OIDC Provider

Content Type: Service
Categories: Authentication


The OIDC Provider can be used to build a Mendix app that acts as an OpenID provider for other apps, providing a Single Sign-On (SSO) experience for the end-users of those applications. This app could also delegate authentication of end-users to another Identity provider (IdP), causing it to act as an IAM broker.

The module supports responsive browser-based applications and has been tested with applications that use the OIDC SSO module. This module can be used in Mendix version 9.22.0 and above.

The idea is that you set up a single Mendix app which uses the OIDC SSO module to authenticate end-users with your central IdP. The same app also acts as an OIDC provider for your other apps to use as the IdP for OIDC SSO. This means it is working as an IAM (Identity and Access Management) broker for authentication and, optionally, authorization. You can easily add or remove apps from the IAM Broker app within the Mendix ecosystem using an API without each app and relevant user roles having to be added to your central IdP. However, you retain all the benefits of your central IdP in controlling on- and offboarding of users.

If you would like to use the OIDC Provider module, please send an email to jaap.francke@mendix.com


Please see OIDC Provider in the Mendix documentation for details.

If you would like to use the OIDC Provider module, please send an email to jaap.francke@mendix.com



Version: 1.1.1
Framework Version: 9.24.2
Release Notes: This version contains the following fixes/improvements: - Fixed Java dependency issue in migration file for Mendix10 compatibility
Version: 1.1.0
Framework Version: 9.24.2
Release Notes: This version contains the following improvements: - Improved adherence to OIDC specifications for standard claims in the ID-token. ‘Sub’ claim now contains the user’s UUID and not the user’s username as was the case in previous versions. This is more adherent to OIDC specifications, which improves the interoperability of SSO connections. Note that the side effect is that the module is not fully backward compatible: existing implementations with OIDC provider that extract the username from the ‘sub’ claim should migrate the logic to extract the username from ‘username’ claim instead. - We’ve standardised the way userrole (UUID) can be communicated from the OIDC provider to a Mendix app using OIDC SSO module. We advise that the apps you want to connect with OIDC Provider use OIDC SSO version 2.3.0 or higher, since that includes standarised workflows for parsing tokens. - Supports ID-token with custom claims in JSONObject format This version contains the following fixes: - We included a migration file for the Java dependencies for Studio Pro 10 compatibility. - Upgraded to Studio pro v9.24.2 - Fixed Mendix 10 compatibility issue - Fixed issue related to cookies(Ticket#186871, Ticket#186082) - Library Removed: lang3-3.1.0.jar Recommendation: After upgrading to the latest version ,there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old OIDC Provider module from the userlib folder of the project before upgrading to the latest version.
Version: 1.0.0
Framework Version: 9.22.0
Release Notes: This version supports the following: -Allows registration of Mendix apps via the client registration endpoint -It works/integrates with the platform-supported OIDC SSO module -It supports responsive web applications, using the common OAuth Authorization Code grant. -Your apps can be registered as an OIDC client with the OIDC Provider using the client registration API or client configuration screen -It supports the OIDC ‘nonce’ parameter, PKCE, and multiple client authentication methods ( client_secret_post, client_secret_basic) as security features -It publishes a well-known endpoint to communicate other endpoints and other IdP characteristics to client applications URL: /oidc/.well-known/openid-configuration -Supports Custom claims -Supports “scope” approach to communicate the authorization decision made by the OIDC Provider module.