Understanding Authentication and Permissions with Apps for SharePoint and Office

Kirk EvansPrincipal Premier Field Engineer, Microsoft Corporation3-603

MicrosoftPrincipal Premier Field EngineerMicrosoft Certified Master—SP2010

http://blogs.msdn.com/kaevans

Kirk Evans

Please use Twitter! @kaevans #bldwin

15+ Years of Experience

Expertise

@kaevans

Establishing trust.Types of app authentication.OAuth authentication.App authorization.Dynamic permission requests.

Agenda

Close Shave by SeaDave, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/

Establishing trust

Dr. Garland prepares to fall by genvessel, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/

Contoso photo

Contoso

Contoso photo

Contoso

View, upload, tag, comment,

, upload, tag, comment,delete, change password.

delete, change password.

Contoso photo

Contoso

, upload, tag, commentdelete, change password.

App model: past, present, and future

SharePoint

SharePoint 2007

Sandbox

SharePoint 2010

SharePoint

Azure, IIS, LAMP, etc…

SharePoint 2013

Demo: SharePoint connect

Types of app authentication

SharePoint hosted app

SharePoint“Host” web

App Web JavaScript

SharePoint“AppWeb”

Cross domain JavaScript library

JavaScript(cross domain)

Cloud-hosted app

AuthenticationUser credentials

provided?Start

User only context

App only context

User + app context

Anonymous context

App tokenprovided?

App tokenIncludes user?

Yes Yes

Call is to an app web?

Demo: basic app authentication

OAuth authentication

ClientResource server

Resource owner

Authorization server

App.comSharePointBrowser

1) User browses to a SharePoint page with an app part on it.

2) SharePoint requests a context token.

3) ACS returns a signed context token.

4) SharePoint renders page with iframe which will POST the context token to App.com.

POST https://app.com/…SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…

5) iframe causes browser to request contents from App.com including the context token.

6) App.com validates the signature on the context token, extracts the auth code, and uses its credentials to request an access token from ACS.

7) Windows Azure Access Control Services (ACS) returns an access token.

8) App.com calls SharePoint CSOM or REST API with access token.

9) SharePoint returns data from CSOM or REST API call.

10) App.com returns the iframe contents.

Context

Refresh

Access

OAuth token summary

Context token format—Base 64 EncodedSPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJhZDY5NmU1NS0zZjMzLTQwNzgtYjM2Ny0yZTdiNzVkNjQ1ZjIvbG9jYWxob3N0OjQ0MzAwQDJjNDM5MzMwLTY4NWUtNGMxMy04MTdiLWUwNTdiOTYzN2FkMCIsImlzcyI6IjAwMDAwMDAxLTAwMDAtMDAwMC1jMDAwLTAwMDAwMDAwMDAwMEAyYzQzOTMzMC02ODVlLTRjMTMtODE3Yi1lMDU3Yjk2MzdhZDAiLCJuYmYiOjEzNTI2NjU2NDUsImV4cCI6MTM1MjcwODg0NSwiYXBwY3R4c2VuZGVyIjoiMDAwMDAwMDMtMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwQDJjNDM5MzMwLTY4NWUtNGMxMy04MTdiLWUwNTdiOTYzN2FkMCIsImFwcGN0eCI6IntcIkNhY2hlS2V5XCI6XCJCU2lLOFNmQS9lVk5lTU10SUpjVkJPM2xJNUxYY1BjN0p3SUcyWGNqWDR3PVwiLFwiU2VjdXJpdHlUb2tlblNlcnZpY2VVcmlcIjpcImh0dHBzOi8vYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldC90b2tlbnMvT0F1dGgvMlwifSIsInJlZnJlc2h0b2tlbiI6IklBQUFBS0JDb1Bwby1FVm9PZ3dBMGZ3SDVQV3dyY29PR3BGSHdpVW1CMnpBZjRjMXdoeFFzOXlWRlVtcWNqNmYyZ2JTRF9CM3dPakktRXN2b2dWVWVQeXBtMjF5RlQ3VkxFdW5OSW1rT1RxeHFtb1BwSE9SU3F0c2pXaEhOdnUxM0ppVmNGZzh2UEFyMl9HbFFCNjBQVThQdEVUVlpjWXpCcExhY3hzNjNlVVdMajBTY0lQMGwzUW12dENTVEdidlRqUW1hR3RGaVZYQnZwLXhQN1RuZnlkRUJUUG9hTDNDcERoQXA5TVhMNXpsRVIxbUtBdDN6bEEtSXpQSzdRTmxyOVJ5RnVPTnJGZmtSRnhyRHNBTDJMS0hPZ2pkZVM5Y0VHWnpZdG9odkdWRFFiVWptaFlxM3FueHYyM09qX25idm9KNUNJQXBTOTVMUTNXVkwyaFJKQlltUHVIQ1Z3emhjZG12QlJJNURJZVNYb25RR2d5blNVYU9vUUtheUg2b1R6RzcwSWljaUtSNm5FMzJZYnhhaGJzdm1XOGszblpvaTV4TDdfa0JXSUZjQXh0Ny1sMUJxTEFockpoZEliZ0dVa1VpVGk5d3JJVm9KZ0RDTDNxSzZucGNHdm4xbGdRZWNBbFpkeG5qOGltcmdGVmRmNDVGa1EyQTZTOTJEakVjWE1odUZwakE2aHFpSzdHRU85ZnEwM0tER0tjIiwiaXNicm93c2VyaG9zdGVkYXBwIjoidHJ1ZSJ9.c4gAOr-4OsWo-M54t1WRT0OrjVHtl2c7jpK4N5Hbof4

