Hi guys,
We are integrating a new application on ODC that uses Okta as the external identity provider. We have set it up following OutSystems' documentation here: https://success.outsystems.com/documentation/outsystems_developer_cloud/user_management/configure_authentication_with_external_identity_providers/use_external_identity_providers_in_an_app/, and here: https://success.outsystems.com/documentation/outsystems_developer_cloud/user_management/configure_authentication_with_external_identity_providers/add_okta_for_use_as_an_external_identity_provider/
This application will then need to call a separate API and we wanted to use Okta for authentication in accessing this API as well. Is there any way available to retrieve the access token from Okta after logging in to our ODC application? As far as I am able to tell so far, after Okta authentication is completed, ODC creates and only maintains its own identity and access tokens.
Hi Quentin,
Sadly this is currently not possible.Some new User functionality is currently on the roadmap.
Hopefully this includes access to received tokens or possibility to build your own external IDP integration (as currently you have no option to login or logout a user server side).
Kind regards
Hi Dieter,
Thanks for sharing this information.
Can you share how you know about this? Did you submit a support ticket and get this response or perhaps discuss this with a personal contact within OutSystems?
I did notice ODC has limited access to user functions compared to O11. Did you have requirements that needed to make use of these, and if so, could you share what you approach you ended up taking?
I am also facing a similar issue with Auth0. It's been a while, and I wonder if Outsystems can now support this issue. This issue is very critical for my project.
Hi,
Sadly the newly released User Management API's aren't linked to the IDP part, only providing services on top of the User table.
Currently there is no way to retrieve any extra information or interact with the ODC IDP outside of the default way.
If any deviation is needed, you will need to build your own IDP broker to exist between the ODC IDP and your target IDP. Connecting the ODC one to your broker, and your broker to the target. This is technically possible but required deep knowledge of OpenID workings
Hi OS Community,
There is a need to call userinfo endpoint on IDP to retrieve additional information about the user. The endpoint requires access token. As far as I can see there is no way to get access token from the IDP connector. Is there a way to achieve this? We are trying to do this on ODC.
Hi Gadar,OutSystems recently released new features for this purpose. Allowing you to retreive the Access token trough an API in ODC. https://success.outsystems.com/documentation/outsystems_developer_cloud/odc_rest_apis/api_authentication_and_authorization/get_access_token/
Thank you for your reply. But the link you provided serves a different purpose, to authenticate against ODC to invoke ODC APIs. The question is still on how to call the endpoint on external identity provider, a common use case is to retrieve additional information about the user from the identity provider.
Hi Gadar,
Indeed, my apologies, the provided documentation doesn't cover the described requirement.
During the Lisbon One Conference 2025, it was announced that functionality would be added to retrieve the logged in User access token. But I haven't seen it deployed or documented.Kind regards
That's good news though.
I saw your reply earlier about building a custom broker between ODC IDP and target IDP, that sounds like a deep one. I can't imagine user being redirected to broker, then target IDP then back to ODC.
Do you think it is possible to build our own IDP directly on ODC and use it? We tried to explore but unlike O11, ODC does not allow user login with just userid.
Hi Gadar,It's good news. But for now, it is only scheduled for Q3 2026 on the roadmap.Yes, it's feasible. I have seen a custom build broker on ODC working, OutSystems professional services has build one themselves. So it's possible, but no easy feat. A good knowledge of the targeted Authentication flow/pattern is needed