Enterprise-grade OpenID Connect authentication for Magento 2, supporting both customer (frontend) and admin (backend) users with automatic user provisioning and role management.
Modern e-commerce platforms require secure, centralized authentication. This module bridges Magento 2 with your corporate Identity Provider (IdP), eliminating password management overhead while enhancing security.
Key Benefits:
- Unified Identity Management: Single source of truth for user authentication across your organization
- Zero-Touch Provisioning: Automatically create customer and admin accounts on first login
- Enhanced Security: Eliminate password-based attacks, enforce IdP-level MFA, centralize access control
- Seamless Integration: Works with Magento's native authentication—all security events fire correctly
- Rich Attribute Mapping: Map 30+ OIDC claims to Magento fields (address, phone, date of birth, customer groups)
- Compliance Ready: Centralized audit trails, GDPR-compliant identity management
- ✅ Dual Authentication Flows: Separate customer (frontend) and admin (backend) SSO
- ✅ Just-in-Time (JIT) Provisioning: Auto-create users with group/role mapping
- ✅ OIDC Group Mapping: Map IdP groups to Magento admin roles and customer groups
- ✅ Security Enhancements: CAPTCHA bypass, password verification bypass for OIDC users
- ✅ Cross-Origin Session Handling: SameSite=None cookies for IdP redirects
- ✅ JWT Token Verification: RS256/384/512 signatures with JWKS caching
- ✅ Optional OIDC-Only Mode: Disable password logins entirely
- ✅ Comprehensive Debug Logging: Detailed flow logs for troubleshooting
- ✅ Test Configuration UI: Verify OIDC claims before production deployment
- Authelia
- Keycloak
- Auth0
- Okta
- Azure Active Directory (Azure AD)
- Google Workspace
- Any OIDC-compliant Identity Provider
- PHP: 8.2 or higher
- Magento: 2.4.7 or higher
- Identity Provider: OIDC-compliant IdP (OpenID Connect 1.0)
- HTTPS: Required for production (SameSite=None cookies require Secure flag)
composer require miniorange_inc/miniorange-oauth-sso
bin/magento module:enable MiniOrange_OAuth
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flushIn your IdP's OAuth/OIDC client configuration, register this callback URL:
https://your-magento-site.com/mooauth/actions/ReadAuthorizationResponse
Important: Replace your-magento-site.com with your actual domain. The protocol must be HTTPS in production.
-
Navigate to Stores > Configuration > MiniOrange > OAuth/OIDC
-
Fill in OAuth Settings:
- App Name: Identifier for your IdP (e.g.,
authelia,keycloak) - Client ID: OAuth client ID from your IdP
- Client Secret: OAuth client secret from your IdP
- Authorize Endpoint: Authorization endpoint URL (e.g.,
https://auth.example.com/api/oidc/authorization) - Token Endpoint: Token exchange endpoint URL (e.g.,
https://auth.example.com/api/oidc/token) - User Info Endpoint: User information endpoint URL (e.g.,
https://auth.example.com/api/oidc/userinfo) - Scope: OAuth scopes (typically:
openid profile email groups)
- App Name: Identifier for your IdP (e.g.,
-
Save Config
- Click Test Configuration button in the OAuth Settings page
- You'll be redirected to your IdP for authentication
- On successful return, you'll see all OIDC claims received from your IdP
- Use this to verify claim names for attribute mapping (next step)
-
Navigate to Stores > Configuration > MiniOrange > OAuth/OIDC > Attribute Mapping
-
Map OIDC claims to Magento fields:
- Email Attribute: Claim containing user email (default:
