From 17bd570b42d4e2fcc54ef395395af0e13026d4ec Mon Sep 17 00:00:00 2001 From: Karuna Vengurlekar Date: Mon, 19 Jan 2026 13:21:58 +0530 Subject: [PATCH 1/4] add X. 509 Certificate info --- .../platform-supported-content/modules/oidc.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index caed56ab635..a3942395d84 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md 
@@ -333,13 +333,18 @@ In this case, the OIDC client is the app you are making. The options are: * `client_secret_basic`: Your app will use the HTTP Basic Authentication scheme to authenticate itself at your IdP. This is the default. The `client_secret_basic` makes use of the `client-id` and `client-secret`. * `client_secret_post`: Your app will authenticate itself by including its `client_id` and `client_secret` in the payload of token requests. (Older versions of the OIDC SSO module used this method.) - * `private_key_jwt`: This method, introduced in version 4.1.0, uses asymmetric key cryptography (algorithm) for authentication. This is the best option for security. When you select the `private key` option, you can configure the following fields: - * **Key Pair Expiration Days**: (default `90`) - * **JWT ALG(Signing Algorithm)**: (default `RS256`) + * `private_key_jwt`: This method introduced in version 4.1.0, uses asymmetric key cryptography (algorithm) for authentication. This is the best option for security. It has the following Private Key Source options: + * JWKS URI: When you select the **JWKS URI** from the **Private Key Source**, you can configure the following fields: + * Key Pair Expiration Days: (default 90) + * JWT (Signing Algorithm): (default RS256) - {{% alert color="info" %}}`private_key_jwt` is not yet supported with Entra ID due to the specific way of Microsoft's implementation, which requires enhancements to the OIDC SSO module.{{% /alert %}} - - Once you **Save** the configuration, a key pair is automatically generated. Before you set up the private key authentication in your Mendix App, complete the JWKS configuration at your IdP. Check the documentation of your IdP for details. If you are using Okta, you can refer to the [Configuring JWKS at Your IdP (Okta)](#jwks-okta) section. + Once you **Save** the configuration, a key pair is automatically generated. 
Before you set up the private key authentication in your Mendix App, complete the JWKS configuration at your IdP. Check the documentation of your IdP for details. If you are using Okta, you can refer to the [Configuring JWKS at Your IdP (Okta)](#jwks-okta) section. + + * X. 509 Certificate: This is a certificate-based authentication. Once the configuration is ready, download the certificate in the `pre`, `cer`, or `cer` format. You can also download it by editing the configuration and clicking **Download**. It is supported from version x.x.x of the OIDC module. Configure the following fields: + * Key Pair Expiration Days: (default 90) + * JWT (Signing Algorithm): (default RS256) + + {{% alert color="info" %}}If you regenerate the key pair for your existing configuration, make sure to download the updated certificate from the configuration edit page and upload it to the Azure portal to ensure successful authentication. {{% /alert %}} {{% alert color="info" %}}After a key renewal, some SSO requests may fail if your IdP does not immediately refresh its key cache. {{% /alert %}} From 19bf61c1ba7f6b65a11169a108f1daf481560300 Mon Sep 17 00:00:00 2001 From: Karuna Vengurlekar Date: Mon, 19 Jan 2026 13:36:23 +0530 Subject: [PATCH 2/4] alert box --- .../docs/marketplace/platform-supported-content/modules/oidc.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index a3942395d84..cea7332723c 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md 
@@ -344,6 +344,8 @@ In this case, the OIDC client is the app you are making. * Key Pair Expiration Days: (default 90) * JWT (Signing Algorithm): (default RS256) + {{% alert color="info" %}}X. 509 Certificate supports only the RS256 Signing Algorithm. {{% /alert %}} + {{% alert color="info" %}}If you regenerate the key pair for your existing configuration, make sure to download the updated certificate from the configuration edit page and upload it to the Azure portal to ensure successful authentication. {{% /alert %}} {{% alert color="info" %}}After a key renewal, some SSO requests may fail if your IdP does not immediately refresh its key cache. {{% /alert %}} From f6bbc670a2696ec838932f6c1f6a6e5014524eb5 Mon Sep 17 00:00:00 2001 From: Karuna Vengurlekar Date: Mon, 19 Jan 2026 16:50:36 +0530 Subject: [PATCH 3/4] missing anchor --- .../docs/marketplace/platform-supported-content/modules/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index cea7332723c..db72dc850b4 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md @@ -444,7 +444,7 @@ In this configuration, you have several options to customize the Identity Provid In this non-default configuration method, users have the flexibility to introduce your own constants by creating custom IdP configurations. -##### Deploy-Time IdP Configuration for SSO and API Security +##### Deploy-Time IdP Configuration for SSO and API Security {##deploy-time-idps-for-sso-and-api-security-configuration} {{% alert color="info" %}} **IdPs for SSO and API security** configuration supports both Authorization code and Client Credential grant type. From 4ba5bd76a9369f79f36c2e5374d6ff422cafe7bc Mon Sep 17 00:00:00 2001 
From: Karuna Vengurlekar Date: Mon, 19 Jan 2026 16:52:46 +0530 Subject: [PATCH 4/4] correction --- .../docs/marketplace/platform-supported-content/modules/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index db72dc850b4..b394323850d 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md @@ -444,7 +444,7 @@ In this configuration, you have several options to customize the Identity Provid In this non-default configuration method, users have the flexibility to introduce your own constants by creating custom IdP configurations. -##### Deploy-Time IdP Configuration for SSO and API Security {##deploy-time-idps-for-sso-and-api-security-configuration} +##### Deploy-Time IdP Configuration for SSO and API Security {#deploy-time-idps-for-sso-and-api-security-configuration} {{% alert color="info" %}} **IdPs for SSO and API security** configuration supports both Authorization code and Client Credential grant type.
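Review bot: In PATCH 1/4, the new X.509 bullet lists the download formats as "`pre`, `cer`, or `cer`", which repeats `cer` and leaves `pre` looking like a typo (`pem` is the usual companion format); please confirm the intended formats before this is merged. The same bullet still carries the placeholder "It is supported from version x.x.x of the OIDC module", which needs the real version, and "X. 509" should be written "X.509" here and in the commit subject. Two smaller points: the rewritten `private_key_jwt` line drops the comma after "This method", so it should read "This method, introduced in version 4.1.0, uses ..."; and deleting the alert that `private_key_jwt` is not yet supported with Entra ID is a substantive change the diff does not explain, so if the certificate option is what now makes Entra ID work, state that next to the new "upload it to the Azure portal" alert, otherwise keep the caveat.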
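Review bot: In PATCH 2/4, the added alert "X. 509 Certificate supports only the RS256 Signing Algorithm" contradicts the field list directly above it, which still presents "JWT (Signing Algorithm): (default RS256)" as a configurable default for the X.509 option; either say that the field is fixed to RS256 for X.509 or describe what happens when another value is selected, so readers do not save a configuration the IdP will reject. The alert also writes "X. 509" with a space; it should be "X.509".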
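Review bot: In PATCH 3/4 the anchor added to the heading is written `{##deploy-time-idps-for-sso-and-api-security-configuration}` with a doubled `#`, so the heading does not get the id `deploy-time-idps-for-sso-and-api-security-configuration` and any link to it stays broken; since the subject is "missing anchor", please also check that the link elsewhere in the docs that triggered this change uses exactly that id once the anchor is corrected.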
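Review bot: PATCH 4/4 only changes `{##deploy-time-idps-for-sso-and-api-security-configuration}` to `{#deploy-time-idps-for-sso-and-api-security-configuration}` to repair the anchor that PATCH 3/4 introduced; squash it into 3/4 so the series never carries a broken anchor, and replace the one-word subject "correction" with a message that says what was corrected.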