with support for multiple IdPs

This version contains the following fixes/Improvements:

  • Removed dependency on the Administration module by replacing references to Administration.Account with System.User for improved modularity and compatibility (Ticket #229453)
  • Improved ASU_OIDC_Startup to auto-create UserProvisioning objects for ClientConfigurations with an empty UserProvisioningFlow (Ticket #238161)
  • Used RandomStrongPasswordWithLowercase to ensure valid initial passwords when users are created (Ticket #238161)
  • Fixed ReturnURL length in ClientConfig to 2048 characters to resolve login errors (Ticket #240374)
  • We fixed CVE-2025-40571. See Siemens Security Advisory SSA-726617 for more information (Ticket #243660)

Version: 4.0.1
Framework Version: 10.12.10
Release Notes:

This version contains the following fixes/Improvements:

  • Removed dependency on the Administration module by replacing references to Administration.Account with System.User for improved modularity and compatibility (Ticket #229453)
  • Improved ASU_OIDC_Startup to auto-create UserProvisioning objects for ClientConfigurations with an empty UserProvisioningFlow (Ticket #238161)
  • Used RandomStrongPasswordWithLowercase to ensure valid initial passwords when users are created (Ticket #238161)
  • Fixed ReturnURL length in ClientConfig to 2048 characters to resolve login errors (Ticket #240374)
  • We fixed CVE-2025-40571. See Siemens Security Advisory SSA-726617 for more information (Ticket #243660)

Version: 4.0.0
Framework Version: 10.12.10
Release Notes:

This version contains the following enhancements:

  • v.4.0.0 version for apps on Mx10.12.10 or higher
  • React Ready for apps

This version contains the following fixes/Improvements:

  • Default role assigned to the user, combined with roles parsed from the access token
  • Improved efficiency during OIDC.ASU_OIDC_Startup in multi-instance environments (Ticket #230410)
  • Removed the OIDC.ACT_Account_RetrieveAccount microflow from the _USE ME folder. This microflow used to retrieve the user from the Administration module, and now it is handled within the module itself.
  • Code improvements, making it easier for customers to understand and customize the module if needed

Version: 3.3.1
Framework Version: 9.24.18
Release Notes:

This version contains the following fixes/Improvements/enhancements:

  • AuthAttempt clean-up logic has been refactored
  • Admin and User role access to the Token entity has been revised
  • URL encoding has been added to the REST query parameters in the GetNewAccessTokenUsingRefreshToken microflow, preventing refresh token retrieval failure with certain client_secret values (#266047)
  • Translations have been removed, so custom translations are no longer overwritten when upgrading the module
  • Unlimited entity attribute lengths have been reduced

Version: 3.3.0
Framework Version: 9.24.18
Release Notes:

This version contains the following fixes/Improvements/enhancements:

  • Token Encryption support has been added for compliance (Ticket #258462)
  • Improved XPath constraint for admin access to persisted tokens. (Ticket #243660)
  • Improved implementation of nonce features.

Library Management:

Upgraded:

  • com.nimbusds:nimbus-jose-jwt to version 10.4.1

Added:

  • io.netty:netty-codec-http:4.2.5.Final

Recommendation:

After upgrading to the latest version, there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old OIDC SSO module from the userlib folder of the project before upgrading to the latest version.

Version: 3.2.1
Framework Version: 9.24.18
Release Notes:

This version contains the following fixes/Improvements:

  • Improved ASU_OIDC_Startup to auto-create UserProvisioning objects for ClientConfigurations with an empty UserProvisioningFlow (Ticket #238161)
  • Fixed ReturnURL length in ClientConfig to 2048 characters to resolve login errors (Ticket #240374)