In the previous article we looked at aspects of Portal Authentication; this article explains the use of third-party identity providers for Portal Authentication.
External authentication using third-party identity providers uses the OAuth 2.0 protocol to grant access. First, we briefly look at the underlying concepts of OAuth 2.0.
OAuth 2.0 is a protocol that provides a user with limited access to resources on a site. Access tokens, in string format, hold the permissions granted to a user to access the resource. The access tokens are generated in JSON Web Token (JWT) format; the three parts of a JWT are:
- Header: contains metadata about the token and the cryptographic algorithm used to sign it
- Payload: the set of claims, including the expiration time
- Signature: used for token validation
More information about OAuth 2.0 can be obtained here. In the context of Dynamics 365 CE portals (Power Apps portals), the supported identity providers (IdPs) that use OAuth 2.0 are listed here.
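As an added example that is not part of the original article, the Python below shows how the three parts of a JWT fit together and what a relying party must check before trusting the claims: pin the expected algorithm, verify the signature, then check the expiry. It assumes a shared HS256 key constructed for the demo so it runs offline; a real provider such as Google signs tokens with an asymmetric key and publishes the public key for verification.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). HS256 is used only so the example runs
# offline; a real identity provider signs with its own asymmetric key.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"


def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build header.payload.signature the way an issuer would."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the payload claims only if structure, signature and expiry are valid."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = segments
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token, decides how to verify.
    # This rejects 'none' and any algorithm-confusion attempt.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp claim")
    return claims
```

Only the claims returned by verify_token should be used for authorization decisions; anything read from the payload before the signature check is untrusted input.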
For the demonstration, the portal URL used is https://spaceflight.powerappsportals.com; this is a portal provisioned on a Dynamics 365 CE instance.
Suppose we want to use Google as the third-party identity provider. At a high level, the steps are:
- Register the application
- Obtain the “Client ID” and “Client Secret” pair after registration
- Configure the Client ID and Client Secret in the portal site settings to establish the secure connection
Log on to the Google Developer Console here and create a new project.
Once the project is successfully created, click on “Create Credentials” and choose OAuth client ID, as we require the “Client ID” and “Client Secret” that are to be used in the portal settings.
You will be prompted to set a product name on the consent screen.
In the OAuth consent screen, enter the application details.
After the OAuth consent details are set (this step is somewhat similar to setting up an ADFS Relying Party Trust), select Application Type > Web application.
At this stage the Client ID and Client Secret will be generated.
The above two can always be retrieved from:
There is an option to download the settings as a JSON file.
After the preceding steps we have essentially set up our portal as a Relying Party and obtained the Client ID and Client Secret that the OAuth 2.0 registration generated; these now need to be referenced in the portal settings.
The existing OAuth 2.0 providers will be listed as below:
For Google to be used as the identity provider, add the following OpenIdConnect settings; more information can be found here.
As a final step, restart the portal from the PowerApps Portals admin center.
Once the restart is complete, accessing the portal should display Google as an external identity provider.
In the next article we will register an external user and log in to the portal using Google as the identity provider.