Configure OAuth2 provider settings for portals

OAuth 2.0 based external identity providers require registering an "application" with the third-party service to obtain a "client ID" and "client secret" pair. The application registration usually requires a redirect URL, which the identity provider uses to send users back to the portal (the relying party). The client ID and client secret are then stored as portal site settings so that the relying party can establish a trusted connection to the identity provider. The settings correspond to the properties of the MicrosoftAccountAuthenticationOptions, TwitterAuthenticationOptions, FacebookAuthenticationOptions, and GoogleOAuth2AuthenticationOptions classes.

The supported providers are:

  • Microsoft Account
  • Twitter
  • Facebook
  • Google
  • LinkedIn
  • Yahoo

Create OAuth applications

In general, if an OAuth provider's app settings require a redirect URI value, specify http://portal.contoso.com/ or http://portal.contoso.com/signin-[provider], depending on how the provider validates the redirect URI (some providers require the full URL path to be specified along with the domain name). Substitute the name of the provider in place of [provider] in the redirect URI.

Google

Google OAuth2 API Credentials Instructions

  1. Open Google Developers Console
  2. Create an API project or open an existing project
  3. Navigate to APIs & auth > APIs and under Social APIs, click Google+ API, and then click Enable API
  4. Navigate to APIs & auth > Consent screen
    • Specify an Email address
    • Specify a custom Product name
    • Click Save
  5. Navigate to APIs & auth > Credentials and create a new Client ID

Facebook app settings

  1. Open Facebook Developers App Dashboard
  2. Click Add a New App
  3. Select Website
  4. Click Skip and Create App ID
    • Specify a Display Name
    • Select a Category
    • Click Create App ID
  5. While on the Dashboard for the new app, navigate to Settings > Basic (tab) and add the following details:

  6. Click Save Changes
  7. Navigate to Status & Review > Status tab
  8. Select Yes when prompted to make the app and all its features available to the general public. You must have filled in valid data in Step 5 above to enable this setting.

Microsoft application settings

  1. Open Microsoft account Developer Center
  2. Click Create application and specify an Application name
  3. Click I accept to accept the Terms and Conditions
  4. Navigate to Settings > API settings and set the redirect URL to http://portal.contoso.com/signin-microsoft

Twitter apps settings

  1. Open Twitter Application Management
  2. Click Create New App
  3. Click Create your Twitter application

LinkedIn app settings

  1. Open LinkedIn Developer Network
  2. Click Add New Application
  3. Click Add Application

Yahoo! YDN App settings

  1. Open Yahoo! Developer Network
  2. Click Create an App
    • Specify an Application Name
    • Application Type: Web Application
    • Callback Domain: portal.contoso.com
  3. Click Create App

Create site settings using OAuth2

The application dashboard for each provider will display the client ID (app ID, consumer key) and client secret (app secret, consumer secret) for each application. Use these two values to configure the portal site settings.

Note

A standard OAuth2 configuration only requires the following settings (choosing Facebook as an example):

  • Authentication/OpenAuth/Facebook/ClientId
  • Authentication/OpenAuth/Facebook/ClientSecret

Substitute the [provider] tag in the site setting name with the specific identity provider name: Facebook, Google, Yahoo, Microsoft, LinkedIn, or Twitter.

Site setting names and descriptions:

  • Authentication/Registration/ExternalLoginEnabled
    Enables or disables external account sign-in and registration. Default: true
  • Authentication/OpenAuth/[provider]/ClientId
    Required. The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key". The following setting names are allowed for backwards compatibility:
    • Authentication/OpenAuth/Twitter/ConsumerKey
    • Authentication/OpenAuth/Facebook/AppId
    • Authentication/OpenAuth/LinkedIn/ConsumerKey
  • Authentication/OpenAuth/[provider]/ClientSecret
    Required. The client secret value from the provider application. It may also be referred to as an "App Secret" or "Consumer Secret". The following setting names are allowed for backwards compatibility:
    • Authentication/OpenAuth/Twitter/ConsumerSecret
    • Authentication/OpenAuth/Facebook/AppSecret
    • Authentication/OpenAuth/LinkedIn/ConsumerSecret
  • Authentication/OpenAuth/[provider]/AuthenticationType
    The OWIN authentication middleware type. Example: yahoo. MSDN: authenticationoptions.authenticationtype.
  • Authentication/OpenAuth/[provider]/Scope
    A comma-separated list of permissions to request. MSDN: microsoftaccountauthenticationoptions.scope.
  • Authentication/OpenAuth/[provider]/Caption
    The text that the user can display on a sign-in user interface. MSDN: microsoftaccountauthenticationoptions.caption.
  • Authentication/OpenAuth/[provider]/BackchannelTimeout
    Timeout value in milliseconds for back channel communications. MSDN: microsoftaccountauthenticationoptions.backchanneltimeout.
  • Authentication/OpenAuth/[provider]/CallbackPath
    The request path within the application's base path where the user-agent will be returned. MSDN: microsoftaccountauthenticationoptions.callbackpath.
  • Authentication/OpenAuth/[provider]/SignInAsAuthenticationType
    The name of another authentication middleware which will be responsible for actually issuing a user ClaimsIdentity. MSDN: microsoftaccountauthenticationoptions.signinasauthenticationtype.
  • Authentication/OpenAuth/[provider]/AuthenticationMode
    The OWIN authentication middleware mode. MSDN: security.authenticationoptions.authenticationmode.
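As an added example that is not part of this page or the portal's own code, the following Python resolves one provider's effective options from a flat set of site settings: it applies the backward-compatible ClientId and ClientSecret names from the table, rejects a provider whose required values are absent, and derives the redirect URI that has to match the application registration described under "Create OAuth applications". It assumes settings are a name-to-value dictionary, that the portal is served at an HTTPS base URL, and that CallbackPath defaults to /signin-[provider]; the sample values are constructed placeholders.

```python
from urllib.parse import urljoin

# Backward-compatible setting names from the table above, keyed by provider.
LEGACY_CLIENT_ID = {
    "Twitter": "Authentication/OpenAuth/Twitter/ConsumerKey",
    "Facebook": "Authentication/OpenAuth/Facebook/AppId",
    "LinkedIn": "Authentication/OpenAuth/LinkedIn/ConsumerKey",
}
LEGACY_CLIENT_SECRET = {
    "Twitter": "Authentication/OpenAuth/Twitter/ConsumerSecret",
    "Facebook": "Authentication/OpenAuth/Facebook/AppSecret",
    "LinkedIn": "Authentication/OpenAuth/LinkedIn/ConsumerSecret",
}

# Constructed sample site settings; the values are placeholders, not real credentials.
SAMPLE_SETTINGS = {
    "Authentication/OpenAuth/Facebook/AppId": "123456789012345",
    "Authentication/OpenAuth/Facebook/AppSecret": "placeholder-app-secret",
    "Authentication/OpenAuth/Facebook/Scope": "email, public_profile",
    "Authentication/OpenAuth/Google/ClientId": "placeholder.apps.googleusercontent.com",
}


def _lookup(settings, provider, key, legacy_names):
    """Read Authentication/OpenAuth/<provider>/<key>, falling back to the legacy name."""
    primary = f"Authentication/OpenAuth/{provider}/{key}"
    return settings.get(primary) or settings.get(legacy_names.get(provider, ""))


def resolve_provider(settings, provider, portal_base="https://portal.contoso.com/"):
    """Return the effective OAuth2 options for one provider; raise if a required value is absent."""
    if settings.get("Authentication/Registration/ExternalLoginEnabled", "true").lower() != "true":
        raise ValueError("external account sign-in is disabled for this portal")
    client_id = _lookup(settings, provider, "ClientId", LEGACY_CLIENT_ID)
    client_secret = _lookup(settings, provider, "ClientSecret", LEGACY_CLIENT_SECRET)
    missing = [n for n, v in (("ClientId", client_id), ("ClientSecret", client_secret)) if not v]
    if missing:
        raise ValueError(f"{provider}: missing required site setting(s) {missing}")
    prefix = f"Authentication/OpenAuth/{provider}/"
    # Assumption: CallbackPath defaults to /signin-<provider>, the redirect path registered above.
    callback = settings.get(prefix + "CallbackPath", f"/signin-{provider.lower()}")
    scope = [s.strip() for s in settings.get(prefix + "Scope", "").split(",") if s.strip()]
    return {
        "client_id": client_id,
        "client_secret_set": True,  # report presence only; never echo the secret into logs
        "callback_path": callback,
        "redirect_uri": urljoin(portal_base, callback.lstrip("/")),  # must match the app registration
        "scope": scope,
        "caption": settings.get(prefix + "Caption", provider),
    }
```

Compare the returned redirect_uri with the value registered in the provider's app dashboard; a mismatch there is the usual cause of a failed sign-in redirect.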

See also

Configure Dynamics 365 portal authentication
Set authentication identity for a portal
Open ID Connect provider settings for portals
WS-Federation provider settings for portals
SAML 2.0 provider settings for portals
Facebook App (Page Tab) authentication for portals