The OAuth 2.0 based external identity providers involve registering an "application" with a third-party service to obtain a "client ID" and "client secret" pair. Often this application requires specifying a redirect URL that allows the identity provider to send users back to the portal (relying party). The client ID and client secret are configured as portal site settings in order to establish a secure connection from relying party to identity provider. The settings are based on the properties of the MicrosoftAccountAuthenticationOptions, TwitterAuthenticationOptions, FacebookAuthenticationOptions, and GoogleOAuth2AuthenticationOptions classes.
The supported providers are:
- Microsoft Account
Create OAuth applications
In general, if an OAuth provider uses app settings that require a redirect URI value, specify http://portal.contoso.com/or http://portal.contoso.com/signin-[provider] depending on how the provider performs redirect URI validation (some providers require the full URL path to be specified along with the domain name). Substitute the name of the provider in place of [provider] in the redirect URI.
- Open Google Developers Console
- Create an API project or open an existing project
- Go toAPIs & auth >APIs, and under Social APIs, selectGoogle+ API, and then selectEnable API
- Go toAPIs & auth >Consent screen.
- Specify anEmail address.
- Specify a customProduct name.
- Go toAPIs & auth >Credentials and create a new client ID.
Facebook app settings
- Open Facebook Developers App Dashboard
- Select Add a New App.
- Select Website.
Select Skip and Create App ID.
- Specify a Display Name.
- Choose a Category.
- Select Create App ID.
While on the dashboard for the new app, go to Settings >Basic (tab) and add the following details:
Select Save Changes.
- Go to Status & Review > Status tab.
- Select Yes when prompted to make the app and all its features available to the general public. You must have filled in the valid data in Step 5 above to to enable this setting.
Microsoft application settings
- Open Microsoft account Developer Center
- Select Create application and specify an Application name.
- Select I accept to accept Terms and Conditions.
- Go to Settings >API settings, and then set the redirect URL as http://portal.contoso.com/signin-microsoft
Twitter apps settings
- Open Twitter Application Management.
Select Create New App.
Select Create your Twitter application.
LinkedIn app settings
- Open LinkedIn Developer Network.
Select Add New Application.
Select Add Application.
Yahoo! YDN App settings
- Open Yahoo! Developer Network.
Select Create an App.
- Specify an Application Name.
- Application Type: Web Application.
- Callback Domain: portal.contoso.com
Select Create App.
Create site settings by using OAuth2
The application dashboard for each provider will display the client ID (app ID, consumer key) and client secret (app secret, consumer secret) for each application. Use these two values to configure the portal site settings.
A standard OAuth2 configuration only requires the following settings (with Facebook as an example):
[provider] tag in the site setting name with a specific identity provider name: Facebook, Google, Yahoo,Microsoft, LinkedIn, or Twitter.
|Site Setting Name||Description|
|Authentication/Registration/ExternalLoginEnabled||Enables or disables external account sign-in and registration. Default: true|
|Authentication/OpenAuth/[provider]/ClientId||Required. The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key". The following setting names are allowed for backwards compatibility: Authentication/OpenAuth/Twitter/ConsumerKey
|Authentication/OpenAuth/[provider]/ClientSecret||Required. The client secret value from the provider application. It may also be referred to as an "App Secret" or "Consumer Secret". The following setting names are allowed for backwards compatibility: Authentication/OpenAuth/Twitter/ConsumerSecret
|Authentication/OpenAuth/[provider]/AuthenticationType||The OWIN authentication middleware type. Example: yahoo. authenticationoptions.authenticationtype.|
|Authentication/OpenAuth/[provider]/Scope||A comma separated list of permissions to request. microsoftaccountauthenticationoptions.scope.|
|Authentication/OpenAuth/[provider]/Caption||The text that the user can display on a sign in user interface. microsoftaccountauthenticationoptions.caption.|
|Authentication/OpenAuth/[provider]/BackchannelTimeout||Timeout value in milliseconds for back channel communications. microsoftaccountauthenticationoptions.backchanneltimeout.|
|Authentication/OpenAuth/[provider]/CallbackPath||The request path within the application's base path where the user-agent will be returned. microsoftaccountauthenticationoptions.callbackpath.|
|Authentication/OpenAuth/[provider]/SignInAsAuthenticationType||The name of another authentication middleware which will be responsible for actually issuing auserClaimsIdentity. microsoftaccountauthenticationoptions.signinasauthenticationtype.|
|Authentication/OpenAuth/[provider]/AuthenticationMode||The OWIN authentication middleware mode. security.authenticationoptions.authenticationmode.|
Configure Dynamics 365 portal authentication
Set authentication identity for a portal
Open ID Connect provider settings for portals
WS-Federation provider settings for portals
SAML 2.0 provider settings for portals
Facebook App (Page Tab) authentication for portals