Seamless Login and Account Creation between Apps

I have a customer-facing app in our organisation, and we are about to start our second application. I would like all the users that have signed up to the first application to be able to use our second application without having to create a new account, and that when they navigate from one app to the other they will already be logged in to the second app without having to enter their username and password again. In the first application, when creating an account, we use the ForgotPassword module to send an email out to the user to validate their email, and then we create them an Account object with their username (email address) and password. So, presumably I need a deeplink from App1 into App 2 that will perform the following: check if the account exists based on their currently logged-in account. If it exists, perform the login action (from Community Commons?). If the account doesn't exist, then it should create them a new Account object with the same username and password, and then log them in as above. Is this the right way to transfer users between apps? There must be a way, right? We can't expect users to have multiple separate logins, accounts and passwords for each app, can we?
2 answers

Use deeplinks and the autologin method to hand over users, and use web services in the first app to create the user accounts for the second app. For the autologin part, see this blog:
The marketplace module is still there but Mx7:

The link to Matt's blog is no longer working unfortunately.
The typical way to solve this is by using an identity provider that the customer already has, such as AzureAD, Okta or a competing product. Mendix has a platform-supported SAML module which takes care of authentication. You can do user provisioning (account creation) through APIs: most modern identity providers have a SCIM interface, which is pretty easy to implement.

If the customer doesn't have an IdP solution in place, you need to build something yourself, or convince the customer to buy one. Personally, I would look into sending JWTs (there's an app store module for that as well) to pass along the identity of the user. You can sign these JWTs, so you know that it has come from App1, and you can limit the validity of JWTs to e.g. 1 minute so you reduce the risk even if a token leaks. I would direct the user to a REST API where you read the JWT, create the account if not present, create a session, and in the REST API redirect the user to the right page with a 302 response status. This is a fair bit more complicated than following the step-by-step blog post Ronald directed to, though, but at least in this scenario I know how the authenticity of the requests is checked.
If you follow the blog, investigate how it works, and you're sure it is secure enough, it may serve your purpose.
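The JWT hand-off sketched in the second answer, as an added Python example that is not part of the original post or of any Mendix module: App1 mints a one-minute HS256 token, App2's REST endpoint verifies algorithm, signature, issuer, audience and expiry before trusting the username, provisions the account if absent, starts a session and answers with a 302. The shared secret, the claim names and the in-memory account store are constructed assumptions; a real deployment would use a key only App2 can verify with and a proper session store.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not from the post or any Mendix module).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL_SECONDS = 60                     # the answer suggests ~1 minute validity
EXPECTED_ISSUER, EXPECTED_AUDIENCE = "App1", "App2"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_handoff_token(username: str, now: int) -> str:
    """App1 side: mint a short-lived HS256 JWT that names the user being handed over."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": username, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_sign(f'{header}.{payload}'))}"

def verify_handoff_token(token: str, now: int) -> dict:
    """App2 side: reject anything not signed by App1, not meant for App2, or too old."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm instead of trusting the header (rejects alg=none / key confusion).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):            # short TTL bounds replay after a leak
        raise ValueError("token expired")
    return claims

def handle_login_endpoint(token: str, accounts: dict, now: int) -> tuple:
    """App2 REST endpoint: provision-if-absent, start a session, redirect with 302.
    Returns (http_status, location); `accounts` stands in for the Account entity."""
    try:
        claims = verify_handoff_token(token, now)
    except ValueError:
        return 401, "/login"                   # fall back to the normal login page
    user = accounts.setdefault(claims["sub"], {"created_at": now})
    # Constructed stand-in for a real server-side session identifier.
    user["session"] = hashlib.sha256(f"{claims['sub']}:{now}".encode()).hexdigest()[:16]
    return 302, "/home"
```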