Configuring OAuth 2.0 Authentication for Microsoft Power Platform Custom Connectors

Introduction

Connectors are integration points that help your APIs connect to Microsoft Power Platform. If you have never built a connector before and you enjoy working with APIs, check this article to help you get started. When creating your connector, you are presented with 4 authentication configuration options to ensure successful connection to your API - No Authentication, Basic Authentication, API Key and OAuth 2.0. This article will focus on the configuration of OAuth 2.0 as your authentication type. 

Note: A connector only serves as a proxy for your external service, therefore it must be configured to use the authentication that is implemented by your API.

Resources

1. Troubleshoot OAuth 2.0
2. Create a custom connector from a Postman collection
3. OAuth 2.0 Documentation
4. Google Photos connector 
5. To create a connector, sign in to https://make.powerapps.com select Dataverse, then go to Custom Connectors

Here is an example of a service using OAuth 2.0 and how you would go about setting up authentication on the connector wizard.

Google Photos API.

First step [1]: Before starting a project using any API, it is recommended that you spend some time reading the API documentation to capture all API requirements – supported methods & endpoints, known limitations, troubleshooting guidelines and instructions on configuring authentication. This information will guide you on what your project will be able to achieve or not.

To use this API, according to Google Photos API documentation, you need to configure a project on Google API Console to obtain a Client ID and Client Secret, which you will use to grant your project access to the API.

Note: Users of your connector will be expected to obtain their own client credentials, so you should not share your Client ID and Secret with anyone.

Second Step [2]: After obtaining your credentials, head over to the connector wizard and input the following required fields.

Client id & Client secret: Paste in the credentials from your project on Google API Console.

Authorization URL: Add the endpoint for the authorization 2.0 server to receive the authorization code from. In other words, this URL will be used to sign in the user and in this case, we will add https://accounts.google.com/o/oauth2/v2/auth

Token URL: This field holds the endpoint used to exchange the authorization code after successful authorization for a token that will be added to the authorization header (or any other specified destination as per your API). In this case, we will add https://oauth2.googleapis.com/token

Refresh URL: In most cases, the refresh URL is the same as the token URL, which is the endpoint used to refresh your access token for a new one after your current token expires.

Scope: Some APIs contain authorization scopes, an implementation of Accessibility in APIs. Scopes grant additional access permissions to endpoints that need them to reach the specified data. For example, to create an album in my google photos account from my project, I must configure either the appendonly or sharing scope.

If you need access to more than one scope, add them in the scope field using a space delimiter (separated by an empty space).

Redirect URL: This field will be automatically populated once you create the connector. It holds the callback URL, where you will be redirected to after your application has been authenticated successfully. Copy the URL generated by power platform in this field and add it to your client project under ‘Authorized redirect URLs’

Third step [3]: With your URLs added correctly and required scopes provided, create your connector and upon testing, your operations should be successful.

Additional Tips: The easiest way to quickly set up your authentication is through testing your endpoints on postman and once everything works as expected, it will practically take you less than 2 minutes to go past the security step. Advantages of creating a custom connector via a postman collection include:

1. You test all your endpoint and confirm that the correct data is being returned once you make a call.
2. You add all the required scopes for all your endpoints and directly transfer them to the connector wizard.
3. Before exporting collection, ensure all the endpoints are properly named to have your actions get proper names and eliminate the need to manually add & rename all the action names.

Important

After creating your connector from a postman collection, confirm the request URLs have been added correctly. Variables on Postman are to URL paths using double curly braces, {{variable_name}} but power platform needs to receive them using single curly braces {variable_name}. If you are passing any variables to your URL, change this before creating the connector.