email) - Username Attribute: Claim containing username (default:
preferred_username) - First Name Attribute: Claim containing first name (default:
firstNameor split fromname) - Last Name Attribute: Claim containing last name (default:
lastNameor split fromname) - Group Attribute: Claim containing group memberships (default:
groups)
- Email Attribute: Claim containing user email (default:
-
(Optional) Configure address mappings for customer auto-population:
- Billing and shipping address fields (city, state, country, address, phone, zip)
- Date of birth, gender, phone mappings
-
Save Config
-
Navigate to Stores > Configuration > MiniOrange > OAuth/OIDC > Sign In Settings
-
Configure auto-provisioning:
- Auto Create Customers: Enable to automatically create customer accounts on first login
- Auto Create Admin Users: Enable to automatically create admin accounts on first login
- Default Customer Group: Group assigned to new customers if no OIDC group mapping matches
- Default Admin Role: Role assigned to new admins if no OIDC group mapping matches
-
Configure SSO buttons:
- Show Customer SSO Link: Display "Login with SSO" button on customer login page
- Show Admin SSO Link: Display "Login with SSO" button on admin login page
-
(Optional) Enable OIDC-only mode:
- Disable Non-OIDC Admin Logins: Force all admins to use OIDC (
⚠️ create emergency admin via CLI first)
- Disable Non-OIDC Admin Logins: Force all admins to use OIDC (
-
Enable Debug Logging (recommended for initial setup):
- Check Enable debug logging to write detailed flow logs to
var/log/mo_oauth.log
- Check Enable debug logging to write detailed flow logs to
-
Save Config
| Setting | Description | Example |
|---|---|---|
| App Name | Identifier for your IdP | authelia, keycloak |
| Client ID | OAuth client ID from IdP | magento-store |
| Client Secret | OAuth client secret (encrypted in database) | your-secret-here |
| Authorize Endpoint | IdP authorization URL | https://auth.example.com/api/oidc/authorization |
| Token Endpoint | IdP token exchange URL | https://auth.example.com/api/oidc/token |
| User Info Endpoint | IdP user information URL | https://auth.example.com/api/oidc/userinfo |
| Scope | OAuth scopes (space-separated) | openid profile email groups |
| JWKS Endpoint | (Optional) JWT verification keys URL | https://auth.example.com/api/oidc/jwks |
| Logout URL | (Optional) IdP logout URL | https://auth.example.com/api/oidc/logout |
Tip: Most OIDC providers support auto-discovery via .well-known/openid-configuration. Check your IdP's documentation.
Map OIDC claims (from your IdP) to Magento user fields:
- Email Attribute: OIDC claim containing email (required, default:
email) - Username Attribute: OIDC claim containing username (default:
preferred_username) - First Name Attribute: OIDC claim for first name (default:
firstName) - Last Name Attribute: OIDC claim for last name (default:
lastName) - Group Attribute: OIDC claim containing group memberships (default:
groups)
- Date of Birth Attribute: Claim for DOB, format YYYY-MM-DD (default:
birthdate) - Gender Attribute: Claim for gender (default:
gender) - Phone Attribute: Claim for phone number (default:
phone_number)
Map billing and shipping addresses (30+ fields total):
- Billing Address:
billing_city,billing_state,billing_country,billing_address,billing_phone,billing_zip - Shipping Address:
shipping_city,shipping_state,shipping_country,shipping_address,shipping_phone,shipping_zip
Tip: Use Test Configuration to see actual claim names from your IdP. Claim names are case-sensitive.
