Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
Radi Atanassov
SharePoint MCM & MVP
OneBit Software Ltd.
Who's this guy?
• Radi Atanassov
• SharePoint 2010 MCM
• SharePoint Server MVP
• OneBit Software Ltd.
• Web Platform User Group
• @RadiAtanassov
This talk is about…
• How “apps” work
• The App infrastructure
• App authentication
• Connectivity
SharePoint's extensibility history
• 2001…
• 2003… CAML?!?
• 2007 – The SharePoint OM & UI enhanced…
– Greater complexity & greater flaws
– But still a strong “platform” we all love
• 2010 – Service Applications, Ribbon, Sandbox
• 2013 – Apps & the marketplace, On-Premise Apps
Why is the App Model important to us?
• Cost to the business
– We don’t want SP projects to be expensive
– We want more value for the same budget
• SharePoint cannot be "fixed"
– Cannot replace the DB schema
– Cannot rewrite the OM
• Microsoft's preferred approach moving forward
– We've been doing it for years
• Office now releases every 3 months
What is an “App” anyway?
• The new word for iFrame
• Another way of providing functionality, but keeping custom code outside of SharePoint
• Functionality you can buy from a marketplace
• A huge marketing stunt to drive adoption
• The infrastructure, plumbing, authentication model & framework to do things we did for a while
Why is authentication important to us?
• So we don’t look like we don’t know what we are doing!
• We are moving to the CLOUD…
• We need to integrate with Exchange 2013, Lync 2013 and custom Apps
• We need to understand & design hybrid deployments
• You can’t have “Apps” without authentication
• It matters when you do on-premises or hybrid Apps
APPTECTURE
SharePoint Apps
Recap - App Hosting Models
• SharePoint-Hosted app (SharePoint App Web provisioned on the SharePoint Host Web)
– Provisions an isolated sub web on a host web
– Use SP artifacts & out-of-box web parts
– Use HTML & JavaScript for UI & client-side logic
– Use Workflows for middle tier logic
• Cloud-hosted apps
– Provider-hosted app: provide your own hosting environment (your hosted site)
  - Use server code
  - Receive SP events
  - Use OAuth to access SP
– Autohosted app: Windows Azure + SQL Azure provisioned automatically as apps are installed
Recap - App Shapes
• Full page – Implement complete app experiences to satisfy business scenarios
• App Parts – Create app parts that can interact with the SharePoint experience
• UI command extensions – Add new commands to the ribbon and item menus
Recap - App Package
[Diagram: .app Package (OPC) – WSP, Azure, App Web (from WSP), Host Web]
Slide courtesy of Mike Morton
App Manifest
<?xml version="1.0" encoding="utf-8" ?>
<!--Created:cb85b80c-f585-40ff-8bfc-12ff4d0e34a9-->
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SharePointApp1" ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>SharePointApp1</Title>
    <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
    <SupportedLocales>
      <SupportedLocale CultureName="en" /><SupportedLocale CultureName="en-AU" /><SupportedLocale CultureName="bg" />
    </SupportedLocales>
  </Properties>
  <AppPrincipal><RemoteWebApplication ClientId="*" /></AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  </AppPermissionRequests>
  <AppPrerequisites><AppPrerequisite Type="Capability" ID="A83C8D70-71DE-4260-9FB8-677418EB47F2" /></AppPrerequisites>
</App>
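Added example, not from the deck: a least-privilege review of an AppManifest.xml shaped like the one above, in Python. The manifest text is constructed after the slide, and the review rules (placeholder ClientId, tenant-wide scopes, Manage/FullControl rights) are the editor's, not Microsoft's tooling.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}

# Constructed manifest modelled on the slide; ClientId="*" is the project-template placeholder.
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SharePointApp1" ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties><Title>SharePointApp1</Title>
    <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage></Properties>
  <AppPrincipal><RemoteWebApplication ClientId="*" /></AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  </AppPermissionRequests>
</App>"""

# App permission rights, least to most powerful.
RIGHTS = ("Read", "Write", "Manage", "FullControl")

def review_manifest(xml_text):
    """Lists every permission request and returns the findings a reviewer raises before install."""
    root = ET.fromstring(xml_text)
    perms = [(p.get("Scope"), p.get("Right")) for p in root.iterfind(".//m:AppPermissionRequest", NS)]
    findings = []
    principal = root.find("m:AppPrincipal/m:RemoteWebApplication", NS)
    if principal is not None and principal.get("ClientId") == "*":
        findings.append("ClientId is the '*' placeholder; bind the app to its registered client id")
    for scope, right in perms:
        if right not in RIGHTS:
            findings.append(f"unknown right {right!r} on {scope}")
        if scope.endswith("/tenant"):
            findings.append(f"tenant-wide scope {scope} ({right}) spans the whole tenant; confirm the need")
        if right in ("Manage", "FullControl"):
            findings.append(f"{right} on {scope} grants more than data access; confirm the need")
    return {"permissions": perms, "findings": findings}
```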
The App Domain - *.contosoapps.com
• You should use a unique domain name, not a subdomain
• Only one in the farm!
• Prevents XSS attacks and script injection into the parent
• Prevents cookie information leaking
• Separates Apps from SharePoint sites, aka "app isolation"
• The reason why AAMs don't work with Apps
• Use SSL, even on dev environments!
• Should use wildcard certificates on a dedicated web application
• The app domain should be in the Internet or Restricted sites security zone in Internet Explorer
• Wildcard DNS should point to the load balancer
The App URL - *.contosoapps.com
• https://{appPrefix}-{UID}.{appdomain}/{appName}
• In MT scenarios each tenant has their own {appPrefix}
• {UID} comes from the subscription service
• {appName} - the App name
• https://app-73ff422090f6f4.mcmapps.com/SharePointApp2
REVIEW APP SETUP
DEMO
AUTHENTICATION WITH OFFICE 365
SharePoint Apps
SharePoint OAuth & Office 365
OAUTH IN ACTION – OFFICE 365
DEMO
OAuth-authenticated request – Context Token
<form id="frmRedirect" action="https://localhost:44301/Pages/Default.aspx?SPHostUrl=...;SPLanguage=en....." method="post">
  <input type="hidden" name="SPAppToken" value="eyJ0eXAiOiJKV…CnQ" />
  <input type="hidden" name="SPSiteUrl" value="https://onebitdev5.sharepoint.com" />
  <input type="hidden" name="SPSiteTitle" value="OneBit Software Ltd. Team Site" />
  <input type="hidden" name="SPSiteLogoUrl" value="" />
  <input type="hidden" name="SPSiteLanguage" value="en-US" />
  <input type="hidden" name="SPSiteCulture" value="en-US" />
  <input type="hidden" name="SPRedirectMessage" value="EndpointAuthorityMatches" />
  <input type="hidden" name="SPErrorCorrelationId" value="" />
  <input type="hidden" name="SPErrorInfo" value="" />
</form>
Decoded JWT token
Header:
{
  "typ":"JWT",
  "alg":"HS256"
}
Payload:
{
  "aud":"ded48005-1c15-416e-a84b-9b1b0fb5a50e/localhost:44301@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
  "iss":"00000001-0000-0000-c000-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
  "nbf":"1360231739",
  "exp":"1360274939",
  "appctxsender":"00000003-0000-0ff1-ce00-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
  "appctx":"{\"CacheKey\":\"jE7itw4EgtsIxnejiJ20ldz4VUVQagnkh5A+tShdjTU=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
  "refreshtoken":"IAAAALi3Arn…",
  "isbrowserhostedapp":"true"
}
iss = Issuer, aud = Audience
Context Token in POST
POST https://onebitdev5.sharepoint.com/_vti_bin/client.svc/ProcessQuery HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLC…iKlpA
Content-Type: text/xml
Host: onebitdev5.sharepoint.com
Content-Length: 615
Expect: 100-continue
Accept-Encoding: gzip, deflate

<Request AddExpandoFieldTypeSuffix="true" SchemaV….
(Access Token inside the Authorization header)
OAuth 2.0 Request
{
grant_type=refresh_token
client_id=ded48005-1c15-416e-a84b-9b1b0fb5a50e%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
client_secret=9hU432522%2fupFTP7ogz6pw7IgsbY8JpW1JFjgHCcegs%3d
refresh_token=IAAAALi3…ifDZwbNk
resource=00000003-0000-0ff1-ce00-000000000000%2fonebitdev5.sharepoint.com%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
}
OAuth 2.0 Response
{
"token_type":"Bearer",
"access_token":"eyJ0eXAiOiJKV1Q…phfQ",
"expires_in":"43199",
"not_before":"1360233350",
"expires_on":"1360276550",
"resource":"00000003-0000-0ff1-ce00-000000000000/onebitdev5.sharepoint.com@8822364f-0b55-48a9-88f8-1b1fcc2e5e89"
}
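Added example, not from the deck: a Python sketch of what a provider-hosted app should do with the posted SPAppToken before trusting it (pin the algorithm, verify the HS256 signature, check aud, iss and the nbf/exp window), and how the refresh_token grant shown above is derived from the token's claims. The client id, realm and secret are constructed placeholders, and the signing-key derivation (the base64-decoded client secret) is an assumption about the platform.

```python
import base64, hashlib, hmac, json

# Constructed demo values that mirror the shapes on the slides; not real credentials.
CLIENT_ID = "ded48005-1c15-416e-a84b-9b1b0fb5a50e"
REALM = "8822364f-0b55-48a9-88f8-1b1fcc2e5e89"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"  # issues the context token
SP_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint, the resource
CLIENT_SECRET = base64.b64encode(b"constructed-demo-secret-not-a-real-one!").decode()

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256(signing_input):
    # Assumption: the HMAC key is the base64-decoded client secret.
    return hmac.new(base64.b64decode(CLIENT_SECRET), signing_input.encode(), hashlib.sha256).digest()

def validate_context_token(token, app_host, now):
    """Verify a posted SPAppToken: alg pinned, HS256 signature, aud, iss, nbf/exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an algorithm switch
    if not hmac.compare_digest(hs256(f"{header_b64}.{payload_b64}"), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims["aud"] != f"{CLIENT_ID}/{app_host}@{REALM}":
        raise ValueError("audience mismatch")  # minted for another app or host
    if claims["iss"] != f"{ACS_PRINCIPAL}@{REALM}":
        raise ValueError("issuer mismatch")
    if not int(claims["nbf"]) <= now < int(claims["exp"]):
        raise ValueError("token outside nbf/exp window")
    return claims

def build_refresh_request(claims, sp_host):
    """refresh_token grant fields as on the slides; realm is the issuer suffix, STS URL from appctx."""
    realm = claims["iss"].split("@", 1)[1]
    return {"url": json.loads(claims["appctx"])["SecurityTokenServiceUri"],
            "grant_type": "refresh_token", "client_id": f"{CLIENT_ID}@{realm}",
            "client_secret": CLIENT_SECRET, "refresh_token": claims["refreshtoken"],
            "resource": f"{SP_PRINCIPAL}/{sp_host}@{realm}"}

def make_sample_token(now, valid_signature=True):
    """Constructed context token laid out like the decoded JWT on the slides."""
    claims = {"aud": f"{CLIENT_ID}/localhost:44301@{REALM}", "iss": f"{ACS_PRINCIPAL}@{REALM}",
              "nbf": str(now - 60), "exp": str(now + 43140), "refreshtoken": "constructed-refresh",
              "appctxsender": f"{SP_PRINCIPAL}@{REALM}", "isbrowserhostedapp": "true",
              "appctx": json.dumps({"CacheKey": "constructed", "SecurityTokenServiceUri":
                                    "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"})}
    signing_input = b64url_encode(b'{"typ":"JWT","alg":"HS256"}') + "." + b64url_encode(json.dumps(claims).encode())
    sig = hs256(signing_input) if valid_signature else b"\x00" * 32  # tampered token for the negative case
    return f"{signing_input}.{b64url_encode(sig)}"
```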
OAUTH IN ACTION – ON-PREMISES
SharePoint Apps
Server-to-Server Trust
• Trusted connection between app and SharePoint
– Eliminates need for ACS when running apps in on-premises farm
– Trust between servers configured using SSL certificates
– App code requires access to private key of SSL certificate
– Requires creating Security Token Service on SharePoint server(s)
[Diagram: S2S STS; SSL certificate public/private key pair (.pfx); numbered steps 1–4]
Developing High-Trust Apps
http://msdn.microsoft.com/en-us/library/fp179901.aspx
Terminology
• High-Trust
• Low-Trust
• Full-Trust
• Partial-Trust
• Server-2-Server Trust (S2S)… different from STS
• Sandbox Solutions
• User Code Solutions
DEMO
Configuring Server-2-Server Trust for App Dev
App security concerns
• A new attack vector, old attack principles
• A provider hosted app can be “upgraded” by the provider. Do you trust your vendor?
• Script injection and in-flight modification
• SSL is important!
• Many more…
References
• Explore the app manifest and the package of an app for SharePoint http://msdn.microsoft.com/en-us/library/fp179918.aspx
• URL strings and tokens in apps for SharePoint http://msdn.microsoft.com/en-us/library/jj163816.aspx
• OAuth authentication and authorization flow for cloud-hosted apps in SharePoint 2013 http://msdn.microsoft.com/en-us/library/fp142382.aspx
• How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic) http://msdn.microsoft.com/en-us/library/office/apps/fp179901.aspx
• How to: Package and publish high-trust apps for SharePoint 2013 http://msdn.microsoft.com/en-us/library/office/apps/jj860570.aspx
Key takeaways
• You should definitely look into SharePoint Apps!
• Do your best to understand authentication now
• Complex cloud scenarios will come
Contact me
• @RadiAtanassov
• Facebook: Radi Atanassov
• LinkedIn: http://au.linkedin.com/in/sharepointradi
• www.onebitsoftware.net
• Mobile: +359 878 823 339