Skip to main content
Version: 1.27 (Current)

Open ID Connector

Audience: System Administrator, Citizen Developer

Skill Prerequisites: Authentication, Portal Configuration

This module provides OpenId Connect Authentication integration for DNN (DotNetNuke) portals. It enables you to configure OIDC or OAuth2 login providers and manage secure authentication flows for your users.

Typical Use Cases

  • Enable user login/register via an external OIDC-compliant Identity Provider (e.g., Azure AD, Okta, Google).
  • Automatically redirect to external providers on DNN's login page.
  • Map external user claims to DNN user profile properties and manage user creation/matching.
  • Configure custom actions on user authorization and login.
Action NameDescription
User ManagementAllows for management (creation, update, deletion) of user accounts.
Configure System OAuth ProvidersSystem-level action for managing OAuth/OIDC providers.
Apply TokensUseful for working with claim mappings and dynamic login flows.

Input Parameter Reference

ParameterDescriptionSupports TokensDefaultRequired
Enable AuthenticationEnables OIDC authentication on this portalNooffYes
Auto RedirectAutomatically redirects DNN login requests to providerNooffNo
Hide DNN login formHides DNN native login UI, showing only social/external loginsNooffNo
Custom CSSScoped CSS to style the login/register buttonsNoemptyNo
Mobile Login InsecureAllow HTTP for mobile login API (testing)NooffNo
Callback URIs InsecureAllow HTTP for login/logout URIs (testing)NooffNo

For Providers:

ParameterDescriptionSupports TokensDefaultRequired
Enable providerEnables or disables this ProviderNoonYes
Provider NameThe friendly display name (shown on buttons)Non/aYes
Provider TypeOIDC/OAuth2 (protocol implementation)NoOpenIdConnectYes
IssuerProvider's Issuer URI (must match id_token 'iss' claim)Non/aYes
WellKnown EndpointOverride the discovery endpointNoblankNo
ScopesSpace-delimited list of extra scopesNoopenid profile email auto-addedNo
Client IdOAuth client credentialNon/aYes
Client SecretOAuth secretNon/aYes
Token EndpointOAuth2 token endpoint, if not in metadataNoblankOAuth2 only
User Endpoint(OAuth2) endpoint for user infoNoblankOAuth2 only
OAuth2 Claim MappingMap external claim names to OIDC standard claimsNoblankOAuth2 only
Claim MappingAdditional custom claim mappingNoblankNo
Auto Match Existing UsersFind user by email if already in DNNNooffNo
On Authorized ActionsActions after successful login (token access)YesblankNo
On Match Existing User ActionsActions during matching usersYesblankNo
Validate Access TokenAlso validate access token against keysNooffNo
Access Token aud Claim NameCustomizes the "aud" claim keyNoblankNo
Logout LocalOnlyOnly log user out locallyNooffNo
Logout LocalFirstDo local logout before provider logoutNoonNo
Logout URIOverrides metadata end_session_endpointNoblankNo
Logout URI Parameter MappingMap query parameters on logoutNoblankNo
Send Id Token HintPasses id_token_hint in logout queryNoonNo
Send Client IdPasses client_id in logout queryNooffNo
Mobile Login Client IdClient ID override for mobile endpointsNoblankNo

Output Parameters Reference

ParameterDescription
User TokenSuccessful logins set authentication cookie and user context.
Claims TokensAll OIDC/OAuth user claims are provided as tokens ([Claims:claimname]).
Raw Claims JSONToken [Claims] contains raw JSON with all claims.

Security

  • HTTPS Usage: By default, all callbacks and discovery endpoints require HTTPS. Use the "Insecure" settings only for local or development environments.
  • User Account Matching: If "Auto Match" is enabled, make sure user emails are unique and trusted.
  • Token Handling: Custom actions have access to user claims—never store/expose sensitive tokens unless needed.

What happens during authentication?

  1. User lands on Login page — (Optional: auto-redirects to the configured provider).
  2. Authorization Request — OIDC/OAuth flow redirects to the provider for login.
  3. Callback — Provider calls back, code exchanged for tokens.
  4. User Claims — User info claims fetched, mapped, and (if matched or new) a DNN user is authorized/created.
  5. Post-login Actions — "On Authorized" actions are triggered with claim tokens.

Examples

1. Configure a Standard OpenId Connect Provider (e.g. Microsoft Azure AD)

{
"Portal": 0,
"IsEnabled": true,
"Providers": [
{
"IsEnabled": true,
"ProviderName": "Azure AD",
"ProviderType": "OpenIdConnect",
"Issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
"ClientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"ClientSecret": "SECRET123",
"Scopes": "User.Read",
"OAuth2ClaimMapping_Sub": "oid",
"OAuth2ClaimMapping_Email": "email",
"OAuth2ClaimMapping_GivenName": "given_name",
"OAuth2ClaimMapping_FamilyName": "family_name",
"OnAuthorizedActions": [
{
"ActionType": "SendEmail",
"Parameters": {
"To": "[Claims:email]",
"Subject": "Welcome!",
"Body": "User [Claims:given_name] just logged in."
}
}
]
}
]
}

2. Custom Logout Flow (SSO Sign-Out)

{
"LogoutUri": "https://identity.example.com/logout",
"LogoutUri_SendIdTokenHint": true,
"LogoutUri_SendClientId": true,
"LogoutUriParameterMapping": {
"post_logout_redirect_uri": "https://portal.example.com/?ctl=logoff"
}
}

3. Map Non-standard Claims from OAuth2 Provider

{
"ProviderName": "Custom OAuth2",
"Issuer": "https://sso.corp.example.com",
"ProviderType": "OAuth2",
"Scopes": "",
"OAuth2ClaimMapping_Sub": "user_id",
"OAuth2ClaimMapping_Email": "user_email",
"OAuth2ClaimMapping_GivenName": "first_name",
"OAuth2ClaimMapping_FamilyName": "last_name",
"ClaimMapping": {
"department": "dept"
}
}

See Also

  • OAuth2 / OIDC Specification documentation
  • DNN Platform User Management
  • Apply Tokens
  • Custom Actions Documentation