Understanding Authentication and Permissions with Apps for SharePoint and Office. Kirk Evans Principal Premier Field Engineer, Microsoft Corporation 3-603. Kirk Evans. Expertise. Microsoft Principal Premier Field Engineer Microsoft Certified Master—SP2010 http://blogs.msdn.com/kaevans.
Understanding Authentication and Permissions with Apps for SharePoint and Office • Kirk Evans • Principal Premier Field Engineer, Microsoft Corporation • 3-603
Kirk Evans Expertise • Microsoft • Principal Premier Field Engineer • Microsoft Certified Master—SP2010 • http://blogs.msdn.com/kaevans • 15+ years of experience • @kaevans Please use Twitter! @kaevans #bldwin
Agenda • Establishing trust. • Types of app authentication. • OAuth authentication. • App authorization. • Dynamic permission requests. Close Shave by SeaDave, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/
Establishing trust Dr. Garland prepares to fall by genvessel, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/
[Diagram: Kirk, Contoso, and the Contoso photo app, first with a question mark and then with the actions view, upload, tag, comment, delete, change password listed for the app.]
App model: past, present, and future [Diagram labels: Azure, IIS, LAMP, etc…; SharePoint 2007; SharePoint 2010; SharePoint 2013; SharePoint Sandbox; SharePoint _api]
Hosting models (diagram labels):
• SharePoint-hosted app: SharePoint “Host” web and the app’s own SharePoint “AppWeb”; the app runs as JavaScript in the app web.
• Cross-domain JavaScript library: SharePoint “Host” web and SharePoint “AppWeb”; JavaScript calls SharePoint across domains.
• Cloud-hosted app: SharePoint “Host” web and SharePoint “AppWeb”; the external app authenticates to SharePoint with OAuth.
Authentication (decision flowchart):
Start → User credentials provided?
• Yes → Call is to an app web?
  • No → User only context
  • Yes → User + app context
• No → App token provided?
  • No → Anonymous context
  • Yes → App token includes user?
    • Yes → User + app context
    • No → App only context
End
OAuth roles (diagram labels): Authorization server • Client • Resource owner • Resource server. In the SharePoint app flow these are ACS (authorization server), App.com (client), the user via the browser (resource owner) and SharePoint (resource server).
Context token flow (sequence diagram between ACS, App.com, the browser and SharePoint):
1) User browses to a SharePoint page with an app part on it.
2) SharePoint requests a context token.
3) ACS returns a signed context token.
4) SharePoint renders the page with an iframe which will POST the context token to App.com: POST https://app.com/ … SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…
5) The iframe causes the browser to request contents from App.com, including the context token.
6) App.com validates the signature on the context token, extracts the auth code, and uses its credentials to request an access token from ACS.
7) Windows Azure Access Control Services (ACS) returns an access token.
8) App.com calls the SharePoint CSOM or REST API with the access token.
9) SharePoint returns data from the CSOM or REST API call.
10) App.com returns the iframe contents.
OAuth token summary [Diagram: three tokens are in play between ACS, App.com, the browser and SharePoint: the context token (posted to App.com in step 5), the refresh token (sent to ACS in step 6) and the access token (returned by ACS in step 7 and presented to SharePoint in step 8).]
Context token format—Base 64 encoded. The SPAppToken value is a JWT: three dot-separated Base64url segments (header, claims, HMAC signature). The header segment below decodes to {"typ":"JWT","alg":"HS256"}; the claims segment is omitted here: SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.….c4gAOr-4OsWo-M54t1WRT0OrjVHtl2c7jpK4N5Hbof4
Context token format—Decoded JSON (the nbf and exp claims are shown as on the slide, with the readable time followed by the numeric epoch value carried in the token):
{
  "aud": "ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@2c439330-685e-4c13-817b-e057b9637ad0",
  "iss": "00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "nbf": 2012-11-11 20:27:25Z (11/11/2012 12:27:25 PM) - 1352665645,
  "exp": 2012-11-12 08:27:25Z (11/12/2012 12:27:25 AM) - 1352708845,
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "appctx": {
    "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
    "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"
  },
  "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw…",
  "isbrowserhostedapp": true
}
Permission requests
Apps request the permissions they require to run:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/>
</AppPermissionRequests>
Permission requests: anatomy of one request, <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>. The slide labels its parts: the Right ("Read") is the capability; in the Scope URI, "sharepoint" is the product, "content" is the permission provider, and "sitecollection" is the specific component.
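An added Python example (not part of the slides) that parses the permission-request fragment from the preceding slides into the parts labelled above (capability, product, permission provider, specific component) and runs a least-privilege review over it: rights above a chosen ceiling, unrecognised rights, and write-capable rights that AllowAppOnlyPolicy would let the app exercise with no user present. The review thresholds, RIGHT_RANK ordering and helper names are assumptions; the sample input is the slide's fragment.

```python
import xml.etree.ElementTree as ET
# The permission-request fragment shown on the slide, used here as sample input.
SAMPLE_REQUESTS = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/>
</AppPermissionRequests>"""

# Rights ordered from least to most powerful (Query is the read-like right used by search).
RIGHT_RANK = {"Query": 1, "Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}

def local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop a namespace so a bare fragment or a full manifest both parse

def parse_permission_requests(xml_text: str) -> dict:
    """Split each request into the parts the slide labels: capability (Right), product, provider, component."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "AppPermissionRequests":
        raise ValueError("expected an <AppPermissionRequests> element")
    requests = []
    for req in root:
        if local(req.tag) != "AppPermissionRequest":
            continue
        scope = req.attrib["Scope"]
        product, _, rest = scope.partition("://")[2].partition("/")  # "sharepoint"
        provider, _, component = rest.partition("/")                 # "content", "sitecollection/..."
        requests.append({"scope": scope, "product": product, "provider": provider,
                         "component": component or None, "right": req.attrib["Right"],
                         "properties": {p.attrib["Name"]: p.attrib["Value"]
                                        for p in req if local(p.tag) == "Property"}})
    return {"allow_app_only": root.attrib.get("AllowAppOnlyPolicy", "false").lower() == "true",
            "requests": requests}

def review_findings(parsed: dict, max_right: str = "Write") -> list:
    """Least-privilege review: rights above max_right, unknown rights, and app-only write access."""
    findings = []
    for r in parsed["requests"]:
        rank = RIGHT_RANK.get(r["right"])
        if rank is None:
            findings.append(f"{r['scope']}: unrecognised right {r['right']}")
            continue
        if rank > RIGHT_RANK[max_right]:
            findings.append(f"{r['scope']}: {r['right']} exceeds {max_right}")
        if parsed["allow_app_only"] and rank >= RIGHT_RANK["Write"]:
            findings.append(f"{r['scope']}: {r['right']} is usable app-only (no user context)")
    return findings
```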
Dynamic permission requests (sequence diagram between ACS, App.com, the browser and SharePoint):
1) User browses to a web page on App.com.
2) Browser is redirected to OAuthAuthorize.aspx.
3) SharePoint looks up the app principal based on the client_id: /_layouts/15/OAuthAuthorize.aspx?IsDlg=1&client_id=3ca819d1-0ef8-4cbf-aa76-9ae45fd78b14&scope=Web.Write&response_type=code
4) User grants permission, and the browser is redirected to App.com with the code: https://localhost:44301/Default.aspx?code=IAAAACn2TwEi67U76rep34e...S4NLsp4mi2IR2g&IsDlg=1
5) App.com requests an access token using the code.
6) Microsoft Azure Access Control Services returns an access token.
7) App.com requests data from SharePoint using the access token.
8) Data is returned from SharePoint and the page is rendered.
Summary • Establishing trust. • Types of app authentication. • OAuth authentication. • App authorization. • Dynamic permission requests.
Resources • http://dev.office.com • http://blogs.msdn.com/kaevans