Power Pages (formerly Power Apps Portals) allows users to create custom authentication providers to handle authentication and user login. This can be beneficial when you need to integrate a portal with a specific identity provider (IdP) or if your authentication needs go beyond the standard out-of-the-box options provided by Power Pages, such as Azure Active Directory or Microsoft Account.
By setting up Custom Authentication Providers, you can extend Power Pages’ security model to accommodate a wide range of authentication schemes, including integration with third-party identity providers.
This guide walks through the steps and considerations to set up and use custom authentication providers in Power Pages.
Step 1: Understand Authentication Flow in Power Pages
Before diving into custom authentication, it’s essential to understand the basic authentication flow in Power Pages. There are three common types of authentication that are available out of the box:
- Local Authentication: Uses portal credentials stored directly within Power Pages.
- External Authentication: Uses external identity providers (e.g., Azure AD B2C, Google, or Facebook).
- Windows Authentication: Used for internal users within an enterprise network, usually integrated with Active Directory.
For custom authentication, you would typically configure External Authentication or use an API to link to your custom authentication provider.
Step 2: Configure Authentication Settings in Power Pages
Power Pages has a section where you can configure authentication settings. Custom authentication can be enabled through the Portal Management App.
- Navigate to Portal Management:
  - Go to Power Apps → Portal Management.
  - Find Authentication Settings under the configuration section.
- Enable External Authentication:
  - In the Authentication Settings, ensure that external authentication is enabled.
  - You’ll typically find options for integrating with OAuth 2.0 or OpenID Connect, which are the most common standards for custom authentication providers.
Step 3: Register Your Custom Authentication Provider
To integrate your custom authentication provider, you’ll need to set up the provider itself. This usually involves registering your application with the external identity provider you plan to use, such as Google, a custom OAuth provider, or your enterprise’s identity system.
- Obtain API Credentials:
  - For most third-party authentication providers (e.g., OAuth or OpenID Connect providers), you’ll need to obtain Client ID, Client Secret, Authorization URL, and Token URL to configure the integration.
- Register the Provider in Power Pages:
  - Navigate to Authentication Settings in Portal Management and create a new External Authentication Provider.
  - Add the Client ID, Client Secret, and other relevant details for your identity provider.
  - Configure the Callback URL, which should match the URL specified by the authentication provider (e.g., your portal’s login URL).
- Configure Scopes (if applicable):
  - Some authentication providers require specifying scopes for access permissions (e.g., email, profile).
  - These scopes control what information you’re requesting from the identity provider.
Step 4: Modify Portal Login Page
Once the custom authentication provider is registered, you may need to modify the login page or workflow of the portal to direct users to the custom authentication flow.
- Redirect Users to the Custom Authentication:
  - You can configure the Login page in Power Pages to include an option for users to authenticate via your custom provider.
  - This can be done by modifying the login page template to include a button or a link that triggers the OAuth or OpenID Connect flow.
- Configure Success/Failure Redirects:
  - Configure where the user should be redirected after successful login or failure.
  - This might involve redirecting them to a home page or a specific post-login page within the portal.
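The request that the login button starts, and the checks a callback handler makes before choosing the success or failure redirect, shown as an added example (not Power Pages code and not part of the original guide). It assumes a custom server-side handler; the endpoint, client ID, callback URL and redirect paths are placeholders.

```javascript
const crypto = require('node:crypto');

// Assumed placeholder values; use the ones issued by your identity provider.
const OIDC = {
  authorizationUrl: 'https://idp.example/oauth2/authorize',
  clientId: 'portal-client-id',
  callbackUrl: 'https://portal.example/signin-custom',
  scopes: ['openid', 'email', 'profile'],
};
const FAILED = '/login-failed'; // assumed failure page

// URL behind the login button. state and nonce are kept in the server-side session.
function beginLogin(session) {
  session.state = crypto.randomBytes(32).toString('base64url');
  session.nonce = crypto.randomBytes(32).toString('base64url');
  const url = new URL(OIDC.authorizationUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: OIDC.clientId,
    redirect_uri: OIDC.callbackUrl, // must equal the callback registered at the IdP
    scope: OIDC.scopes.join(' '),
    state: session.state,
    nonce: session.nonce,
  }).toString();
  return url.toString();
}

// Callback handler: pick the success or failure redirect from the query parameters.
function handleCallback(query, session) {
  const got = Buffer.from(typeof query.state === 'string' ? query.state : '');
  const want = Buffer.from(session.state ?? '');
  delete session.state; // a state value is valid for one callback only
  if (!want.length || got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: 'state', redirect: FAILED };
  }
  if (query.error) return { ok: false, reason: 'idp-error', redirect: FAILED };
  if (typeof query.code !== 'string' || !query.code) {
    return { ok: false, reason: 'no-code', redirect: FAILED };
  }
  // The code is exchanged at the Token URL next; the nonce is checked in the ID token.
  return { ok: true, code: query.code, nonce: session.nonce, redirect: '/' };
}

// Constructed run: one login attempt and its matching callback.
const session = {};
const loginUrl = beginLogin(session);
const sent = new URL(loginUrl).searchParams.get('state');
console.log(handleCallback({ state: sent, code: 'sample-code' }, session).ok);
```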
Step 5: Implement Token Validation and Session Management
Once the user logs in through the custom provider, Power Pages will need to validate the token received from the authentication provider.
- Token Validation:
  - In the case of OAuth or OpenID Connect, you must validate the received token. This may involve using external APIs to verify the token and ensure its validity.
  - You can implement token validation either through Power Pages’ built-in capabilities (if available) or through custom JavaScript or a Power Automate flow.
- Session Management:
  - After successful validation, manage the user’s session by storing session data, such as user roles and permissions.
  - Power Pages uses Web Roles to manage user access, so ensure the external provider sends necessary claims (e.g., user roles) to map them to portal web roles.
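An added example (not from the original guide or from Power Pages) of the token validation step done server-side for an RS256-signed OpenID Connect ID token: pinned algorithm, signature, issuer, audience, expiry and nonce. The `cfg` shape, key ID `k1`, issuer and client ID are assumed, and a generated key pair stands in for the provider's published signing key.

```javascript
const crypto = require('node:crypto');

function b64urlJson(part) {
  const v = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  if (v === null || typeof v !== 'object') throw new Error('not a JSON object');
  return v;
}
const fail = (reason) => ({ ok: false, reason });

// cfg = { issuer, clientId, keys: Map<kid, public KeyObject> } (assumed shape).
function validateIdToken(token, cfg, expectedNonce, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, claims;
  try { header = b64urlJson(parts[0]); claims = b64urlJson(parts[1]); }
  catch { return fail('malformed'); }

  // Pin the algorithm; the token header must not be able to select "none" or HS256.
  if (header.alg !== 'RS256') return fail('alg');
  const key = cfg.keys.get(header.kid);
  if (!key) return fail('unknown-kid');
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, key, sig)) return fail('signature');

  // Claims are trusted only after the signature check has passed.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (claims.iss !== cfg.issuer) return fail('iss');
  if (!aud.includes(cfg.clientId)) return fail('aud');
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return fail('exp');
  if (typeof expectedNonce !== 'string' || claims.nonce !== expectedNonce) return fail('nonce');
  return { ok: true, claims };
}

// Constructed sample: a throwaway key pair stands in for the provider's published key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const CFG = { issuer: 'https://idp.example', clientId: 'portal-client-id', keys: new Map([['k1', publicKey]]) };

function signSample(claims, header = { alg: 'RS256', kid: 'k1' }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = enc(header) + '.' + enc(claims);
  return input + '.' + crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
}

const NOW = 1700000000; // fixed clock for the sample
const GOOD = { iss: CFG.issuer, aud: CFG.clientId, sub: 'user-1', exp: NOW + 300, nonce: 'n-1' };
console.log(validateIdToken(signSample(GOOD), CFG, 'n-1', NOW));
console.log(validateIdToken(signSample({ ...GOOD, aud: 'other-app' }), CFG, 'n-1', NOW));
```

Role or profile claims should be read only from the `claims` object of a result with `ok: true`.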
Step 6: Handle User Profile Data
After the user has authenticated via the custom provider, you may want to sync their profile data (such as name, email, or profile picture) with Power Pages.
- Map Claims to Power Pages Entities:
  - Use the information returned by the custom authentication provider to populate user profile data in Power Pages.
  - You can use Power Automate to update user profiles in the Dataverse tables or use Liquid Templates to display this information on the portal.
- Profile Management:
  - You can enable users to update their profile details directly from the portal, such as changing their password or updating their email.
  - These updates can be synced with your custom authentication provider if it supports such features.
Step 7: Test Your Custom Authentication Provider
After all configurations are completed, thoroughly test the authentication process:
- Test Login:
  - Ensure that users are successfully redirected to your custom provider’s login page and that they can log in with the credentials.
  - Verify that the token is correctly processed and that the user is authenticated.
- Check Permissions:
  - Test that user roles and permissions are correctly mapped and that users have the appropriate access to portal pages and data based on their login credentials.
- Error Handling:
  - Ensure that error handling works correctly. For example, if the authentication provider fails to respond or the token is invalid, users should receive an informative error message.
Step 8: Maintain and Monitor the Custom Authentication Integration
Once your custom authentication provider is in use, ensure ongoing maintenance:
- Monitor Login Activity:
  - Use monitoring tools to track login activity, successful logins, and potential issues with the custom provider integration.
- Update Tokens and Credentials:
  - Regularly update any credentials, client secrets, or tokens needed for the custom authentication provider.
- Handle API Changes:
  - If your custom authentication provider makes any changes to its API or token structure, be sure to update your integration accordingly to prevent any disruptions.
Use Cases for Custom Authentication Providers
- Corporate SSO (Single Sign-On): Integrate with a company’s internal identity provider (e.g., Azure AD, LDAP, or another corporate SSO system).
- Third-Party Authentication: Enable users to log in using third-party services such as Google, Facebook, or other OAuth 2.0/OpenID Connect providers.
- Custom User Management: If you need to manage users through a custom-built identity provider, you can configure Power Pages to work with your system.