- Auto Create Customers: Automatically create Magento customer accounts on first OIDC login
- Auto Create Admin Users: Automatically create Magento admin accounts on first OIDC login
- Default Customer Group: Fallback group if no OIDC group mapping matches
- Default Admin Role: Fallback role if no OIDC group mapping matches
Admin Role Mapping:
- Set Group Attribute Name to the OIDC claim containing groups (e.g.,
groups,roles,memberOf) - Add mappings: OIDC Group → Magento Admin Role
- Example:
Engineering→Content Editors - Example:
Finance→Sales - Matching is case-insensitive
- Example:
Customer Group Mapping:
- Similar to admin role mapping, maps OIDC groups to Magento customer groups
- Example:
VIP→VIP Customer Group(with special pricing)
- Show Customer SSO Link: Display "Login with SSO" button on customer login page
- Show Admin SSO Link: Display "Login with SSO" button on admin login page
- Disable Non-OIDC Admin Logins: Force all admins to use OIDC authentication
⚠️ Warning: Create an emergency admin via CLI before enabling this:bin/magento admin:user:create
- Enable debug logging: Writes detailed flow logs to
var/log/mo_oauth.log - Auto-expires: Logs older than 7 days are automatically deleted
- Privacy: Contains user emails and OIDC claims — handle securely
- Customer clicks "Login with SSO" on frontend login page
- Magento redirects to IdP authorization endpoint
- Customer authenticates at IdP (username/password, MFA if configured)
- IdP redirects back to Magento callback URL with authorization code
- Magento exchanges authorization code for access token and ID token
- Magento extracts user information from tokens (email, name, groups, etc.)
- Magento creates or matches customer account:
- If email exists: logs in existing customer
- If email doesn't exist and auto-create enabled: creates new customer with mapped attributes
- Customer session established, redirected to original page (shopping cart, checkout preserved)
- Admin navigates to
/adminand clicks "Login with SSO" - Magento redirects to IdP (same as customer flow)
- Admin authenticates at IdP
- IdP redirects back to Magento callback URL
- Magento exchanges authorization code for tokens
- Magento checks if email exists in
admin_usertable:- If exists: proceeds to admin login
- If doesn't exist and auto-create enabled: creates admin user with role mapping
- Magento calls native
Auth::login()with OIDC marker - Security plugins activate:
- CAPTCHA automatically bypassed (user already authenticated at IdP)
- All standard Magento authentication events fire correctly
- Admin session established, redirected to admin dashboard
Add an SSO button to your custom theme:
Layout XML (app/design/frontend/YourVendor/YourTheme/Magento_Customer/layout/customer_account_login.xml):
<referenceBlock name="customer_form_login">
<arguments>
<argument name="oauth_helper" xsi:type="object">MiniOrange\OAuth\Helper\OAuthUtility</argument>
</arguments>
</referenceBlock>Template (.phtml file):
<?php
/** @var \MiniOrange\OAuth\Helper\OAuthUtility $oauthHelper */
$oauthHelper = $block->getData('oauth_helper');
$customerLoginUrl = $oauthHelper->getSPInitiatedUrl();
?>
<div class="sso-login-button">
<a href="<?= $escaper->escapeUrl($customerLoginUrl) ?>"
class="action primary">
<span><?= $escaper->escapeHtml(__('Login with SSO')) ?></span>
</a>
</div>Symptom: After IdP authentication, you see an error about callback URL mismatch.
Cause: Callback URL registered in IdP doesn't match the URL Magento is sending.
Solution:
- Verify callback URL in IdP configuration matches exactly:
https://your-magento-site.com/mooauth/actions/ReadAuthorizationResponse - Check protocol (HTTP vs HTTPS)—must use HTTPS in production
- Check for trailing slashes (some IdPs are strict about this)
- If behind a load balancer, verify
X-Forwarded-Protoheader handled correctly
Symptom: User logs in successfully but profile fields are empty, or you see "attribute not found" errors.
Cause: OIDC claim names from IdP don't match your attribute mapping configuration.
Solution:
- Enable debug logging: Stores > Configuration > MiniOrange > OAuth/OIDC > Sign In Settings > Enable debug logging
- Click Test Configuration to see actual claim names from your IdP
- Check
var/log/mo_oauth.logfor lines like:Received OIDC claims: {"email": "[email protected]", "preferred_username": "user", ...} - Update Attribute Mapping to match actual claim names (case-sensitive)
- Common mismatches:
emailvsEmailfirstNamevsgiven_namevsnamegroupsvsrolesvsmemberOf
Symptom: OIDC authentication succeeds but admin account not created, error "Admin account not found".
