Hey everyone! 👋
I'm working with OutSystems Developer Cloud (ODC) and checking out the built-in User entity. I noticed it has fields like Id, Name, Email, PhotoUrl, and Username (as shown in the attached image), which is all great.
However, I'm a bit confused because I don't see a dedicated Password attribute like we might be used to in traditional OutSystems (or just general database modeling).
My question is:
Why is there no Password field directly on the ODC User entity? Is it hidden, automatically managed, or handled completely outside this entity?
How do we handle traditional username/password authentication (like the User_Login actions in traditional OutSystems) in ODC applications? I need to let users log in with a username and password.
Any insights on how ODC manages user credentials and authentication would be super helpful! Am I missing something fundamental about the ODC security model?
Thanks in advance for clarifying! 🙏
In OutSystems Developer Cloud (ODC), the absence of the "Password" field in the built-in "User" entity is an intentional design choice. ODC employs modern authentication practices where user authentication is handled by the underlying identity management system or an integrated external Identity Provider (IdP) that supports OpenID Connect, rather than storing and managing passwords directly within the platform. This approach enhances security by shifting the responsibility of password storage and management to dedicated authentication systems.
When using an external IdP, users authenticate through the IdP rather than directly in ODC. Once authenticated, the IdP exchanges claims with ODC, such as the user's email or username, which are then used for authorization and application access. ODC automatically registers the user upon their first successful login through the IdP, and there is no need to store passwords in the built-in User entity (see "Managing authorization and authentication for members (IT-users)").
For applications built in ODC, authentication features such as login, change password, and password recovery are provided via pre-built screens. These screens perform authentication operations using system actions and external Identity Providers, ensuring that sensitive data, such as passwords, is securely managed by dedicated authentication services (see "Custom authentication flows").
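The flow this answer describes, as an added example that is not part of the original answer and is not OutSystems code: the application verifies the ID token returned by an IdP and registers the user from its claims on first login, so the record holds Id, Name, Email, PhotoUrl and Username but never a password. The issuer, client id, key and in-memory store are constructed, and HS256 with a shared key is an assumption made so the sample runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# All values below are constructed for this example.
ISSUER, CLIENT_ID = "https://idp.example.test", "demo-app"
SHARED_KEY = b"constructed-demo-key"  # assumption: HS256 keeps the sample stdlib-only

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims: dict) -> str:
    """Stand-in for the IdP: returns a signed ID token for the claims."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_sign(f'{head}.{body}'))}"

def verify_id_token(token: str, now: float) -> dict:
    """Application side: check signature, issuer, audience and expiry."""
    head, body, sig = token.split(".")
    if json.loads(_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, ignore the header's choice
    if not hmac.compare_digest(_sign(f"{head}.{body}"), _dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_dec(body))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in audiences:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

USERS: dict = {}  # keyed by (iss, sub); there is no password column

def login(token: str, now=None) -> dict:
    """Register the user on first successful login, then reuse the record."""
    c = verify_id_token(token, time.time() if now is None else now)
    user = USERS.setdefault((c["iss"], c["sub"]), {"Id": len(USERS) + 1})
    user.update(Name=c.get("name"), Email=c.get("email"),
                Username=c.get("preferred_username"), PhotoUrl=c.get("picture"))
    return user
```

Real IdPs typically sign ID tokens with an asymmetric key published through a JWKS endpoint, in which case the verification step uses the IdP's public key instead of a shared one.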
Hello @jesu verso,
Based on my understanding, in OutSystems 11, the platform provides a built-in authentication and authorization mechanism that’s fully managed by OutSystems itself. That’s why the Password attribute is exposed: it’s needed for local authentication, such as when you want to update or reset a user’s password within your own environment.
However, in ODC, OutSystems no longer includes this built-in mechanism. Instead, it relies on external Identity Providers (IdPs) to handle authentication. You can think of the IdP as the new built-in system: it manages all authentication logic, including password handling, while your application only consumes the authenticated user’s information. Of course, you can still use your own external Identity Provider, such as Active Directory or SAML 2.0, if you prefer to manage authentication externally.
This is why the Password attribute is no longer needed or available in ODC: passwords cannot be changed within the environment itself, and the application only receives user details such as UserId, Name, and Email (excluding the password).
Also refer to these links for more details: