How to Add Passwordless Authentication to Umbraco Using MojoAuth
Umbraco is a fantastic CMS until you have to deal with authentication.
If you’ve built anything serious on Umbraco — a membership site, a client portal, a dashboard, or even just a custom backoffice — you’ve likely hit that moment where you think:
“Do I seriously need to build an entire password system just to let people log in?”
Developers don’t want to own password storage, MFA, reset flows, brute-force protection, and compliance overhead.
Users don’t want to remember passwords or go through long onboarding.
So instead of fighting with identity… we integrate MojoAuth — a lightweight, passwordless authentication provider that plugs directly into Umbraco using OpenID Connect (OIDC).
The best part? We built a full GitHub example so you don’t have to start from scratch.
GitHub Repo:
https://github.com/MojoAuth/Umbraco-MojoAuth-OpenIdConnect-Example
MojoAuth Documentation:
https://docs.mojoauth.com/cms-integrations/umbraco/
This guide walks you through why passwordless belongs in Umbraco, how MojoAuth fits into the ecosystem, and how to set it up step-by-step — with real-world DX tips.
1. Why Umbraco Needs Passwordless Identity Today
Umbraco’s strength has always been:
- Clean CMS structure
- Flexible .NET architecture
- Customizable editor experience
- Easy content workflows
But authentication?
Still very much “traditional”—usernames, passwords, resets, and lockouts.
That's a problem now because:
- People forget passwords constantly
- Passwords are the #1 cause of account takeovers
- Phishing is at an all-time high
- Password reset emails fail or hit spam
- Users expect passwordless onboarding (OTP, magic links, passkeys)
And from a developer perspective:
- Managing passwords = managing liability
- You inherit a huge security surface area
- Compliance becomes painful
- User tables become sensitive risk points
So instead of building auth yourself, you outsource it to MojoAuth — a modern system that provides everything secure login requires.
2. What MojoAuth Brings to Umbraco (And Why Developers Love It)
MojoAuth is a passwordless authentication platform built specifically for developers who don’t want to manage credentials. It supports:
- Passkeys (WebAuthn) — biometric, device-bound login
- Email OTP
- SMS OTP / WhatsApp OTP
- Magic links
- Social login (optional)
- Custom UI & white labeling
- Full OIDC compliance
And because everything is token-based, Umbraco doesn’t store:
- Passwords
- Sensitive secrets
- MFA codes
- Hashes
- PII beyond basic profile info
This will lowers risk and support overhead.
3. How MojoAuth Works with Umbraco: The Plain-English Flow
Let’s keep this simple.
Here’s what actually happens when a user logs in:
- User clicks Login with MojoAuth
- They’re redirected to MojoAuth
- They verify identity using OTP/passkey
- MojoAuth returns an ID token back to Umbraco
- Umbraco reads claims → signs the user in
- User enters the CMS
- No passwords, no friction
Everything is secure, standards-based, and easy to maintain.
4. The GitHub Example Repo (Your Shortcut to a Working Setup)
Before writing any code, check the full reference implementation:
https://github.com/MojoAuth/Umbraco-MojoAuth-OpenIdConnect-Example
Inside, you’ll find:
- Authentication pipeline setup
- Cookie auth integration
- Proper OIDC challenge + callback flow
- Claim mapping logic
- A real working login button
- Handling of user creation on first login
- Role mapping examples
- Session management
If you copy this project and drop in your Client ID + Client Secret, you’ll get a working MojoAuth login in minutes.
5. Step-by-Step Integration Guide
Let’s walk through the developer workflow.
Step 1 — Create a MojoAuth Application
-
Log in to MojoAuth Dashboard
-
Create a new application
-
Obtain:
- Client ID
- Client Secret
-
Add your redirect URI:
https://your-domain.com/signin-oidc
This is where MojoAuth will send users after verifying identity.
Step 2 — Add the OIDC Package
dotnet add package Microsoft.AspNetCore.Authentication.OpenIdConnect
Step 3 — Add MojoAuth Config (appsettings.json)
"Authentication": {
"MojoAuth": {
"Authority": "https://api.mojoauth.com",
"ClientId": "YOUR_CLIENT_ID",
"ClientSecret": "YOUR_CLIENT_SECRET",
"CallbackPath": "/signin-oidc"
}
}
Step 4 — Configure Authentication Pipeline
Add this in Program.cs:
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "MojoAuth";
})
.AddCookie("Cookies")
.AddOpenIdConnect("MojoAuth", options =>
{
options.Authority = builder.Configuration["Authentication:MojoAuth:Authority"];
options.ClientId = builder.Configuration["Authentication:MojoAuth:ClientId"];
options.ClientSecret = builder.Configuration["Authentication:MojoAuth:ClientSecret"];
options.ResponseType = "code";
options.CallbackPath = builder.Configuration["Authentication:MojoAuth:CallbackPath"];
});
This connects the dots:
- Cookie auth = session
- OIDC = MojoAuth login
- Callback path = where Umbraco processes the token
Step 5 — Map MojoAuth Claims to Umbraco Identity
MojoAuth returns:
emailsubname- Verification status
- Login method used
You map these claims to Umbraco’s identity system (included in repo).
Step 6 — Add the Login Button
Just a small tweak to your login view:
<a href="/umbraco/mojoauth/login" class="btn-login-mojoauth">Login with MojoAuth</a>
That’s it — and users now login without passwords.
6. Security & Compliance: What You Get for Free
Most developers underestimate how much security work it takes to run your own password system.
With MojoAuth:
- You never handle passwords
- Nothing sensitive sits in your Umbraco database
- You inherit MojoAuth’s security posture
- Passkeys make phishing practically impossible
- OTP flows include fraud prevention
- SOC2 + GDPR requirements are already covered
If you're building for enterprise clients, this alone removes months of overhead.
7. Real Use Cases Where MojoAuth + Umbraco Shine
This integration is perfect for projects like:
- SaaS dashboards
- Client/agency portals
- E-learning platforms
- Corporate intranets
- Membership websites
- Multi-tenant Umbraco sites
- Anything that needs simple, secure login
You get enterprise-grade authentication without building enterprise-grade identity architecture.
8. Testing Your Integration
Before going live:
- ✔️ Test OTP login
- ✔️ Test passkey login
- ✔️ Check ID token claims
- ✔️ Confirm session cookie is created
- ✔️ Make sure logout works
- ✔️ Validate user creation happens cleanly
- ✔️ Check logs in MojoAuth dashboard
- ✔️ Review error logs for token validation
If everything checks out → you're production ready.
9. Troubleshooting Guide (Real Problems Developers Hit)
| Problem | Cause | Fix |
|---|---|---|
| Redirect URL mismatch | Typo or missing slash | Must match exactly |
| Invalid client secret | Wrong or expired secret | Generate a new one |
| Token validation error | Clock skew | Sync server time |
| Infinite redirect | Incorrect auth scheme | Use correct default scheme |
| User not created | Missing claims | Map email and name claims |
These are extremely common in OIDC setups — nothing MojoAuth-specific.
10. Final Thoughts — This Is the Login Experience Umbraco Should Have Shipped With
Modern authentication shouldn’t be this hard.
And once you plug MojoAuth into Umbraco, you realize:
- No passwords
- No resets
- No phishable credentials
- No custom identity plumbing
- No security debt
- No expensive enterprise IAM products
Just a clean, secure, passwordless experience that makes Umbraco feel like a 2026-ready CMS.
You focus on building content and features.
MojoAuth handles identity and security.
Useful Links
MojoAuth Umbraco Docs
https://docs.mojoauth.com/cms-integrations/umbraco/
GitHub Example
https://github.com/MojoAuth/Umbraco-MojoAuth-OpenIdConnect-Example
MojoAuth Dashboard
https://mojoauth.com
*** This is a Security Bloggers Network syndicated blog from MojoAuth - Advanced Authentication & Identity Solutions authored by MojoAuth - Advanced Authentication & Identity Solutions. Read the original post at: https://mojoauth.com/blog/how-to-add-passwordless-authentication-to-umbraco-using-mojoauth
