Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Page 1: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

www.AndrewConnell.com

@AndrewConnell

Building Apps for SharePoint 2013

Andrew Connell

MVP, SharePoint Server

Page 2: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Andrew Connell

www.AndrewConnell.com

@andrewconnell

Independent Consultant, Developer, Speaker, Instructor

Hands-On SharePoint Training: Critical Path Training - www.CriticalPathTraining.com

On-Demand SharePoint Training: Pluralsight – www.Pluralsight.com

Page 3: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Agenda

• SharePoint App Model
• App Model Shapes
• App Identity
• Authentication
• Authorization
• OAuth

Page 4: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

SharePoint 2013 Deployment Options

On-Premises (aka: on-prem / behind firewall)
• Installed 100% on company servers
• Access to 100% of SharePoint’s features & capabilities

Hosted (aka: Office 365 / SharePoint Online)
• Installed 100% and managed in the cloud
• Most common context: Office 365 / SharePoint Online
• Some features not available in the cloud

Page 5: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Overview of the SharePoint App Model

SharePoint app model based on these assumptions

Apps supported in Office 365 and in on-premises farms

App code never runs in SharePoint host environment

Apps talk to SharePoint using Web service entry points

App code is authenticated and has established identity

App has permissions independent of user permissions

Apps deployed to catalogs using a publishing scheme

Published apps are easier to find, install and upgrade

Page 6: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

App Installation Scopes

Site-Scoped Installation
• App is installed in a specific site
• App is launched from same site
• This site is known as host web

Tenancy-Scoped Installation
• App installed > app catalog site
• App available many host webs
• Host webs access one app instance
• Centralizes app management

Page 7: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

SharePoint App Architecture

SharePoint-Hosted Apps
• App resources added to SharePoint host
• Stored in child site known as app web
• App can have client-side code
• App cannot have server-side code

Cloud-Hosted Apps
• App resources deployed on remote server
• Remote site known as remote web
• App can have client-side code
• App can have server-side code

Page 8: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Creating SharePoint Hosted & Cloud-Hosted Apps

Page 9: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

App Web

App web is created during app installation
• App web created as child to site where app is installed

SharePoint-Hosted apps must create app web
• App must add start page and related resources
• App can add other SharePoint elements (e.g. lists)

Cloud-Hosted apps can create app web
• Most cloud-hosted apps will not create an app web
• Cloud-hosted app can create app web if needed

Page 10: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Inspecting the AppWeb

Page 11: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

App Shapes

What SharePoint Tells you…
• SharePoint-Hosted Apps
• Cloud-Hosted Apps

What Visual Studio Forces You to Select…
• SharePoint-Hosted App
• Provider-Hosted App
• Auto-Hosted App

Page 12: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

App Shapes – What It Really Is

SharePoint-Hosted Apps
• Everything resides in SharePoint

All Other Types
• Majority resides external to SharePoint (IIS, Azure, etc.)
• By default, don’t trigger creation of AppWeb… unless they include SharePoint artifacts

Auto-Hosted Apps
• SharePoint handles deployment of external assets
  • Azure Web Site
  • SQL Azure Database

Page 13: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Inspecting App Shapes

Page 14: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Authentication in SharePoint 2013

Authentication Flow in SharePoint 2013
• User authentication stays the same with standard sites
• In calls to app web, app authentication occurs internally
• Internal authentication occurs in calls to app web
• External authentication used for calls from remote web
• Call context can contain both user and app identity

Requirements for establishing app identity
• Host web application must be claims-based
• Incoming calls must target CSOM/REST endpoints
• Supported CSOM/REST endpoints not extensible

Page 15: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

User vs. App Authentication Flow

[Diagram labels]
• Call from user: SAML token
• Call from app: OAuth token
• SharePoint Farm: Web Servers

Page 16: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

SharePoint 2013 Authentication Flow

[Flowchart: start authentication → end authentication; the YES/NO branch labels are not recoverable from the transcript]

Decision points:
• SAML token?
• OAuth token?
• Request to app web?
• CSOM/REST endpoint?
• User info in token?

Outcomes:
• Set up call context with user identity
• Set up call context with user identity and app identity
• Set up call context with app identity
• Set up call context with no identity (anonymous access)

Page 17: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Provider-Hosted Apps & App Identity

Apps can obtain an identity using one of two methods:
• OAuth (via Azure ACS)
• High-Trust (via S2S Trust & certificates)

Page 18: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

OAuth 2.0 Primer

What is OAuth?
• Internet protocol for creating and managing app identity
• A cross-platform mechanism for authenticating apps
• Internet standard used by Facebook, Google and Twitter

SharePoint 2013 uses OAuth to establish app identity
• SharePoint integration with OAuth based on Azure ACS
• OAuth authentication used in Office 365 but not on-premises farms

Page 19: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Windows Azure ACS

Windows Azure Access Control Service (ACS)
• Required to use OAuth with SharePoint 2013
• ACS server acts as authentication server
• ACS server must be trusted by content server
• ACS server must be trusted by client app

How is ACS configured as authentication server?
• It's configured automatically in Office 365 tenancies
• Not supported in on-prem farms in SharePoint 2013

Page 20: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

What is a Server-to-Server (S2S) Trust

Trusted connection between client app and SharePoint

Eliminates need for ACS when running apps in on-premises farm

Trust between servers configured using SSL certificates

App code requires access to private key of SSL certificate

Requires creating Security Token Service on SharePoint server(s)

Page 21: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Developing Apps that use S2S Trusts

What are the developer responsibilities with an S2S app?
• Expose an endpoint to SharePoint to discover service metadata
• Authenticate the user (can use Windows Auth, FBA, etc.)
• Create security tokens to send to SharePoint server

Details of creating the S2S security token
• S2S token like OAuth token but differs from OAuth specification
• Security token must contain app identity
• Security token can optionally include user identity
• Security token must be signed using certificate’s private key

Page 22: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

OAuth & S2S Trusts

OAuth Enabled Apps
• Before deployment to the marketplace, app must be registered with Azure ACS
• Apps obtain their identity / token from Azure ACS
• When calling SharePoint, app includes OAuth token
• SharePoint trusts Azure ACS

On-Prem deployments will typically use S2S
• Before deployment, app must be registered with SharePoint
• Developer registers a certificate with SharePoint & associates app with certificate
• App creates token using private key of certificate
• SharePoint trusts this token because it was signed with the private key
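
An added sketch of the signing and trust check described on pages 21 and 22 (not code from the presentation or from SharePoint): the app signs a JWT-style token with the certificate's private key, and the receiving side accepts it only if it verifies against the key registered for that app. The claim names `appid` and `userid`, the id `app-1234` and the in-memory registry are hypothetical; SharePoint's real S2S token format differs.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed key pair standing in for the certificate's keys. The private key
// stays with the app; only the public half is registered with the receiver.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// App side: sign a token. "appid" (required) and "userid" (optional) are
// hypothetical claim names, not SharePoint's actual S2S claims.
function createToken(claims, key) {
  if (!claims.appid) throw new Error('token must contain app identity');
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${body}`), key);
  return `${header}.${body}.${b64url(sig)}`;
}

// Receiving side: accept the token only if its signature verifies against the
// key registered for the app it names. registeredKeys is a Map(appid -> key).
function validateToken(token, registeredKeys) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, body, sig] = parts;
  let alg, claims;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString()).alg;
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the expected algorithm instead of trusting the token's own header.
  if (alg !== 'RS256') return { ok: false, reason: 'unexpected algorithm' };
  if (!claims || !claims.appid) return { ok: false, reason: 'no app identity' };
  const key = registeredKeys.get(claims.appid);
  if (!key) return { ok: false, reason: 'app not registered' };
  const signed = Buffer.from(`${header}.${body}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, app: claims.appid, user: claims.userid ?? null };
}

// Constructed sample run: one registered app, one token carrying a user identity.
const demoRegistry = new Map([['app-1234', publicKey]]);
const demoToken = createToken({ appid: 'app-1234', userid: 'alice' }, privateKey);
console.log(validateToken(demoToken, demoRegistry));
```

Because anyone holding the private key can mint tokens for the app (and for any user identity placed in them), the key's storage and access control on the app server decide how much this trust is worth.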

Page 23: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

What You Might Not Be Aware Of: #1

OAuth is only supported in Office 365
• No support in On-Prem deployments at RTM
• Why?

Possible update to this story after RTM
• Extra steps?
• Hotfix?
• Cumulative Update?
• Service Pack?
• Next Version?

Page 24: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Creating Apps with Identities & Permissions

Page 25: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

What You Might Not Be Aware Of: #2

Office 365 Azure
• “Private Cloud”
• Azure Web Sites
• SQL Azure DBs
• Access Control Service

Windows Azure
• www.azure.com
• Cloud services
• Web Sites
• Virtual Machines
• Storage (blob / queue / table)
• Service Bus
• SQL Azure
• Access Control Service
• …

Office 365 Azure != Windows Azure

Page 26: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

The Sandbox Isn’t Dead

Where you build sandbox solutions, try to replace them with SharePoint Apps

There are many scenarios where Apps can’t replace sandbox solutions

Some things are ONLY possible with sandboxed solutions in a hosted deployment

Remember, they are deprecated, not dead!

Page 27: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

App Model Parting Thoughts

• SharePoint ALM has always been hard
• .NET ALM > SharePoint ALM
• More tools, more mature, more documentation & support
• No longer limited to what SharePoint supports
• Latest version of the .NET Framework
• New “toys” (MVC, Entity Framework, etc)
• Not limited to any technology stack / infrastructure
• Working with service layer vs. server side API
• More community tools & libraries to choose from
• Can follow more “standards”

Don’t have to scale SharePoint, can now just scale the app

Page 28: Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

Questions? Want to Learn More?

SharePoint Courses for Everyone
• SharePoint 2007, 2010 & 2013
• Developers, Administrators & End Users

Get Training How You Like it
• Hands-On (classroom with hands-on labs)
• Online (live webcast with take-away labs)

Private Classes Available for Large Groups

SharePoint Courses for Everyone
• SharePoint 2007, 2010 & 2013
• Developers, Administrators & End Users

Individual, Small Business & Enterprise Plans
• Monthly or Annual Subscriptions
• Watch Online & Offline

Subscribers Have Access to Entire Catalog

www.CriticalPathTraining.com

Hands-On & Virtual Training

www.Pluralsight.com

On-Demand Training
