The OAuth 2.0 based external identity providers involve registering an "application" with a third-party service to obtain a "client ID" and "client secret" pair. Often this application requires specifying a redirect URL that allows the identity provider to send users back to the portal (relying party). The client ID and client secret are configured as portal site settings in order to establish a secure connection from the relying party to the identity provider. The settings are based on the properties of the MicrosoftAccountAuthenticationOptions, TwitterAuthenticationOptions, FacebookAuthenticationOptions, and GoogleOAuth2AuthenticationOptions classes.

The providers supported are:

  • Microsoft Account
  • Twitter
  • Facebook
  • Google
  • LinkedIn
  • Yammer
  • Yahoo

Create OAuth Applications

In general, if an OAuth provider uses app settings that require a redirect URI value, specify http://portal.contoso.com/ or http://portal.contoso.com/signin-[provider], depending on how the provider performs redirect URI validation (some providers require the full URL path to be specified along with the domain name). Substitute the name of the provider in place of [provider] in the redirect URI.

Instructions for creating specific provider applications

Google OAuth2 API Credentials - Instructions

  • Open Google Developers Console
  • Create an API project or open an existing project
  • Navigate to APIs & auth > APIs
    • Under Social APIs, click Google+ API then click Enable API
  • Navigate to APIs & auth > Consent screen
    • Specify an Email address
    • Specify a custom Product name
    • Click Save
  • Navigate to APIs & auth > Credentials
    • Create new Client ID
      • Application Type: Web application
      • Authorized JavaScript Origins: http://portal.contoso.com
      • Authorized Redirect URIs: http://portal.contoso.com/signin-google
      • Click Create Client ID

Facebook App Settings

  • Open Facebook Developers App Dashboard
  • Click Add a New App
  • Select Website
  • Click Skip and Create App ID
    • Specify a Display Name
    • Select a Category
    • Click Create App ID
  • While on the Dashboard for the new app, navigate to Settings > Basic (tab)
    • (Optional) App Domains: portal.contoso.com 
    • Contact Email: <email address of your choice>
    • Click Add Platform and select Website
    • Site URL: http://portal.contoso.com/ or http://portal.contoso.com/signin-facebook
    • Click Save Changes
  • Navigate to Status & Review > Status (tab)
    • Do you want to make this app and all its features available to the general public? YES
      • The Contact Email field is required to enable this setting

Microsoft Application Settings

  • Open Microsoft account Developer Center
  • Click Create application
    • Specify an Application name
    • Click I accept
  • Navigate to Settings > API Settings
    • Redirect URLs: http://portal.contoso.com/signin-microsoft

Yammer Application Settings

  • Open Registered applications
  • Click Register New App
  • Specify an Application Name, Organization, Support e-mail
    • Website: http://portal.contoso.com
    • Redirect URI: http://portal.contoso.com or http://portal.contoso.com/signin-yammer
    • Click Continue
  • To return to the app settings for future changes, navigate to My Apps > [App Name] > Basic Info

Twitter Apps Settings

  • Open Twitter Application Management
  • Click Create New App
    • Specify a Name and Description
    • Website: http://portal.contoso.com
    • Callback URL: http://portal.contoso.com or http://portal.contoso.com/signin-twitter
    • Click Create your Twitter application

LinkedIn Application Settings

  • Open LinkedIn Developer Network
  • Click Add New Application
    • Specify an Application Name, Description, etc.
    • Website URL: http://portal.contoso.com
    • OAuth User Agreement/Default Scope: r_basicprofile and r_emailaddress
    • OAuth 2.0 Redirect Urls: http://portal.contoso.com/signin-linkedin
    • Click Add Application

Yahoo! YDN App Settings

  • Open Yahoo! Developer Network
  • Click Create an App
    • Specify an Application Name
    • Application Type: Web Application
    • Callback Domain: portal.contoso.com
  • Click Create App

Create Site Settings

The application dashboard for each provider will display the client ID (app ID, consumer key) and client secret (app secret, consumer secret) for each application. Use these two values to configure the portal site settings.

A standard OAuth2 configuration only requires the following settings (choosing Facebook as an example):

  • Authentication/OpenAuth/Facebook/ClientId
  • Authentication/OpenAuth/Facebook/ClientSecret

Substitute the [provider] tag in the site setting name with a specific identity provider name: Facebook, Google, Yahoo, Microsoft, LinkedIn, Yammer, or Twitter.

Site Setting Name / Description

Authentication/Registration/ExternalLoginEnabled

Enables or disables external account sign-in and registration. Default: true

Authentication/OpenAuth/[provider]/ClientId

Required. The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key".

The following setting names are allowed for backwards compatibility:

  • Authentication/OpenAuth/Twitter/ConsumerKey
  • Authentication/OpenAuth/Facebook/AppId
  • Authentication/OpenAuth/LinkedIn/ConsumerKey

Authentication/OpenAuth/[provider]/ClientSecret

Required. The client secret value from the provider application. It may also be referred to as an "App Secret" or "Consumer Secret".

The following setting names are allowed for backwards compatibility:

  • Authentication/OpenAuth/Twitter/ConsumerSecret
  • Authentication/OpenAuth/Facebook/AppSecret
  • Authentication/OpenAuth/LinkedIn/ConsumerSecret

Authentication/OpenAuth/[provider]/AuthenticationType

The OWIN authentication middleware type. Example: yahoo. See MSDN.

Authentication/OpenAuth/[provider]/Scope

A comma separated list of permissions to request. See MSDN.

Authentication/OpenAuth/[provider]/Caption

The text that the user can display on a sign-in user interface. See MSDN.

Authentication/OpenAuth/[provider]/BackchannelTimeout

Timeout value in milliseconds for back channel communications. See MSDN.

Authentication/OpenAuth/[provider]/CallbackPath

The request path within the application's base path where the user-agent will be returned. See MSDN.

Authentication/OpenAuth/[provider]/SignInAsAuthenticationType

The name of another authentication middleware which will be responsible for actually issuing a user ClaimsIdentity. See MSDN.

Authentication/OpenAuth/[provider]/AuthenticationMode

The OWIN authentication middleware mode. See MSDN.

Authentication/OpenAuth/Yammer/AcceptedNetworks

Only allow logins from users belonging to one of these networks. Applies to Yammer only.
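As an added, illustrative example that is not part of this page or of the portal's own code, the following Python resolves a set of site settings in the format above into per-provider option values: it honours the backwards-compatible ClientId/ClientSecret names, refuses a provider that has only one of the two required values, defaults CallbackPath to the /signin-[provider] convention used for the redirect URIs earlier on this page (so the exact URL to register with the provider can be computed), parses the comma separated Scope, and accepts AcceptedNetworks for Yammer only. Assumptions: settings arrive as a plain name-to-value dictionary, the AcceptedNetworks value is comma separated, the AuthenticationMode values are the OWIN enum names Active and Passive, and every credential in the sample is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Providers supported by the portal, as listed on the page.
PROVIDERS = ("Microsoft", "Twitter", "Facebook", "Google", "LinkedIn", "Yammer", "Yahoo")

# Backwards-compatible setting names listed on the page, keyed by provider.
LEGACY_CLIENT_ID = {"Twitter": "ConsumerKey", "Facebook": "AppId", "LinkedIn": "ConsumerKey"}
LEGACY_CLIENT_SECRET = {"Twitter": "ConsumerSecret", "Facebook": "AppSecret", "LinkedIn": "ConsumerSecret"}


class SettingsError(ValueError):
    """Raised when a provider is partially or inconsistently configured."""


@dataclass
class ProviderOptions:
    """Resolved values, named after the OWIN option properties the site settings map onto."""
    provider: str
    client_id: str
    client_secret: str = field(repr=False)  # keep the secret out of logs and tracebacks
    callback_path: str = ""
    scope: List[str] = field(default_factory=list)
    caption: Optional[str] = None
    backchannel_timeout_ms: Optional[int] = None  # None: leave the middleware default in place
    authentication_type: Optional[str] = None
    sign_in_as_authentication_type: Optional[str] = None
    authentication_mode: Optional[str] = None
    accepted_networks: List[str] = field(default_factory=list)  # Yammer only

    def redirect_uri(self, portal_base_url: str) -> str:
        """The full URL to register with a provider that validates the whole redirect path."""
        return portal_base_url.rstrip("/") + self.callback_path


def _setting(settings: Dict[str, str], provider: str, key: str) -> Optional[str]:
    """Read Authentication/OpenAuth/<provider>/<key>; blank values count as absent."""
    value = settings.get(f"Authentication/OpenAuth/{provider}/{key}")
    return value.strip() if value is not None and value.strip() else None


def resolve_provider(settings: Dict[str, str], provider: str) -> Optional[ProviderOptions]:
    """Return the options for one provider, None if it is not configured at all."""
    if provider not in PROVIDERS:
        raise SettingsError(f"unknown provider {provider!r}")
    client_id = _setting(settings, provider, "ClientId")
    if client_id is None and provider in LEGACY_CLIENT_ID:
        client_id = _setting(settings, provider, LEGACY_CLIENT_ID[provider])
    client_secret = _setting(settings, provider, "ClientSecret")
    if client_secret is None and provider in LEGACY_CLIENT_SECRET:
        client_secret = _setting(settings, provider, LEGACY_CLIENT_SECRET[provider])
    if client_id is None and client_secret is None:
        return None  # provider simply not set up
    if client_id is None or client_secret is None:
        raise SettingsError(f"{provider}: ClientId and ClientSecret are both required")

    # Default callback path follows the /signin-[provider] convention used on the page.
    callback_path = _setting(settings, provider, "CallbackPath") or f"/signin-{provider.lower()}"
    if not callback_path.startswith("/"):
        raise SettingsError(f"{provider}: CallbackPath must be a path within the portal, got {callback_path!r}")

    scope_raw = _setting(settings, provider, "Scope") or ""
    scope = [s.strip() for s in scope_raw.split(",") if s.strip()]

    timeout_ms = None
    timeout_raw = _setting(settings, provider, "BackchannelTimeout")
    if timeout_raw is not None:
        if not timeout_raw.isdigit() or int(timeout_raw) <= 0:
            raise SettingsError(f"{provider}: BackchannelTimeout must be a positive number of milliseconds")
        timeout_ms = int(timeout_raw)

    mode = _setting(settings, provider, "AuthenticationMode")
    if mode is not None and mode not in ("Active", "Passive"):  # assumed: OWIN AuthenticationMode names
        raise SettingsError(f"{provider}: AuthenticationMode must be Active or Passive")

    networks: List[str] = []
    networks_raw = _setting(settings, provider, "AcceptedNetworks")
    if networks_raw is not None:
        if provider != "Yammer":
            raise SettingsError(f"{provider}: AcceptedNetworks applies to Yammer only")
        networks = [n.strip() for n in networks_raw.split(",") if n.strip()]  # assumed comma separated

    return ProviderOptions(
        provider=provider, client_id=client_id, client_secret=client_secret,
        callback_path=callback_path, scope=scope,
        caption=_setting(settings, provider, "Caption"),
        backchannel_timeout_ms=timeout_ms,
        authentication_type=_setting(settings, provider, "AuthenticationType"),
        sign_in_as_authentication_type=_setting(settings, provider, "SignInAsAuthenticationType"),
        authentication_mode=mode, accepted_networks=networks,
    )


def resolve_all(settings: Dict[str, str]) -> Dict[str, ProviderOptions]:
    """Resolve every configured provider; an empty result when external login is disabled."""
    enabled = settings.get("Authentication/Registration/ExternalLoginEnabled", "true")
    if enabled.strip().lower() != "true":
        return {}
    resolved = {}
    for provider in PROVIDERS:
        options = resolve_provider(settings, provider)
        if options is not None:
            resolved[provider] = options
    return resolved


# Constructed sample site settings; every credential is a placeholder, not a real value.
SAMPLE_SETTINGS = {
    "Authentication/Registration/ExternalLoginEnabled": "true",
    "Authentication/OpenAuth/Google/ClientId": "google-client-id-placeholder",
    "Authentication/OpenAuth/Google/ClientSecret": "google-client-secret-placeholder",
    "Authentication/OpenAuth/Google/Scope": "openid, profile, email",
    "Authentication/OpenAuth/Google/BackchannelTimeout": "30000",
    "Authentication/OpenAuth/Facebook/AppId": "facebook-app-id-placeholder",          # legacy name
    "Authentication/OpenAuth/Facebook/AppSecret": "facebook-app-secret-placeholder",  # legacy name
    "Authentication/OpenAuth/Yammer/ClientId": "yammer-client-id-placeholder",
    "Authentication/OpenAuth/Yammer/ClientSecret": "yammer-client-secret-placeholder",
    "Authentication/OpenAuth/Yammer/AcceptedNetworks": "contoso.com",
    "Authentication/OpenAuth/Yammer/AuthenticationMode": "Passive",
}

if __name__ == "__main__":
    for name, opts in resolve_all(SAMPLE_SETTINGS).items():
        # The redirect URI printed here is the value to register with the provider.
        print(name, opts.redirect_uri("http://portal.contoso.com"), opts.scope, repr(opts))
```

Running the module prints one line per configured provider with the redirect URI to register; the dataclass repr deliberately omits the client secret so that diagnostic output never carries a credential.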