Configure OAuth2 provider settings for portals
OAuth 2.0-based external identity providers require registering an "application" with the third-party service to obtain a "client ID" and "client secret" pair. The application registration usually requires a redirect URL, which is where the identity provider sends users back to the portal (the relying party) after they authenticate. The client ID and client secret are configured as portal site settings to establish the trusted connection from relying party to identity provider. Treat the client secret as a credential: together with the client ID it is what identifies the portal to the provider. The settings are based on the properties of the MicrosoftAccountAuthenticationOptions, TwitterAuthenticationOptions, FacebookAuthenticationOptions, and GoogleOAuth2AuthenticationOptions classes.
The supported providers are:
- Microsoft Account
- Twitter
- Facebook
- Google
- LinkedIn
- Yahoo
Create OAuth applications
In general, if an OAuth provider's app settings require a redirect URI value, specify either https://portal.contoso.com/ or https://portal.contoso.com/signin-[provider], depending on how the provider performs redirect URI validation (some providers require the full URL path to be specified along with the domain name). Substitute the name of the provider in place of [provider] in the redirect URI. Register the URI exactly as the portal will send it: a mismatch in scheme, host, or path causes a strict provider to reject the sign-in.
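The two validation styles described above (full-path match versus domain-only match) are easy to get wrong when an app is registered by hand. The following Python is an added example, not code from this page or from Power Apps portals: it builds the redirect URI the portal will use for each provider and checks a registered value against it the way a strict provider does. The portal host, the provider names and the /signin-[provider] callback path are taken from the text; every registered URI in the sample is constructed test data.

```python
"""Redirect-URI checks for the OAuth2 providers listed on this page.

Added example, not page or product code. Assumptions: portal host and provider
names are from the text; the /signin-<provider> callback path is the one the
page's redirect URIs use; all registered URIs below are constructed test data.
"""
from urllib.parse import urlsplit

PROVIDERS = ("microsoft", "google", "facebook", "twitter", "linkedin", "yahoo")


def expected_redirect_uri(portal_base: str, provider: str) -> str:
    """Redirect URI a provider should have on file for this portal and provider."""
    provider = provider.lower()
    if provider not in PROVIDERS:
        raise ValueError(f"unknown provider: {provider}")
    parts = urlsplit(portal_base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("portal base must be an absolute https URL")
    return f"https://{parts.netloc.lower()}/signin-{provider}"


def redirect_uri_matches(registered: str, portal_base: str, provider: str) -> bool:
    """Strict comparison, as done by a provider that validates the full path.

    Scheme, host and path must be identical, and no query or fragment is
    allowed. Each relaxation (http, a look-alike or parent host, a bare path,
    an appended query) is a way for an authorization code to be delivered
    somewhere other than the portal, so all of them fail here.
    """
    want = urlsplit(expected_redirect_uri(portal_base, provider))
    got = urlsplit(registered.strip())
    return (
        got.scheme == "https"
        and got.netloc.lower() == want.netloc
        and got.path == want.path
        and got.query == ""
        and got.fragment == ""
    )


def callback_domain_matches(registered_domain: str, portal_base: str) -> bool:
    """Domain-only registration (the Yahoo 'Callback Domain' style on this page).

    Only an exact host match is accepted: a registered parent domain such as
    contoso.com must not be treated as covering portal.contoso.com.
    """
    host = urlsplit(portal_base).netloc.lower()
    return registered_domain.strip().lower() == host


def registration_report(portal_base: str, registered: dict) -> dict:
    """Check a {provider: registered_redirect_uri} map; True means it matches."""
    return {p: redirect_uri_matches(uri, portal_base, p) for p, uri in registered.items()}


if __name__ == "__main__":
    # Constructed sample of what an admin might have pasted into each provider's app.
    sample = {
        "google": "https://contoso.powerappsportals.com/signin-google",
        "facebook": "http://contoso.powerappsportals.com/signin-facebook",  # wrong scheme
        "microsoft": "https://contoso.powerappsportals.com/",  # path missing
        "twitter": "https://contoso.powerappsportals.com.evil.example/signin-twitter",
    }
    for provider, ok in registration_report("https://contoso.powerappsportals.com", sample).items():
        print(f"{provider:10s} {'OK' if ok else 'MISMATCH'}")
```

Run it before going live with a new provider: only the Google entry in the sample passes, and the other three show the three mismatches that most often surface as an unexplained "redirect_uri_mismatch" error at sign-in time.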
Google People API settings
Follow these steps to configure your Power Apps portal with Google's OAuth 2.0 authentication for user authentication.

1. Create an API project or open an existing project.
2. Select ENABLE APIS AND SERVICES from the APIs and Services dashboard.
3. Search for and enable the Google People API.
4. Inside Google APIs, select Credentials in the left navigation.
5. If you already have a consent screen configured with the portal's top-level domain, skip steps 6 through 10 and go directly to step 11. If the consent screen is configured but the portal's top-level domain is not yet added, complete step 10 (Authorized domains) before moving to step 11.
6. Select CONFIGURE CONSENT SCREEN.
7. Select the External user type.
8. Type the Application name and upload an image for the logo if required.
9. Select the appropriate Support email.
10. Type powerappsportals.com as the top-level domain in Authorized domains. Use microsoftcrmportals.com if you have not updated your Power Apps portal domain name. You can also type a custom domain name if you have configured one.
11. Select Credentials from the left navigation menu.
12. Select OAuth client ID from the Create credentials drop-down menu.
13. Select Web application as the application type.
14. Type a Name for the OAuth client ID.
15. Type the Authorized redirect URIs as the Power Apps portal URL followed by /signin-google. For example, if the portal URL is https://contoso.powerappsportals.com, the authorized redirect URIs field should be https://contoso.powerappsportals.com/signin-google.
16. Copy the client ID and client secret from the OAuth client dialog box and configure the OAuth2 site settings in Power Apps portals.
Facebook app settings
1. Select Add a New App.
2. Select Skip and Create App ID.
   - Specify a Display Name.
   - Choose a Category.
   - Select Create App ID.
3. While on the dashboard for the new app, go to Settings > Basic and add the following details:
4. Select Save Changes.
5. Go to Status & Review > Status.
6. Select Yes when prompted to make the app and all its features available to the general public. You must have filled in valid data in the Settings > Basic step above to enable this setting.
Microsoft application settings
- Open Microsoft account Developer Center
- Select Create application and specify an Application name.
- Select I accept to accept Terms and Conditions.
- Go to Settings > API settings, and then set the redirect URL to https://portal.contoso.com/signin-microsoft
Twitter app settings
1. Select Create New App.
2. Select Create your Twitter application.
LinkedIn app settings
1. Select Add New Application.
2. Select Add Application.
Yahoo! YDN App settings
Because of ongoing compatibility issues between the updated Yahoo YDN OAuth provider endpoint and Power Apps portals, users are temporarily unable to authenticate with the Yahoo identity provider.
1. Open Yahoo! Developer Network.
2. Select Create an App.
   - Specify an Application Name.
   - Application Type: Web Application.
   - Callback Domain: portal.contoso.com
3. Select Create App.
Create site settings by using OAuth2
The application dashboard for each provider displays the client ID (app ID, consumer key) and client secret (app secret, consumer secret) for the application. Use these two values to configure the portal site settings.

A standard OAuth2 configuration only requires the following settings (with Facebook as an example):

- Authentication/OpenAuth/Facebook/ClientId
- Authentication/OpenAuth/Facebook/ClientSecret

Replace the [provider] tag in the site setting name with a specific identity provider name: Facebook, Google, Yahoo, Microsoft, LinkedIn, or Twitter.

| Site Setting Name | Description |
| --- | --- |
| Authentication/Registration/ExternalLoginEnabled | Enables or disables external account sign-in and registration. Default: true |
| Authentication/OpenAuth/[provider]/ClientId | Required. The client ID value from the provider application. It may also be referred to as an App ID or Consumer Key. The following setting name is allowed for backwards compatibility: Authentication/OpenAuth/Twitter/ConsumerKey |
| Authentication/OpenAuth/[provider]/ClientSecret | Required. The client secret value from the provider application. It may also be referred to as an App Secret or Consumer Secret. The following setting name is allowed for backwards compatibility: Authentication/OpenAuth/Twitter/ConsumerSecret |
| Authentication/OpenAuth/[provider]/AuthenticationType | The OWIN authentication middleware type. Example: yahoo. See AuthenticationOptions.AuthenticationType. |
| Authentication/OpenAuth/[provider]/Scope | A comma-separated list of permissions to request. See MicrosoftAccountAuthenticationOptions.Scope. |
| Authentication/OpenAuth/[provider]/Caption | The text displayed to the user on the sign-in user interface. See MicrosoftAccountAuthenticationOptions.Caption. |
| Authentication/OpenAuth/[provider]/BackchannelTimeout | Timeout value in milliseconds for back-channel communications. See MicrosoftAccountAuthenticationOptions.BackchannelTimeout. |
| Authentication/OpenAuth/[provider]/CallbackPath | The request path within the application's base path where the user agent will be returned. See MicrosoftAccountAuthenticationOptions.CallbackPath. |
| Authentication/OpenAuth/[provider]/SignInAsAuthenticationType | The name of another authentication middleware that is responsible for actually issuing a user ClaimsIdentity. See MicrosoftAccountAuthenticationOptions.SignInAsAuthenticationType. |
| Authentication/OpenAuth/[provider]/AuthenticationMode | The OWIN authentication middleware mode. See AuthenticationOptions.AuthenticationMode. |
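The table is easier to apply when its rules are spelled out as code. The following Python is an added example, not Power Apps portals product code: it resolves one provider's configuration from a flat dictionary of site settings, enforcing the two required settings, honouring the legacy Twitter ConsumerKey and ConsumerSecret names, splitting the comma-separated Scope, and defaulting ExternalLoginEnabled to true. The /signin-[provider] default for CallbackPath is an assumption taken from the redirect URIs used earlier on the page, and the sample settings dictionary is constructed with placeholder values.

```python
"""Resolve one provider's OAuth2 configuration from portal site settings.

Added example, not Power Apps portals product code. Assumptions: the
/signin-<provider> CallbackPath default comes from the redirect URIs shown
earlier on the page; SAMPLE_SETTINGS is constructed and its values are fake.
"""
from dataclasses import dataclass, asdict
from typing import List, Optional

PROVIDERS = ("Facebook", "Google", "Yahoo", "Microsoft", "LinkedIn", "Twitter")
PREFIX = "Authentication/OpenAuth/"

# Older setting names still accepted for Twitter (see the table above).
LEGACY_NAMES = {
    ("Twitter", "ClientId"): PREFIX + "Twitter/ConsumerKey",
    ("Twitter", "ClientSecret"): PREFIX + "Twitter/ConsumerSecret",
}


@dataclass
class ProviderConfig:
    provider: str
    client_id: str
    client_secret: str
    scope: List[str]
    caption: str
    callback_path: str
    authentication_type: Optional[str]
    backchannel_timeout_ms: Optional[int]

    def redacted(self) -> dict:
        """View that is safe to log or show on an admin page: the secret is masked."""
        view = asdict(self)
        view["client_secret"] = "***"
        return view


def external_login_enabled(settings: dict) -> bool:
    # An absent setting means enabled, matching the documented default of true.
    raw = settings.get("Authentication/Registration/ExternalLoginEnabled", "true")
    return raw.strip().lower() == "true"


def _setting(settings: dict, provider: str, name: str) -> Optional[str]:
    value = settings.get(f"{PREFIX}{provider}/{name}")
    if value is None and (provider, name) in LEGACY_NAMES:
        value = settings.get(LEGACY_NAMES[(provider, name)])
    return value


def resolve_provider(settings: dict, provider: str) -> ProviderConfig:
    if provider not in PROVIDERS:
        raise ValueError(f"unsupported provider: {provider}")
    if not external_login_enabled(settings):
        raise ValueError("external login is disabled by Authentication/Registration/ExternalLoginEnabled")

    client_id = _setting(settings, provider, "ClientId")
    client_secret = _setting(settings, provider, "ClientSecret")
    missing = [n for n, v in (("ClientId", client_id), ("ClientSecret", client_secret)) if not v]
    if missing:
        raise ValueError(f"{provider}: missing required setting(s): {', '.join(missing)}")

    scope_raw = _setting(settings, provider, "Scope") or ""
    timeout_raw = _setting(settings, provider, "BackchannelTimeout")
    return ProviderConfig(
        provider=provider,
        client_id=client_id.strip(),
        client_secret=client_secret.strip(),
        scope=[s.strip() for s in scope_raw.split(",") if s.strip()],
        caption=_setting(settings, provider, "Caption") or provider,
        callback_path=_setting(settings, provider, "CallbackPath") or f"/signin-{provider.lower()}",
        authentication_type=_setting(settings, provider, "AuthenticationType"),
        backchannel_timeout_ms=int(timeout_raw) if timeout_raw else None,
    )


# Constructed sample: Facebook fully configured, Twitter using the legacy names,
# Google with the secret left out (a typical half-finished configuration).
SAMPLE_SETTINGS = {
    "Authentication/Registration/ExternalLoginEnabled": "true",
    PREFIX + "Facebook/ClientId": "1234567890",
    PREFIX + "Facebook/ClientSecret": "fb-app-secret-placeholder",
    PREFIX + "Facebook/Scope": "email, public_profile",
    PREFIX + "Facebook/Caption": "Sign in with Facebook",
    PREFIX + "Twitter/ConsumerKey": "tw-consumer-key-placeholder",
    PREFIX + "Twitter/ConsumerSecret": "tw-consumer-secret-placeholder",
    PREFIX + "Google/ClientId": "abc.apps.googleusercontent.com",
}


def configured_providers(settings: dict) -> dict:
    """Try every provider that has any credential set; map to ProviderConfig or error text."""
    result = {}
    for p in PROVIDERS:
        if _setting(settings, p, "ClientId") is None and _setting(settings, p, "ClientSecret") is None:
            continue  # not configured at all, nothing to report
        try:
            result[p] = resolve_provider(settings, p)
        except ValueError as err:
            result[p] = str(err)
    return result


if __name__ == "__main__":
    for p, cfg in configured_providers(SAMPLE_SETTINGS).items():
        print(p, cfg.redacted() if isinstance(cfg, ProviderConfig) else f"ERROR: {cfg}")
```

The redacted() view is the only form the resolved configuration should ever reach a log or a diagnostics page in; the client secret is equivalent to the portal's password at the identity provider.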
Configure portal authentication
Set authentication identity for a portal
Open ID Connect provider settings for portals
WS-Federation provider settings for portals
SAML 2.0 provider settings for portals