Configure an OpenID Connect provider for portals
OpenID Connect external identity providers are services that conform to the Open ID Connect specification. OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user. The ID token also gets basic profile information about users—also known as claims.
This article explains how an identity provider that supports OpenID Connect can be integrated with Power Apps portals. Examples of OpenID Connect providers for portals include Azure Active Directory (Azure AD) B2C, Azure AD, and Azure AD with multiple tenants.
Supported and unsupported authentication flows in portals
- Implicit Grant
  - This flow is the default authentication method used by portals.
- Authorization Code
  - Portals uses the client_secret_post method to communicate with the token endpoint of the identity server.
  - Using the private_key_jwt method to authenticate with the token endpoint isn't supported.
- Hybrid (restricted support)
  - Portals requires id_token to be present in the response, so having the response_type value as code token isn't supported.
  - The Hybrid flow in portals follows the same flow as Implicit Grant, and uses id_token to directly sign in the users.
- Portals doesn't support Proof Key for Code Exchange (PKCE)-based techniques to authenticate users.
Note
Changes to authentication settings might take a few minutes to be reflected on the portal. Restart the portal by using portal actions if you want the changes to be reflected immediately.
Configure the OpenID Connect provider
Similar to all other providers, you have to sign in to Power Apps to configure the OpenID Connect provider.
1. Select Add provider for your portal.
2. For Login provider, select Other.
3. For Protocol, select OpenID Connect.
4. Enter a provider name.
5. Select Next.
6. Create the application, and configure the settings with your identity provider.

Note
The Reply URL is used by the app to redirect users to the portal after the authentication succeeds. If your portal uses a custom domain name, you might have a different URL than the one provided here.
Enter the following site settings for portal configuration.

Note
Be sure to review—and if required, change—the default values.
| Name | Description |
|---|---|
| Authority | The authority (or issuer) URL associated with the identity provider. Example (Azure AD): https://login.microsoftonline.com/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/ |
| Client ID | The ID of the application created with the identity provider that's to be used with the portal. |
| Redirect URL | The location where the identity provider will send the authentication response. Example: https://contoso-portal.powerappsportals.com/signin-openid_1. Note: If you're using the default portal URL, you can copy and paste the Reply URL as shown in the Create and configure OpenID Connect provider settings step. If you're using a custom domain name, enter the URL manually. Be sure that the value you enter here is exactly the same as the Redirect URI value for the application in the identity provider configuration (such as Azure portal). |
| Metadata address | The discovery endpoint for obtaining metadata. Common format: [Authority URL]/.well-known/openid-configuration. Example (Azure AD): https://login.microsoftonline.com/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/v2.0/.well-known/openid-configuration |
| Scope | A space-separated list of scopes to request via the OpenID Connect scope parameter. Default value: openid. Example (Azure AD): openid profile email. More information: Configure additional claims when using OpenID Connect for portals with Azure AD |
| Response type | The value for the OpenID Connect response_type parameter. Possible values include: code, code id_token, id_token, id_token token, code id_token token. Default value: code id_token |
| Client secret | The client secret value from the provider application. This might also be referred to as an app secret or consumer secret. This setting is required if the selected response type is code. |
| Response mode | The value for the OpenID Connect response_mode parameter. The value should be query if the selected response type is code. Default value: form_post |
Configure settings for signing users out.

| Name | Description |
|---|---|
| External logout | Enables or disables external account sign-out. When enabled, users are redirected to the external sign-out user experience when they sign out from the portal. When disabled, users are only signed out from the portal. |
| Post logout redirect URL | The location where the identity provider will redirect a user after external sign-out. This location should be set appropriately in the identity provider configuration. |
| RP initiated logout | Enables or disables a sign-out initiated by the relying party. To use this setting, enable External logout first. |

(Optional) Configure additional settings.

| Name | Description |
|---|---|
| Issuer filter | A wildcard-based filter that matches on all issuers across all tenants. Example: https://sts.windows.net/*/ |
| Validate audience | If enabled, the audience is validated during token validation. |
| Valid audiences | Comma-separated list of audience URLs. |
| Validate issuers | If enabled, the issuer is validated during token validation. |
| Valid issuers | Comma-separated list of issuer URLs. |
| Registration claims mapping | List of logical name-claim pairs to map claim values returned from the provider during sign-up to the attributes of the contact record. Format: field_logical_name=jwt_attribute_name, where field_logical_name is the logical name of the field in portals, and jwt_attribute_name is the attribute with the value returned from the identity provider. Example: firstname=given_name,lastname=family_name when using Scope as profile for Azure AD. In this example, firstname and lastname are the logical names for the profile fields in portals, whereas given_name and family_name are the attributes with the values returned by the identity provider for the respective fields. |
| Login claims mapping | List of logical name-claim pairs to map claim values returned from the provider during sign-up to the attributes of the contact record. Format: field_logical_name=jwt_attribute_name, where field_logical_name is the logical name of the field in portals, and jwt_attribute_name is the attribute with the value returned from the identity provider. Example: firstname=given_name,lastname=family_name when using Scope as profile for Azure AD. In this example, firstname and lastname are the logical names for the profile fields in portals, whereas given_name and family_name are the attributes with the values returned by the identity provider for the respective fields. |
| Nonce lifetime | Lifetime of the nonce value, in minutes. Default: 10 minutes. |
| Use token lifetime | Indicates that the authentication session lifetime (such as cookies) should match that of the authentication token. If specified, this value will override the Application Cookie Expire Timespan value in the Authentication/ApplicationCookie/ExpireTimeSpan site setting. |
| Contact mapping with email | Specify whether the contacts are mapped to a corresponding email. When set to On, a unique contact record is associated with a matching email address, assigning the external identity provider to the contact after a successful user sign-in. |

Note
The UI_Locales request parameter is now sent automatically in the authentication request and is set to the language selected on the portal.
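To make the optional settings concrete, the following added example (not code from this article or from the portals product) applies the Issuer filter, Validate audience, Nonce lifetime and claims mapping settings to a constructed ID-token payload. The setting keys, function names, the placeholder client ID and the precedence of Issuer filter over Valid issuers are assumptions made for the example.

```python
# Added example: checks mirroring the optional site settings above, run against a
# constructed ID-token payload whose signature is assumed to be verified already.
import fnmatch

def parse_claims_mapping(mapping):
    """'field_logical_name=jwt_attribute_name,...' -> {field_logical_name: jwt_attribute_name}."""
    return {f.strip(): c.strip() for f, c in (p.split("=", 1) for p in mapping.split(",") if "=" in p)}

def map_claims(mapping, claims):
    """Contact attribute values to write, for mapped claims the token actually carries."""
    return {f: claims[c] for f, c in parse_claims_mapping(mapping).items() if c in claims}

def csv_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def issuer_ok(iss, s):
    """Assumed precedence: wildcard Issuer filter first, else exact match against Valid issuers."""
    if s.get("issuer_filter"):
        return fnmatch.fnmatchcase(iss, s["issuer_filter"])
    if s.get("validate_issuers"):
        return iss in csv_list(s.get("valid_issuers", ""))
    return True  # issuer validation is switched off

def audience_ok(aud, s):
    """aud may be a string or a list; every entry must appear in Valid audiences when enabled."""
    if not s.get("validate_audience"):
        return True
    auds = [aud] if isinstance(aud, str) else list(aud)
    return bool(auds) and all(a in csv_list(s.get("valid_audiences", "")) for a in auds)

def nonce_ok(token_nonce, issued_nonce, issued_at, now, s):
    """The nonce must echo the one issued with the request and be younger than Nonce lifetime (minutes)."""
    return token_nonce == issued_nonce and 0 <= now - issued_at <= s.get("nonce_lifetime", 10) * 60

def validate(claims, issued_nonce, issued_at, now, s):
    """Return the names of the checks that failed (empty list means the token is acceptable)."""
    problems = []
    if not issuer_ok(claims.get("iss", ""), s): problems.append("issuer")
    if not audience_ok(claims.get("aud", []), s): problems.append("audience")
    if not nonce_ok(claims.get("nonce"), issued_nonce, issued_at, now, s): problems.append("nonce")
    return problems

SETTINGS = {  # constructed, named after the site settings in the table above
    "issuer_filter": "https://sts.windows.net/*/",  # multi-tenant wildcard from the table
    "validate_audience": True,
    "valid_audiences": "11111111-2222-3333-4444-555555555555",  # placeholder client ID
    "nonce_lifetime": 10,
    "registration_claims_mapping": "firstname=given_name,lastname=family_name",
}
TOKEN = {  # constructed ID-token payload
    "iss": "https://sts.windows.net/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/",
    "aud": "11111111-2222-3333-4444-555555555555", "nonce": "n-abc",
    "given_name": "Ada", "family_name": "Lovelace",
}
```

Calling validate(TOKEN, "n-abc", 1000, 1300, SETTINGS) yields an empty list, and map_claims(SETTINGS["registration_claims_mapping"], TOKEN) yields the firstname and lastname values the portal would write to the contact record.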
Edit an OpenID Connect provider
To edit a configured OpenID Connect provider, see Edit a provider.
See also
Configure an OpenID Connect provider for portals with Azure AD
FAQ for using OpenID Connect in portals