(Rob) Contoso photo Contoso ? Contoso photo Contoso.

Post on 16-Dec-2015


Developing Hybrid apps for SharePoint
Rob Howard, Program Manager, SharePoint Developer

SPC088

Agenda

• Review of SharePoint app authentication
• Online, on-prem, and hybrid scenarios
• Access tokens and issuers
• Configuring a hybrid SharePoint environment
• Creating a hybrid SharePoint app

App authentication review

[Slide animation: a user (Rob), the "Contoso photo" app and the Contoso SharePoint site; the permissions the app is granted grow step by step from "View" to "View, Upload, Tag, Comment" and finally "View, Upload, Tag, Comment, Change Password", while the user's own access to the app stays at "View".]

Cloud App Model: Past and Present

[Slide diagram: SharePoint 2007 - custom code runs inside SharePoint; SharePoint 2010 - code runs in the Sandbox; SharePoint 2013 - apps run outside SharePoint (Azure, IIS, LAMP, etc.) and call back into it through _api.]

Hybrid app scenarios

Hybrid Scenarios

• Selling a product built from a single codebase to on-prem customers and O365 customers
• Creating an app that works both online and on-prem for customers with a presence in both
• Connecting an app running in the cloud to SharePoint running on-prem, or vice versa

App Identity Online and On-Prem

In the cloud: Windows Azure AD comes with O365; apps use "3-legged" OAuth.
[Slide diagram, cloud side: Azure AD, App, Office 365.]

On-premises: cert-based trust; on-prem to on-prem.
[Slide diagram, on-prem side: App, SharePoint.]

Hybrid: use O365 Azure AD with on-prem SP; supports marketplace and on-prem apps.
[Slide diagram: Azure AD, App and Office 365 in the cloud; App and SharePoint on-prem, with the on-prem SharePoint trusting the cloud Azure AD.]

Hybrid app challenges

• No autohosted apps in on-prem farms
• Cross-firewall server-side calls
• Azure AD is only available as part of O365

App Authentication

[Slide diagram: SharePoint "Host" Web and SharePoint "AppWeb"; the app web's JavaScript authenticates to SharePoint.]

[Slide diagram: the same, with a firewall between the SharePoint "Host" Web and the SharePoint "AppWeb"; the JavaScript call is now cross domain.]

Demo: SharePoint-hosted apps on-prem and online (Rob Howard)

[Slide diagram: a firewall between the SharePoint "Host" Web and the SharePoint "AppWeb"; app authentication uses OAuth.]

Access tokens and issuers

[Slide diagram: SharePoint and a Remote App exchanging an Access Token; the next build adds the Trusted Security Token Issuer that mints the token.]

OAuth-authenticated request

POST https://fortworth.sharepoint.com/_vti_bin/client.svc/ProcessQuery HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEs…
Content-Type: text/xml
Host: fortworth.sharepoint.com
Content-Length: 606
Expect: 100-continue
Accept-Encoding: gzip, deflate

<Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" LibraryVersion="15.0.0.0"…

Access token

Decoded access token (header, then claims; the slide builds call out the certificate Thumbprint, the Issuer and the Audience):

{
  "typ": JWT
  "alg": RS256
  "x5t": 34-64-C5-BD-D2-BE-7F-2B-61-12-E2-F0-8E-9C-00-24-E3-3D-9F-E0        <- Thumbprint
}
{
  "aud": 00000003-0000-0ff1-ce00-000000000000/fortworth.sharepoint.com@2c439330-685e-4c13-817b-e057b9637ad0   <- Audience
  "iss": 00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0   <- Issuer
  "nbf": 2012-11-09 16:07:26Z (11/9/2012 8:07:26 AM) - 1352477246
  "exp": 2012-11-10 04:07:26Z (11/9/2012 8:07:26 PM) - 1352520446
  "nameid": 10037ffe831d4d4c
  "actor": e1ec2ca5-301c-4275-add3-f1f7252f3b4b@2c439330-685e-4c13-817b-e057b9637ad0
  "identityprovider": urn:federation:microsoftonline
}
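As an added example (not code from the deck or from SharePoint itself), the claim checks the slides call out on the decoded token: the signing certificate thumbprint (x5t) against the trusted issuer's registered certificate, the issuer and its realm, the audience in the form principal/host@realm, and the nbf/exp validity window. The sample token, the helper names and the constants are constructed here from the slide's values; RS256 signature verification with the issuer certificate is assumed to have already succeeded before these checks run.

```python
import base64
import json

# Values taken from the decoded token on the slide; the token built below is a
# constructed sample with a placeholder signature, not a real SharePoint token.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
REALM = "2c439330-685e-4c13-817b-e057b9637ad0"
HOST = "fortworth.sharepoint.com"
TRUSTED_THUMBPRINT = "34-64-C5-BD-D2-BE-7F-2B-61-12-E2-F0-8E-9C-00-24-E3-3D-9F-E0"

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _unb64url(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_sample_token(nbf=1352477246, exp=1352520446, x5t=TRUSTED_THUMBPRINT):
    """Build the header.claims.signature shape shown on the slide (constructed)."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": x5t}
    claims = {"aud": f"{SHAREPOINT_PRINCIPAL}/{HOST}@{REALM}",
              "iss": f"{ACS_PRINCIPAL}@{REALM}", "nbf": nbf, "exp": exp,
              "nameid": "10037ffe831d4d4c",
              "actor": f"e1ec2ca5-301c-4275-add3-f1f7252f3b4b@{REALM}",
              "identityprovider": "urn:federation:microsoftonline"}
    return f"{_b64url(header)}.{_b64url(claims)}.placeholder-signature"

def validate_claims(token, host, realm, trusted_issuer, trusted_thumbprint, now):
    """Return (True, app principal) or (False, reason). Signature verification
    against the issuer certificate is assumed to have happened already."""
    header_seg, claims_seg, _sig = token.split(".")
    header, claims = _unb64url(header_seg), _unb64url(claims_seg)
    # Thumbprint: the token must be signed by the trusted issuer's certificate.
    if header.get("alg") != "RS256" or header.get("x5t") != trusted_thumbprint:
        return False, "untrusted signing certificate"
    # Issuer: principal@realm must be the trusted issuer for this tenant realm.
    iss_principal, _, iss_realm = claims["iss"].partition("@")
    if iss_principal != trusted_issuer or iss_realm != realm:
        return False, "issuer not trusted for this realm"
    # Audience: principal/host@realm must name this SharePoint host and realm.
    aud_principal, _, rest = claims["aud"].partition("/")
    aud_host, _, aud_realm = rest.partition("@")
    if aud_principal != SHAREPOINT_PRINCIPAL or aud_host != host or aud_realm != realm:
        return False, "token not intended for this SharePoint host"
    # Validity window: nbf inclusive, exp exclusive.
    if not (claims["nbf"] <= now < claims["exp"]):
        return False, "token outside its validity window"
    return True, claims["actor"].partition("@")[0]
```

The actor claim carries the app principal (the remote app), while nameid carries the user; a token that fails any check above should be rejected before either identity is used for authorization.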

Access tokens and issuers

[Slide diagram: SharePoint, Remote App, Trusted Security Token Issuer, Access Token.]

Access tokens and issuers (Online)

[Slide diagram: SharePoint Online, Remote App, Trusted Security Token Issuer (ACS), Access Token; Azure AD behind the ACS Proxy.]

Access tokens and issuers (On-Prem)

[Slide diagram: SharePoint On-Prem, Remote App, Trusted Security Token Issuer (ACS), Access Token; Azure AD behind the ACS Proxy.]

Demo: Building a high-trust app on-prem (Rob Howard)

Access tokens and issuers (On-Prem)

[Slide diagram: SharePoint, Remote App, Trusted Security Token Issuer, Access Token.]

Access tokens and issuers (Hybrid)

[Slide diagram: SharePoint On-Prem, Remote App, Trusted Security Token Issuer (ACS), Access Token; Azure AD behind the ACS Proxy.]

Demo: Configuring ACS as a trusted issuer on-prem (Rob Howard)

Access tokens and issuers (On-Prem)

[Slide diagram: SharePoint, Remote App, Trusted Security Token Issuer, Access Token.]

Access tokens and issuers (Online)

[Slide diagram: SharePoint, Remote App, Trusted Security Token Issuer (ACS), Access Token; Azure AD behind the ACS Proxy.]

Creating a hybrid app

[Slide diagram: Azure AD; SharePoint with a Remote App and Trusted Security Token Issuer (ACS); a second SharePoint with its own Trusted Security Token Issuer; one Remote App serving both.]

Demo: Apps that use both high-trust and 3-legged OAuth (Rob Howard)

Access tokens and issuers (Hybrid)

[Slide diagram: Azure AD; SharePoint Online, Remote App, Trusted Security Token Issuer (ACS); SharePoint On-prem, Trusted Security Token Issuer.]

Takeaways

• The new cloud app model is designed to work both on-prem and in the cloud
• Use high-trust (S2S) in pure on-prem environments
• Use a hybrid configuration to connect on-prem SharePoint farms to apps in the cloud
• Build hybrid apps that can work in on-prem and online environments with a single codebase

© 2012 Microsoft Corporation. All rights reserved.