Hello, I want to create an app that exposes an endpoint which receives a username and password, then validates the login and sends back the authentication status, possibly along with a session token in ODC.
This is for a project that consists of two applications: One is the backend, which holds all the database and data; The other is a client app that only reads the data exposed by the backend and performs some small operations like creating and updating records. However, I want the login system to be centralized in the backend and consumed by the client app.
Thank you
Hi Daniel,
Thank you for the clarification regarding your use.
Recommended Solution: Option A – Use Federated Authentication
It's designed to work securely with a centralized Identity Provider (IdP) like Azure AD, Auth0, or others. Here's how you can implement it:
Configure a shared authentication provider (IdP) in both your backend and client applications.
Ensure the user logs in through this common IdP.
After login, the client app will receive a JWT token (access token).
The client app includes this token in API calls to the backend (Authorization: Bearer ).
The backend validates the token and authorizes access accordingly.
This approach ensures that:
Authentication is centralized.
Credentials are never exposed or handled manually.
Tokens can be securely used across apps to authorize access.
Option B (Not Recommended): Manual Login API
Creating a REST API that accepts a username and password requires building a custom Users table, handling password encryption, token generation, and all the related security aspects manually. Since this bypasses the secure authentication model provided by ODC, it is not recommended and could introduce security risks.
Hope Option A will work.
Thanks,
Senthil
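The token check described in Option A (client sends Authorization: Bearer, backend validates and then authorizes) as an added, stand-alone example; it is not part of Senthil's answer or of any OutSystems/ODC code. To run offline it stands in for the IdP itself and signs with HS256 under an assumed shared secret; the issuer URL, audience name and secret are assumptions. A real IdP such as Azure AD or Auth0 normally signs with RS256 and publishes its public keys via JWKS, so the signature step would use the IdP's public key instead, but the issuer, audience, expiry and pinned-algorithm checks are the same.

```python
# Added example (not from the original thread or from ODC): what the backend in
# Option A has to check before trusting a bearer token. HS256 with a shared secret
# is used only so the example runs offline; the secret, issuer and audience below
# are assumptions for the demo.
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"assumed-shared-secret-for-demo"  # assumption: demo secret only
EXPECTED_ISSUER = "https://idp.example.com/"        # assumption: the IdP's issuer URL
EXPECTED_AUDIENCE = "backend-api"                   # assumption: audience registered for the backend


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, lifetime_seconds=300, now=None):
    """Stand-in for the IdP: issues an HS256 JWT that the client app would receive after login."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": subject, "iat": now, "exp": now + lifetime_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_bearer(authorization_header, now=None):
    """Backend side: returns the verified claims, or raises ValueError with the reason."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers unpack errors, bad base64 (binascii.Error) and bad JSON
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token's own "alg" pick the check ("none", downgrade).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def authorize_request(authorization_header, now=None):
    """What an exposed API would return: (IsAuthenticated, message-or-subject)."""
    try:
        claims = validate_bearer(authorization_header, now)
    except ValueError as exc:
        return False, str(exc)
    return True, claims["sub"]


if __name__ == "__main__":
    # Constructed exchange: the client presents the token it got from the IdP.
    token = mint_token("daniel", now=1_700_000_000)
    print(authorize_request("Bearer " + token, now=1_700_000_100))  # (True, 'daniel')
    print(authorize_request("Bearer " + token, now=1_700_000_400))  # (False, 'token expired')
```

The order of the checks matters: signature before claims, so no claim in an unverified token is ever used; and the algorithm is pinned by the backend rather than read from the token, which is what defeats `alg: none` and key-confusion downgrades. The generic failure messages are fine to log but should not leak into the client response with more detail than IsAuthenticated = False.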
Hello @Daniel Borges ,
Create a new server action (Login User Action) and expose it as a REST API.
1. Accepts Username and Password via a POST request as input parameters
2. Validates user credentials against the system (can use built-in Users or custom table)
3. If credentials are valid:
4. If invalid, returns IsAuthenticated = False with an appropriate message
Hope this works.
Hi Senthil Nathan A, thanks for your reply.
Actually, this method sounds nice because I want to use the built-in Users. But the question is, how can I validate the credentials that I receive in the server action? Is there a dedicated (System) server action that validates them, or do I need to do a manual validation?
Thank you
Hi @Daniel Borges
Thanks for your reply. Please try the below steps.
Use the Built-in Login Action
OutSystems provides a secure and proper way to validate credentials using the built-in Login action.
Steps:
Add a dependency on the Login server action from the Users module:
Use the Login action in your server logic (e.g. in a server action exposed via a REST API):
Pass in the Username and Password.
Handle the result:
If the credentials are valid, the user is logged in and a session is created.
If invalid, the Login action throws an exception.
Wrap in Try-Catch:
Catch the exception and return a response like IsAuthenticated = False.
Hi @Senthil Nathan A
Thank you for your reply.
I've tried the suggested steps, but the main issue I'm facing is that there is no Login server action available. As shown in the screenshots below, the only server action I have is called "StartUserRegistration". However, even this action doesn't receive a password, and the built-in Users table doesn't contain a password attribute either.
Another point to note is that while there is a Login action, it's a client action, which means I can't use it in an API context.
Please keep in mind that this is ODC, not OS11.
Thank you very much!
Create a service action (since server actions are not public in ODC) which is consumable from another application. Inside this service action, we need to consume a server action (which we need to define in the same application) that holds all the logic for login and also returns the responses to the consumer.
Now the consumer application can use the service action we just defined.
Cheers,
Sant