Cause: Role mapping failed—no suitable Magento admin role found for user's OIDC groups.
Solution:
- Check logs:
var/log/mo_oauth.logwill show:AdminUserCreator: No suitable role found for user. Creation aborted. - Verify Group Attribute Name configured correctly (e.g.,
groups,roles) - Verify user's IdP profile includes group information in that claim
- Check Admin Role Mapping:
- At least one mapping should match user's groups
- Or set a Default Admin Role as fallback
- Test with Test Configuration to see if groups claim present
Example configuration:
- IdP sends:
{"groups": ["Engineering", "Developers"]} - Attribute Mapping: Group Attribute Name =
groups - Role Mapping:
Engineering→Content Editorsrole
Symptom: After IdP authentication, you're redirected back to Magento but see "session expired" or login page again.
Cause: Cross-origin cookie issues—session cookie not preserved across IdP redirect.
Solution:
- Verify HTTPS enabled—SameSite=None cookies require Secure flag (HTTPS only)
- Check browser console for cookie warnings:
Cookie "PHPSESSID" has been rejected because it is in a cross-site context and its "SameSite" is "Lax" or "Strict" - Module automatically sets
SameSite=None; Secure; HttpOnlyon all cookies - If behind a load balancer, verify SSL termination configured correctly
- Test in different browser (some browsers block third-party cookies by default)
Symptom: Password-based admin logins no longer work, only OIDC login accepted.
Cause: "Disable non-OIDC admin logins" setting enabled.
Solution:
- Check setting: Stores > Configuration > MiniOrange > OAuth/OIDC > Sign In Settings > Disable Non-OIDC Admin Logins
- If enabled and you need password login:
- Temporarily disable via database:
UPDATE miniorange_oauth_client_apps SET disableNonOidcAdminLogin = 0;
- Or create emergency admin via CLI:
bin/magento admin:user:create
- Temporarily disable via database:
- Safety net: If "Show Admin SSO Link" is disabled, password logins automatically allowed (prevents lockout)
-
Check logs:
var/log/mo_oauth.log— OIDC flow details (enable debug logging first)var/log/system.log— General Magento system logsvar/log/exception.log— PHP exceptions and errors
-
Enable debug logging:
- Stores > Configuration > MiniOrange > OAuth/OIDC > Sign In Settings > Enable debug logging
- Logs auto-expire after 7 days
-
Test Configuration:
- Click Test Configuration in OAuth Settings to verify IdP connectivity and claim structure
-
Review documentation:
- TECHNICAL_DOCUMENTATION.md — Detailed API reference and architecture
- CLAUDE.md — Developer guidance for code modifications
-
Contact support:
- GitHub Issues: (repository URL)
- Commercial Support: MiniOrange support portal
OAuth/OIDC requires HTTPS in production:
- IdP callback URLs must use HTTPS protocol
- SameSite=None cookies (required for cross-origin flows) only work with Secure flag
- Unencrypted HTTP will fail with most IdPs
Development exception: Some IdPs allow HTTP for localhost testing only.
- Access tokens and ID tokens stored in PHP session only, never in database
- Session lifetime: Standard Magento session timeout (default: 86400 seconds = 24 hours)
- Refresh tokens: Not currently stored (logout requires re-authentication at IdP)
Module validates JWT tokens using:
- Signature verification: RS256/384/512 algorithms with JWKS keys from IdP
- Expiration validation: Rejects expired tokens
- Issuer validation: Verifies token issued by configured IdP
- Audience validation: Ensures token intended for this Magento instance
OAuth state parameter includes session ID to prevent CSRF attacks:
- State format:
encodedRelayState|sessionId|encodedAppName|loginType - Session ID validated on callback—rejects requests with mismatched session
Before enabling OIDC-only mode:
- Create emergency admin account via CLI:
bin/magento admin:user:create
- Test OIDC login flow thoroughly
- Document emergency access procedure
During IdP outage:
- Emergency admin account can still log in via password (if OIDC-only mode not enabled)
- Or temporarily disable OIDC-only via database query
Module inherits IdP's security policies:
- MFA: Configure at IdP level (TOTP, SMS, push, biometric)
- Conditional Access: IdP can enforce device trust, location-based access, etc.
