## Add external login providers
Optimizely <<product-name>> supports Google and Facebook login out of the box for versions 4.1+. Additional login providers could likely be added by adding the relevant OWIN middleware to the ConfigureIdentityProviders method within Startup.Auth.cs. Additional providers can be found at the following links:
<https://identityserver.github.io/Documentation/docsv2/resources/externalAuthentication.html>
<https://github.com/RockstarLabs/OwinOAuthProviders>
### Configure Google/Facebook logins
These logins are enabled by setting the following Application Settings. Changes to these settings do not take effect until the application pool has been recycled.

| **Application Setting** | **Value Type** | **Description** |
| --- | --- | --- |
| ExternalProvider_Facebook_AppId | string | The app id identified by your Facebook application used for Facebook login. |
| ExternalProvider_Facebook_AppSecret | string | The app secret identified by your Facebook application used for Facebook login. |
| ExternalProvider_Facebook_Enabled | true/false | If true, a Facebook button will appear on the sign in page. |
| ExternalProvider_Google_ClientId | string | The client id identified by your Google application used for Google login. |
| ExternalProvider_Google_ClientSecret | string | The client secret identified by your Google application used for Google login. |
| ExternalProvider_Google_Enabled | true/false | If true, a Google button will appear on the sign in page. |

### Set a Google application to generate a ClientId and ClientSecret
1. In a browser, go to <https://console.developers.google.com> (log in if you are not logged in already).
2. Go to **API Manager** > **Credentials**.
3. Click **New credentials** and select **OAuth 2.0 client ID**.
4. Select **Web Application**.
5. Name the application. This name is displayed when users are redirected to Google to log in. Once they log in, Google prompts them with a message such as "{application name} would like to access your profile".
6. Set the Authorized JavaScript origins to the website URL.
7. Set the redirect URLs to the following, replacing the mywebsite part: <https://www.mywebsite.com/identity/externalcallback>
8. Click **Create**.
9. You should now have the clientid and clientsecret.
10. Go to the **Overview** tab.
11. In the **Social APIs** section, click **Google+ API** and enable it.
12. Enter the clientid and clientsecret in the Google External Provider Application Settings.

### Set a Facebook application to generate an AppId and AppSecret
1. In a browser, go to <https://developers.facebook.com/> (log in if you are not logged in already).
2. Select **My Apps** in the header and select **Add an app**.
3. Select **WWW**.
4. Name the application. This name is displayed when users are redirected to Facebook to log in. Once they log in, Facebook prompts them with a message such as "{application name} would like to access your profile".
5. Select a category and create the app.
6. Enter your website and click **Next**.
7. Refresh the page.
8. In the header, select **My Apps** and the app you just created.
9. Click **Settings** to see your app id and app secret.
10. Under **Settings**, set the contact email.
11. Under the **Status and Review** section, set your app to be **Live**.
12. In the same section, enable the email and public_profile items.
13. Verify on the Dashboard that the API version is 2.5. If it is not, you may need to modify some code in Startup.Auth.cs.
14. After everything is configured, restart the IIS App Pool to enable the new configuration.

## Configure IssuerUri for IdentityServer on Webfarms
The purpose of the IssuerUri option on the IdentityServer is to create tokens and generate the TokenValidationParameters. On token generation, the values for the token audience and the issuer are set from the IssuerUri option. On token validation, the audienceUri is created from the IssuerUri. It doesn't have to be a valid URI; it can be something unique to your company.
A common implementation mistake is made when setting the IdentityServerUrl. If it is set in the app.config to the IP address of the server, then each server would have a unique issuer uri on the access token. If the request is then redirected to a server where the access token doesn't exist, a token error is generated. To correct this, configure the issuerUri with the same values on each server across the webfarm.
For Insite, the issuerUri is set in the startup.auth.cs file. Update the following line of the startup.auth.cs file to a unique URL:

Change `IssuerUri = ConfigurationManager.AppSettings["IdentityServerUrl"],` to `IssuerUri = "https://youwebsiteuniqueurl.com"`
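
The web farm failure described above can be reproduced in a small model. This is an added example, not Insite or IdentityServer code: `FarmNode`, `cross_validate`, the IP-based URLs and the signing key are hypothetical, HMAC stands in for the real signing certificate, and the `/resources` audience suffix is an assumption used to derive the audience from the issuer.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; every farm node shares the signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, body: str) -> bytes:
    return hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()

class FarmNode:
    """Hypothetical stand-in for one web farm server running the identity server."""

    def __init__(self, issuer_uri: str):
        self.issuer_uri = issuer_uri
        # Assumption: audience is derived from the issuer, as the page describes.
        self.audience = issuer_uri.rstrip("/") + "/resources"

    def issue_token(self, subject: str) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"iss": self.issuer_uri, "aud": self.audience, "sub": subject}
        body = _b64(json.dumps(claims).encode())
        return f"{header}.{body}.{_b64(_sign(header, body))}"

    def validate_token(self, token: str) -> str:
        """Return 'ok' or the reason this node rejects the token."""
        try:
            header, body, sig = token.split(".")
            sig_bytes = _unb64(sig)
        except ValueError:
            return "malformed token"
        if not hmac.compare_digest(_sign(header, body), sig_bytes):
            return "bad signature"
        claims = json.loads(_unb64(body))  # body is trusted once the signature checks out
        if claims.get("iss") != self.issuer_uri:
            return "issuer mismatch"
        if claims.get("aud") != self.audience:
            return "audience mismatch"
        return "ok"

def cross_validate(issuer_a: str, issuer_b: str) -> str:
    """Issue a token on node A, then validate it on node B (the next request hit another server)."""
    return FarmNode(issuer_b).validate_token(FarmNode(issuer_a).issue_token("user-1"))

if __name__ == "__main__":
    # Per-server IdentityServerUrl (constructed IPs) versus one shared IssuerUri.
    print(cross_validate("https://10.0.0.11/identity", "https://10.0.0.12/identity"))
    print(cross_validate("https://youwebsiteuniqueurl.com", "https://youwebsiteuniqueurl.com"))
```

The signature is valid in both runs; only the issuer comparison differs, which is why the fix is a configuration change rather than a key or certificate change.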