Umbraco is a fantastic CMS until you have to deal with authentication.

If you’ve built anything serious on Umbraco — a membership site, a client portal, a dashboard, or even just a custom backoffice — you’ve likely hit that moment where you think:

“Do I seriously need to build an entire password system just to let people log in?”

Developers don’t want to own password storage, MFA, reset flows, brute-force protection, and compliance overhead.
Users don’t want to remember passwords or go through long onboarding.

So instead of fighting with identity… we integrate MojoAuth — a lightweight, passwordless authentication provider that plugs directly into Umbraco using OpenID Connect (OIDC).

The best part? We built a full GitHub example so you don’t have to start from scratch.

GitHub Repo:
https://github.com/MojoAuth/Umbraco-MojoAuth-OpenIdConnect-Example

MojoAuth Documentation:
https://docs.mojoauth.com/cms-integrations/umbraco/

This guide walks you through why passwordless belongs in Umbraco, how MojoAuth fits into the ecosystem, and how to set it up step-by-step — with real-world DX tips.

Umbraco’s strength has always been:

• Clean CMS structure
• Flexible .NET architecture
• Customizable editor experience
• Easy content workflows

But authentication?
Still very much “traditional”—usernames, passwords, resets, and lockouts.

That's a problem now because:

• People forget passwords constantly
• Passwords are the #1 cause of account takeovers
• Phishing is at an all-time high
• Password reset emails fail or hit spam
• Users expect passwordless onboarding (OTP, magic links, passkeys)

And from a developer perspective:

• Managing passwords = managing liability
• You inherit a huge security surface area
• Compliance becomes painful
• User tables become sensitive risk points

So instead of building auth yourself, you outsource it to MojoAuth — a modern system that provides everything secure login requires.

MojoAuth is a passwordless authentication platform built specifically for developers who don’t want to manage credentials. It supports:

• Passkeys (WebAuthn) — biometric, device-bound login
• Email OTP
• SMS OTP / WhatsApp OTP
• Magic links
• Social login (optional)
• Custom UI & white labeling
• Full OIDC compliance

And because everything is token-based, Umbraco doesn’t store:

• Passwords
• Sensitive secrets
• MFA codes
• Hashes
• PII beyond basic profile info

This will lowers risk and support overhead.

Let’s keep this simple.

Here’s what actually happens when a user logs in:

1. User clicks Login with MojoAuth
2. They’re redirected to MojoAuth
3. They verify identity using OTP/passkey
4. MojoAuth returns an ID token back to Umbraco
5. Umbraco reads claims → signs the user in
6. User enters the CMS
7. No passwords, no friction

Everything is secure, standards-based, and easy to maintain.

Before writing any code, check the full reference implementation:

https://github.com/MojoAuth/Umbraco-MojoAuth-OpenIdConnect-Example

Inside, you’ll find:

• Authentication pipeline setup
• Cookie auth integration
• Proper OIDC challenge + callback flow
• Claim mapping logic
• A real working login button
• Handling of user creation on first login
• Role mapping examples
• Session management

If you copy this project and drop in your Client ID + Client Secret, you’ll get a working MojoAuth login in minutes.

Let’s walk through the developer workflow.

Step 1 — Create a MojoAuth Application

1. Log in to MojoAuth Dashboard

2. Create a new application

3. Obtain:

   • Client ID
   • Client Secret

4. Add your redirect URI:

   https://your-domain.com/signin-oidc
   

This is where MojoAuth will send users after verifying identity.

Step 2 — Add the OIDC Package

dotnet add package Microsoft.AspNetCore.Authentication.OpenIdConnect

Step 3 — Add MojoAuth Config (appsettings.json)

"Authentication": {
  "MojoAuth": {
    "Authority": "https://api.mojoauth.com",
    "ClientId": "YOUR_CLIENT_ID",
    "ClientSecret": "YOUR_CLIENT_SECRET",
    "CallbackPath": "/signin-oidc"
  }
}

Step 4 — Configure Authentication Pipeline

Add this in Program.cs:

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "MojoAuth";
})
.AddCookie("Cookies")
.AddOpenIdConnect("MojoAuth", options =>
{
    options.Authority = builder.Configuration["Authentication:MojoAuth:Authority"];
    options.ClientId = builder.Configuration["Authentication:MojoAuth:ClientId"];
    options.ClientSecret = builder.Configuration["Authentication:MojoAuth:ClientSecret"];
    options.ResponseType = "code";
    options.CallbackPath = builder.Configuration["Authentication:MojoAuth:CallbackPath"];
});

This connects the dots:

• Cookie auth = session
• OIDC = MojoAuth login
• Callback path = where Umbraco processes the token

Step 5 — Map MojoAuth Claims to Umbraco Identity

MojoAuth returns:

• email
• sub
• name
• Verification status
• Login method used

You map these claims to Umbraco’s identity system (included in repo).

Step 6 — Add the Login Button

Just a small tweak to your login view:

<a href="/umbraco/mojoauth/login" class="btn-login-mojoauth">Login with MojoAuth</a>

That’s it — and users now login without passwords.

Most developers underestimate how much security work it takes to run your own password system.

With MojoAuth:

• You never handle passwords
• Nothing sensitive sits in your Umbraco database
• You inherit MojoAuth’s security posture
• Passkeys make phishing practically impossible
• OTP flows include fraud prevention
• SOC2 + GDPR requirements are already covered

If you're building for enterprise clients, this alone removes months of overhead.

This integration is perfect for projects like:

• SaaS dashboards
• Client/agency portals
• E-learning platforms
• Corporate intranets
• Membership websites
• Multi-tenant Umbraco sites
• Anything that needs simple, secure login

You get enterprise-grade authentication without building enterprise-grade identity architecture.

Before going live:

• ✔️ Test OTP login
• ✔️ Test passkey login
• ✔️ Check ID token claims
• ✔️ Confirm session cookie is created
• ✔️ Make sure logout works
• ✔️ Validate user creation happens cleanly
• ✔️ Check logs in MojoAuth dashboard
• ✔️ Review error logs for token validation

If everything checks out → you're production ready.

These are extremely common in OIDC setups — nothing MojoAuth-specific.

Modern authentication shouldn’t be this hard.
And once you plug MojoAuth into Umbraco, you realize:

• No passwords
• No resets
• No phishable credentials
• No custom identity plumbing
• No security debt
• No expensive enterprise IAM products

Just a clean, secure, passwordless experience that makes Umbraco feel like a 2026-ready CMS.

You focus on building content and features.
MojoAuth handles identity and security.

MojoAuth Umbraco Docs
https://docs.mojoauth.com/cms-integrations/umbraco/

GitHub Example
https://github.com/MojoAuth/Umbraco-MojoAuth-OpenIdConnect-Example

MojoAuth Dashboard
https://mojoauth.com

*** This is a Security Bloggers Network syndicated blog from MojoAuth - Advanced Authentication & Identity Solutions authored by MojoAuth - Advanced Authentication & Identity Solutions. Read the original post at: https://mojoauth.com/blog/how-to-add-passwordless-authentication-to-umbraco-using-mojoauth