- Audit Logs: IdP maintains authentication audit trail
- Access Revocation: Disable user at IdP—immediately affects all integrated systems
- Module supports one OIDC provider per Magento store
- Database limitation: single row in
miniorange_oauth_client_appstable - Workaround: Separate store views with separate database configurations (requires customization)
- Future enhancement: Native multi-provider support planned (see TECHNICAL_DOCUMENTATION.md)
- Module supports SP-initiated SSO only (user starts at Magento, redirects to IdP)
- IdP-initiated flow (user starts at IdP, receives SAML-style POST assertion) not implemented
- Workaround: IdP can deep-link to Magento SSO URL, but still technically SP-initiated
- Logout redirects to IdP logout URL (
post_logout_url) but no back-channel logout - Magento session cleared locally, but IdP may not clear other integrated systems' sessions
- Workaround: Users must log out at IdP separately for complete session termination
- Future enhancement: OpenID Connect RP-Initiated Logout spec implementation planned
- Attribute mappings are 1:1 only (OIDC claim → Magento field)
- No conditional logic (e.g., "if group = X, then map attribute Y differently")
- Workaround: Configure claim transformations at IdP level before sending to Magento
- Custom logic requires plugin on
CheckAttributeMappingAction::execute()method
- Module rewrites all cookies globally with
SameSite=None(required for cross-origin OIDC flows) - May affect other modules' cookie behavior
- Future enhancement: Scope to OIDC routes only (see TECHNICAL_DOCUMENTATION.md)
Scenario: Map IdP group "Engineering" to Magento admin role "Content Editors".
Steps:
- Navigate to Stores > Configuration > MiniOrange > OAuth/OIDC > Attribute Mapping
- Set Group Attribute Name to
groups(or your IdP's group claim name) - Click Add Role Mapping:
- OIDC Group:
Engineering - Magento Admin Role: Select "Content Editors" from dropdown
- OIDC Group:
- (Optional) Set Default Admin Role to "Administrators" as fallback
- Enable Auto Create Admin users while SSO
- Save Config
- Test login with a user who has "Engineering" group in IdP
Result: User automatically created as admin with "Content Editors" role on first login.
To map custom OIDC claims to Magento customer attributes:
- Add database column to customer entity (or create EAV attribute)
- Modify
Model/Service/CustomerUserCreator.phpto map the claim - Add UI field in
view/adminhtml/templates/attrsettings.phtml - Run
bin/magento setup:upgrade && bin/magento setup:di:compile
See CLAUDE.md for detailed developer instructions.
OIDC-Only Mode forces all users to authenticate via OIDC, blocking password logins entirely.
Enable:
- Create emergency admin via CLI first:
bin/magento admin:user:create
- Stores > Configuration > MiniOrange > OAuth/OIDC > Sign In Settings
- Enable Disable non-OIDC admin logins
- Save Config
Warning: If IdP is unavailable, you'll need the emergency admin or database access to restore password login.
Safety net: If "Show Admin SSO Link" is disabled, password logins automatically allowed (prevents accidental lockout).
- Technical Reference: TECHNICAL_DOCUMENTATION.md — API reference, architecture, implementation details
- Developer Guide: CLAUDE.md — Developer commands, common modifications, testing checklist
- GitHub Issues: Report bugs or request features (repository URL)
- Module Version: 4.3.0
- Package:
miniorange_inc/miniorange-oauth-sso - License: Proprietary (check
composer.jsonfor details) - Minimum Requirements: PHP 8.1+, Magento 2.4.7+
For detailed technical documentation and API reference, see TECHNICAL_DOCUMENTATION.md.