Configure OAuth2 provider settings for portals

OAuth 2.0 based external identity providers require you to register an "application" with the third-party service to obtain a client ID and client secret pair. The application registration usually also requires a redirect URI: the address on the portal (the relying party) to which the identity provider sends users back after they sign in. The client ID and client secret are stored as portal site settings to establish the trust relationship between the relying party and the identity provider. Treat the client secret as a credential: keep it in the site setting only, and do not place it in client-side code or source control. The settings are based on the properties of the MicrosoftAccountAuthenticationOptions, TwitterAuthenticationOptions, FacebookAuthenticationOptions, and GoogleOAuth2AuthenticationOptions classes of the OWIN authentication middleware.

The supported providers are:

  • Microsoft Account
  • Twitter
  • Facebook
  • Google
  • LinkedIn
  • Yahoo

Create OAuth applications

In general, if an OAuth provider's app settings require a redirect URI value, specify https://portal.contoso.com/ or https://portal.contoso.com/signin-[provider], depending on how the provider performs redirect URI validation (some providers require the full URL path to be specified along with the domain name, and compare the registered value with the one sent in the authorization request exactly). Substitute the lowercase name of the provider in place of [provider] in the redirect URI, for example https://portal.contoso.com/signin-google. Register only https URIs for the exact host name of your portal; the registered redirect URI is what stops the provider from delivering the authorization response to a different site.

Google People API settings

Note

Google+ API is deprecated. We strongly recommend that you migrate to Google People API.

Follow these steps to configure your Power Apps portal with Google's OAuth 2.0 authentication for user authentication.

  1. Open Google Developers Console.

  2. Create an API project or open an existing project.

  3. Select ENABLE APIS AND SERVICES from dashboard of APIs and Services.

  4. Search and enable API Google People API.

  5. Inside Google APIs, select Credentials on left navigation.

    Note

    If you already have a consent screen configured with the portal's top-level domain, you can skip steps 6 through 14 and go directly to step 15. However, if your consent screen is configured but the portal's top-level domain is not added, complete step 11 before moving to step 15.

  6. Select CONFIGURE CONSENT SCREEN.

  7. Select External user type.

  8. Select Create.

  9. Type Application name and upload an image for logo if required.

  10. Select appropriate Support email.

  11. Type powerappsportals.com as the top-level domain in Authorized domains. Use microsoftcrmportals.com if you have not updated your Power Apps portal domain name. You can also type a custom domain name if you have configured one.

  12. Provide links for home page, privacy policy and terms of service as required.

  13. Select Save.

  14. Select Credentials from left navigation menu.

  15. Select OAuth client ID from the Create credentials drop down menu.

  16. Select application type as Web application.

  17. Type Name for the OAuth Client ID.

  18. Type your Power Apps portal URL in Authorized JavaScript Origins list.

  19. Type Authorized redirect URIs as the Power Apps portal URL followed by /signin-google. For example, if portal URL is https://contoso.powerappsportals.com, authorized redirect URIs field should be https://contoso.powerappsportals.com/signin-google.

  20. Select Create.

  21. Copy client ID and client secret from OAuth client dialog box and configure OAuth2 site settings in Power Apps portals.

Facebook app settings

  1. Open Facebook Developers App Dashboard

  2. Select Add a New App.

  3. Select Website.

  4. Select Skip and Create App ID.

    • Specify a Display Name.
    • Choose a Category.
    • Select Create App ID.
  5. While on the dashboard for the new app, go to Settings > Basic (tab) and add the following details:

  6. Select Save Changes.

  7. Go to Status & Review > Status tab.

  8. Select Yes when prompted to make the app and all its features available to the general public. You must have filled in valid data in step 5 above to enable this setting.

Microsoft application settings

  1. Open Microsoft account Developer Center
  2. Select Create application and specify an Application name.
  3. Select I accept to accept Terms and Conditions.
  4. Go to Settings > API settings, and then set the redirect URL as https://portal.contoso.com/signin-microsoft

Twitter apps settings

  1. Open Twitter Application Management.

  2. Select Create New App.

  3. Select Create your Twitter application.

LinkedIn app settings

  1. Open LinkedIn Developer Network.

  2. Select Add New Application.

  3. Select Add Application.

Yahoo! YDN App settings

Note

Due to ongoing compatibility issues between the updated Yahoo YDN OAuth provider endpoint and Power Apps portals, users are temporarily unable to authenticate with Yahoo identity provider.

  1. Open Yahoo! Developer Network.

  2. Select Create an App.

    • Specify an Application Name.
    • Application Type: Web Application.
    • Callback Domain: portal.contoso.com
  3. Select Create App.

Create site settings by using OAuth2

The application dashboard for each provider displays the client ID (app ID, consumer key) and client secret (app secret, consumer secret) for each application. Use these two values to configure the portal site settings. The client secret is shown only on the provider's dashboard; copy it directly into the site setting and do not store it anywhere else.

Note

A standard OAuth2 configuration requires only the following settings (with Facebook as an example):

  • Authentication/OpenAuth/Facebook/ClientId
  • Authentication/OpenAuth/Facebook/ClientSecret

Substitute the [provider] tag in the site setting name with a specific identity provider name: Facebook, Google, Yahoo, Microsoft, LinkedIn, or Twitter.

Site Setting Name / Description

Authentication/Registration/ExternalLoginEnabled
    Enables or disables external account sign-in and registration. Default: true

Authentication/OpenAuth/[provider]/ClientId
    Required. The client ID value from the provider application. It may also be referred to as an App ID or Consumer Key. The following setting names are allowed for backwards compatibility:
      • Authentication/OpenAuth/Twitter/ConsumerKey
      • Authentication/OpenAuth/Facebook/AppId
      • Authentication/OpenAuth/LinkedIn/ConsumerKey

Authentication/OpenAuth/[provider]/ClientSecret
    Required. The client secret value from the provider application. It may also be referred to as an App Secret or Consumer Secret. Treat it as a credential. The following setting names are allowed for backwards compatibility:
      • Authentication/OpenAuth/Twitter/ConsumerSecret
      • Authentication/OpenAuth/Facebook/AppSecret
      • Authentication/OpenAuth/LinkedIn/ConsumerSecret

Authentication/OpenAuth/[provider]/AuthenticationType
    The OWIN authentication middleware type. Example: yahoo. See AuthenticationOptions.AuthenticationType.

Authentication/OpenAuth/[provider]/Scope
    A comma-separated list of permissions to request. Request only the scopes the portal needs for sign-in. See MicrosoftAccountAuthenticationOptions.Scope.

Authentication/OpenAuth/[provider]/Caption
    The text displayed to the user on the sign-in user interface. See MicrosoftAccountAuthenticationOptions.Caption.

Authentication/OpenAuth/[provider]/BackchannelTimeout
    Timeout value in milliseconds for back-channel communications. See MicrosoftAccountAuthenticationOptions.BackchannelTimeout.

Authentication/OpenAuth/[provider]/CallbackPath
    The request path within the application's base path where the user-agent will be returned. This must correspond to the redirect URI registered with the provider. See MicrosoftAccountAuthenticationOptions.CallbackPath.

Authentication/OpenAuth/[provider]/SignInAsAuthenticationType
    The name of another authentication middleware which will be responsible for actually issuing a user ClaimsIdentity. See MicrosoftAccountAuthenticationOptions.SignInAsAuthenticationType.

Authentication/OpenAuth/[provider]/AuthenticationMode
    The OWIN authentication middleware mode. See AuthenticationOptions.AuthenticationMode.
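As an added example (not part of this page and not code from the portals product), the following Python script models how the site settings in the table above combine, and how they relate to the redirect URI guidance in the "Create OAuth applications" section: it maps the backward-compatible Twitter, Facebook and LinkedIn names onto ClientId/ClientSecret, parses Scope as a comma-separated list, defaults CallbackPath to the /signin-[provider] convention, and derives the exact https redirect URI that must be registered with the provider. The function names and the SAMPLE_SETTINGS dictionary are assumptions made for this example; the credential values in it are placeholders.

```python
"""Resolve Power Apps portals OAuth2 site settings and derive the redirect URI.

Added example for this page, not code from the portals product. The helper
names and SAMPLE_SETTINGS are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PROVIDERS = ("Microsoft", "Twitter", "Facebook", "Google", "LinkedIn", "Yahoo")

# Legacy setting names the portal still accepts, mapped to the canonical names.
LEGACY_ALIASES = {
    "Authentication/OpenAuth/Twitter/ConsumerKey": "Authentication/OpenAuth/Twitter/ClientId",
    "Authentication/OpenAuth/Twitter/ConsumerSecret": "Authentication/OpenAuth/Twitter/ClientSecret",
    "Authentication/OpenAuth/Facebook/AppId": "Authentication/OpenAuth/Facebook/ClientId",
    "Authentication/OpenAuth/Facebook/AppSecret": "Authentication/OpenAuth/Facebook/ClientSecret",
    "Authentication/OpenAuth/LinkedIn/ConsumerKey": "Authentication/OpenAuth/LinkedIn/ClientId",
    "Authentication/OpenAuth/LinkedIn/ConsumerSecret": "Authentication/OpenAuth/LinkedIn/ClientSecret",
}


@dataclass
class OAuth2Options:
    provider: str
    client_id: str
    client_secret: str
    callback_path: str
    scope: List[str] = field(default_factory=list)
    caption: Optional[str] = None
    backchannel_timeout_ms: Optional[int] = None


def normalize(settings: Dict[str, str]) -> Dict[str, str]:
    """Map legacy names onto canonical ones; a canonical name wins over its alias."""
    out: Dict[str, str] = {}
    for name, value in settings.items():
        canonical = LEGACY_ALIASES.get(name, name)
        if canonical in out and canonical != name:
            continue  # canonical value already present, ignore the alias
        out[canonical] = value
    return out


def external_login_enabled(settings: Dict[str, str]) -> bool:
    """Authentication/Registration/ExternalLoginEnabled, default true."""
    value = settings.get("Authentication/Registration/ExternalLoginEnabled", "true")
    return value.strip().lower() == "true"


def missing_required(settings: Dict[str, str], provider: str) -> List[str]:
    """Canonical names of the required settings that are absent or empty."""
    s = normalize(settings)
    prefix = f"Authentication/OpenAuth/{provider}/"
    return [prefix + k for k in ("ClientId", "ClientSecret") if not s.get(prefix + k)]


def resolve(settings: Dict[str, str], provider: str) -> OAuth2Options:
    """Build the options for one provider, or raise if the configuration is unusable."""
    if provider not in PROVIDERS:
        raise ValueError(f"unsupported provider: {provider}")
    missing = missing_required(settings, provider)
    if missing:
        raise ValueError(f"{provider}: missing required settings {missing}")
    s = normalize(settings)
    prefix = f"Authentication/OpenAuth/{provider}/"
    # CallbackPath defaults to the /signin-<provider> convention used on this page.
    callback = s.get(prefix + "CallbackPath") or f"/signin-{provider.lower()}"
    if not callback.startswith("/"):
        raise ValueError(f"{provider}: CallbackPath must be a path within the site")
    scope = [p.strip() for p in s.get(prefix + "Scope", "").split(",") if p.strip()]
    timeout = s.get(prefix + "BackchannelTimeout")
    return OAuth2Options(
        provider=provider,
        client_id=s[prefix + "ClientId"],
        client_secret=s[prefix + "ClientSecret"],
        callback_path=callback,
        scope=scope,
        caption=s.get(prefix + "Caption"),
        backchannel_timeout_ms=int(timeout) if timeout else None,
    )


def redirect_uri(portal_url: str, opts: OAuth2Options) -> str:
    """The exact redirect URI to register with the provider: https origin + CallbackPath."""
    u = urlsplit(portal_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("portal URL must be an absolute https URL")
    return f"https://{u.netloc}{opts.callback_path}"


def redirect_uri_matches(registered: str, portal_url: str, opts: OAuth2Options) -> bool:
    """Exact string comparison, as strict providers do; no wildcards or prefix matches."""
    return registered == redirect_uri(portal_url, opts)


# Constructed sample: placeholder values, not real credentials.
SAMPLE_SETTINGS = {
    "Authentication/OpenAuth/Google/ClientId": "1234.apps.googleusercontent.com",
    "Authentication/OpenAuth/Google/ClientSecret": "placeholder-google-secret",
    "Authentication/OpenAuth/Google/Scope": "openid, profile,email",
    "Authentication/OpenAuth/Twitter/ConsumerKey": "placeholder-twitter-key",
    "Authentication/OpenAuth/Twitter/ConsumerSecret": "placeholder-twitter-secret",
}

if __name__ == "__main__":
    print(redirect_uri("https://contoso.powerappsportals.com", resolve(SAMPLE_SETTINGS, "Google")))
    print(missing_required(SAMPLE_SETTINGS, "Facebook"))
```

Run it as-is to see the redirect URI for the sample Google configuration and the two missing Facebook settings. The exact-match comparison in redirect_uri_matches is deliberate: a trailing slash or a different host is a different URI, which is why the value registered with the provider has to be copied rather than approximated.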

See also

Configure portal authentication
Set authentication identity for a portal
Open ID Connect provider settings for portals
WS-Federation provider settings for portals
SAML 2.0 provider settings for portals