Educator Developer Blog

Configuring OAuth 2.0 Authentication for Microsoft Power Platform Custom Connectors

Julia_Muiruri
Jan 26, 2023

Introduction

Connectors are integration points that help your APIs connect to Microsoft Power Platform. If you have never built a connector before and you enjoy working with APIs, check this article to help you get started. When creating your connector, you are presented with four authentication options for connecting to your API: No Authentication, Basic Authentication, API Key and OAuth 2.0. This article focuses on configuring OAuth 2.0 as your authentication type.

Note: A connector only serves as a proxy for your external service, therefore it must be configured to use the authentication that is implemented by your API.

 

Resources

  1. Troubleshoot OAuth 2.0
  2. Create a custom connector from a Postman collection
  3. OAuth 2.0 Documentation
  4. Google Photos connector 
  5. To create a connector, sign in to https://make.powerapps.com, select Dataverse, then go to Custom Connectors.

Here is an example of a service using OAuth 2.0 and how you would go about setting up authentication on the connector wizard.

Google Photos API.

 

First step [1]: Before starting a project using any API, it is recommended that you spend some time reading the API documentation to capture all API requirements – supported methods & endpoints, known limitations, troubleshooting guidelines and instructions on configuring authentication. This information will guide you on what your project will be able to achieve or not.

 

To use this API, according to Google Photos API documentation, you need to configure a project on Google API Console to obtain a Client ID and Client Secret, which you will use to grant your project access to the API.

 

Note: Users of your connector will be expected to obtain their own client credentials, so you should not share your Client ID and Secret with anyone.

 

 

Second Step [2]: After obtaining your credentials, head over to the connector wizard and input the following required fields.

Client id & Client secret: Paste in the credentials from your project on Google API Console.

 

Authorization URL: Add the endpoint of the OAuth 2.0 authorization server from which the authorization code is obtained. In other words, this URL is used to sign in the user; in this case, we will add https://accounts.google.com/o/oauth2/v2/auth

 

Token URL: This field holds the endpoint used to exchange the authorization code after successful authorization for a token that will be added to the authorization header (or any other specified destination as per your API). In this case, we will add https://oauth2.googleapis.com/token

 

Refresh URL: In most cases, the refresh URL is the same as the token URL, which is the endpoint used to refresh your access token for a new one after your current token expires.

 

Scope: Some APIs define authorization scopes, a way of controlling access within the API. Scopes grant additional access permissions to endpoints that need them to reach the specified data. For example, to create an album in my Google Photos account from my project, I must configure either the appendonly or sharing scope.

 

If you need access to more than one scope, add them in the scope field using a space delimiter (separated by an empty space).

 

Redirect URL: This field is populated automatically once you create the connector. It holds the callback URL, to which you are redirected after your application has been authenticated successfully. Copy the URL generated by Power Platform in this field and add it to your client project under ‘Authorized redirect URLs’.

 

Third step [3]: With your URLs added correctly and required scopes provided, create your connector and upon testing, your operations should be successful.
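How the wizard fields from the second step map onto OAuth 2.0 authorization-code requests, with a pre-flight check of the values, as an added example that is not part of the original post. The client ID, client secret and redirect URL are constructed placeholders, and the two scopes are written as full URIs, which is an assumption (the post names them only as appendonly and sharing).

```python
from urllib.parse import urlencode, urlsplit

# Constructed values: client ID/secret and redirect URL are placeholders;
# the scopes are written as full URIs, which is an assumption.
CONFIG = {
    "client_id": "EXAMPLE_CLIENT_ID",
    "client_secret": "EXAMPLE_CLIENT_SECRET",
    "authorization_url": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_url": "https://oauth2.googleapis.com/token",
    "refresh_url": "https://oauth2.googleapis.com/token",
    "scope": "https://www.googleapis.com/auth/photoslibrary.appendonly "
             "https://www.googleapis.com/auth/photoslibrary.sharing",
    "redirect_url": "https://connector.example/redirect",
}

def check_config(cfg, authorized_redirects):
    """Return the configuration problems that would break or weaken the flow."""
    problems = []
    for field in ("authorization_url", "token_url", "refresh_url", "redirect_url"):
        if urlsplit(cfg[field]).scheme != "https":
            problems.append(f"{field} is not an https URL")
    if "," in cfg["scope"]:
        problems.append("scope must be space-delimited")
    if cfg["redirect_url"] not in authorized_redirects:  # exact string match
        problems.append("redirect_url is not registered on the client project")
    return problems

def authorization_request(cfg, state):
    """URL the user is sent to for sign-in and consent (Authorization URL)."""
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": cfg["redirect_url"], "scope": cfg["scope"],
              "state": state}  # random per request; compared on the callback
    return cfg["authorization_url"] + "?" + urlencode(params)

def token_request(cfg, code):
    """Endpoint and form body that exchange the code for tokens (Token URL)."""
    return cfg["token_url"], {
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": cfg["redirect_url"],
        "client_id": cfg["client_id"], "client_secret": cfg["client_secret"]}

def refresh_request(cfg, refresh_token):
    """Endpoint and form body that renew an expired access token (Refresh URL)."""
    return cfg["refresh_url"], {
        "grant_type": "refresh_token", "refresh_token": refresh_token,
        "client_id": cfg["client_id"], "client_secret": cfg["client_secret"]}
```

The client secret appears only in the token and refresh bodies, never in the URL the user's browser visits.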

Additional Tips: The easiest way to quickly set up your authentication is to test your endpoints in Postman first; once everything works as expected, it will take you less than 2 minutes to get past the security step. Advantages of creating a custom connector via a Postman collection include:

  1. You test all your endpoints and confirm that the correct data is returned when you make a call.
  2. You add all the required scopes for all your endpoints and directly transfer them to the connector wizard.
  3. Before exporting the collection, ensure all the endpoints are properly named so that your actions get proper names, eliminating the need to manually add and rename the action names.

Important

After creating your connector from a Postman collection, confirm the request URLs have been added correctly. Postman adds variables to URL paths using double curly braces, {{variable_name}}, but Power Platform needs to receive them using single curly braces, {variable_name}. If you are passing any variables in your URL, change this before creating the connector.
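One way to make the brace change across a whole exported collection, as an added example that is not part of the original post. It assumes the exported JSON nests folders under `item` and stores each request URL either as a string or as an object with `raw` and `path`; the sample collection, host and request names are constructed.

```python
import copy
import re

# Postman placeholder: {{name}}, optionally padded with spaces.
POSTMAN_VAR = re.compile(r"\{\{\s*([A-Za-z_][\w-]*)\s*\}\}")

def to_single_braces(text):
    """Rewrite {{name}} as {name}; text without placeholders is unchanged."""
    return POSTMAN_VAR.sub(r"{\1}", text)

def rewrite_collection(collection):
    """Return (copy with rewritten URLs, names of the requests that changed)."""
    result, changed = copy.deepcopy(collection), []

    def walk(items):
        for item in items:
            if "item" in item:                 # a folder: recurse into it
                walk(item["item"])
                continue
            request = item.get("request")
            url = request.get("url") if isinstance(request, dict) else None
            if isinstance(url, str):           # URL stored as a plain string
                new = to_single_braces(url)
            elif isinstance(url, dict):        # URL stored as raw + path segments
                new = dict(url)
                if "raw" in url:
                    new["raw"] = to_single_braces(url["raw"])
                if "path" in url:
                    new["path"] = [to_single_braces(p) for p in url["path"]]
            else:
                continue
            if new != url:
                request["url"] = new
                changed.append(item.get("name", "?"))

    walk(result.get("item", []))
    return result, changed

# Constructed sample collection (hypothetical host and request names).
SAMPLE = {"item": [
    {"name": "Albums", "item": [
        {"name": "Get album", "request": {"method": "GET", "url": {
            "raw": "https://api.example/v1/albums/{{albumId}}",
            "path": ["v1", "albums", "{{albumId}}"]}}}]},
    {"name": "List albums", "request": {
        "method": "GET", "url": "https://api.example/v1/albums"}},
]}
```

The returned list of changed request names tells you which actions to re-check in the connector wizard after import.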

Updated Jan 23, 2023
  • ElierH

    OAuth 2.0 and API key are no longer in the list of authentication options?

  • My API is hosted in Azure APIM. I have an app registration that exposes the API and requires a role 'MyAPI.Administrator' so that only clients presenting a token with that claim are permitted to call the API. The validation for this is added in the inbound policy for my api where I check that the presented token contains the expected claim using the validate jwt policy template. I also set up a client app registration that has this MyAPI.Administrator permission.

     

    In Postman, when I request a token using grant_type client_credentials, client_id the client app registration's client id and secret for the scope of {myapi}/.default and then use that token to make a request to my API, it works as expected. However, I'm unable to get a custom connector correctly configured to query the API.

     

    From what I can observe when testing the connector in the test tab of the configurator, the token that is sent to the API is an impersonation token (for my account), instead of an application token. Where can I find a sample for this scenario that shows how to configure the security tab of the connector configuration?