Context token format—Decoded JSON{ "aud":ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@2c439330-685e-4c13-817b-e057b9637ad0 "iss":00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0 "nbf":2012-11-11 20:27:25Z (11/11/2012 12:27:25 PM) - 1352665645 "exp":2012-11-12 08:27:25Z (11/12/2012 12:27:25 AM) - 1352708845 "appctxsender":00000003-0000-0ff1-ce00-000000000000@2c439330-685e-4c13-817b-e057b9637ad0 "appctx":{ "CacheKey":"BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=“ "SecurityTokenServiceUri":"https://accounts.accesscontrol.windows.net/tokens/OAuth/2" } "refreshtoken":IAAAAKBCoPpo-EVoOgwA0fwH5PWw… "isbrowserhostedapp":true}

App Authorization

Permission requestsApps request the permissions they require to run:

Permission requests<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>

ProductPermission ProviderSpecific component Capability

Available app permissionsScope Scope Alias Right

http://sharepoint/content/tenant AllSites Read;Write;Manage;FullControl

http://sharepoint/content/sitecollection Site Read;Write;Manage;FullControl

http://sharepoint/content/sitecollection/web Web Read;Write;Manage;FullControl

http://sharepoint/content/sitecollection/web/list List Read;Write;Manage;FullContr

olhttp://sharepoint/bcs/connection None (not currently

supported) Read

http://sharepoint/search Search QueryAsUserIgnoreAppPrincipal

http://sharepoint/projectserver ProjectAdmin Managehttp://sharepoint/projectserver/projects Projects Read;Writehttp://sharepoint/projectserver/projects/project Project Read;Writehttp://sharepoint/projectserver/enterpriseresources ProjectResources Read;Writehttp://sharepoint/projectserver/statusing ProjectStatusing SubmitStatushttp://sharepoint/projectserver/reporting ProjectReporting Readhttp://sharepoint/projectserver/workflow ProjectWorkflow Elevatehttp://sharepoint/social/tenant AllProfiles Read;Write;Manage;FullContr

olhttp://sharepoint/social/core Social Read;Write;Manage;FullContr

olhttp://sharepoint/social/microfeed Microfeed Read;Write;Manage;FullContr

olhttp://sharepoint/taxonomy TermStore Read;Write

Consent

Demo: app permissions

Dynamic app permission requests

1) User browses to a web page on App.com.

2) Browser is redirected to OAuthAuthorize.aspx

3) SharePoint looks up the app principal based on the client_id.

/_layouts/15/OAuthAuthorize.aspx?IsDlg=1&client_id=3ca819d1-0ef8-4cbf-aa76-9ae45fd78b14&scope=Web.Write&response_type=code

4) User grants permission, browser is redirected to App.com with code.

https://localhost:44301/Default.aspx?code=IAAAACn2TwEi67U76rep34e...S4NLsp4mi2IR2g&IsDlg=1

5) App.com requests access token using code.

6) Microsoft Azure Access Control Services returns an Access token.

7) App.com requests data from SharePoint using access token.

8) Data is returned from SharePoint and page is rendered.

Demo: SPLister

Establishing trust.Types of app authentication.OAuth authentication.App authorization.Dynamic permission requests.

Summary

Resourceshttp://dev.office.comhttp://blogs.msdn.com/kaevans

Evaluate this session

Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Understanding Authentication and Permissions with Apps for SharePoint and Office

Documents

Transcript of Understanding Authentication and Permissions with Apps for SharePoint and Office

SharePoint 2013. Service Applications The Application Management Service manages licenses and permissions for SharePoint apps SharePoint Translation Services.

SharePoint 2010 Extranets & Authentication · SharePoint 2010 Security • SharePoint 2010 changes authentication • Uses classic mode and claims based authentication • Classic

SharePoint Authentication and Authorization

DocAve 6 Administrator User GuideDocAve 6: Administrator for SharePoint 2. SharePoint Permissions: These permissions must be manually configured prior to using DocAve 6 Administrator;

Electronic Forms and Alternative SharePoint App Approaches Electronic Forms … · WebAPI Authentication Can be anonymous Very useful for anonymous form submits Simplifies permissions

SharePoint 2010 Custom Authentication Providers

SharePoint Permissions - SPDocKit

Microsoft ® Official Course Managing Identity and Permissions Microsoft SharePoint 2013 SharePoint Practice.

Test Lab Guide: Demonstrate Permissions with SharePoint Server 2013

SharePoint Permissions 101 (text)

Managing permissions in SharePoint

SHAREPOINT PERMISSIONS NIGHTMARE · Users imported from AD 33 permissions Site, List, DocLib, Item… Site Permissions (18) List Permissions (12) Personal Permissions ( 3) Sites Lists

SharePoint 2013 Governance - Managing Permissions

Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

SharePoint 2013 REST API & Remote Authentication

DocAve 6 SharePoint Migrator User Guide · Forms Based Authentication Permissions ... Supported and Unsupported Form Controls for Nintex Form in SharePoint 2010 to SharePoint Online

Test Lab Guide: Demonstrate Permissions with SharePoint ... · Test Lab Guide: Demonstrate Permissions with SharePoint Server 2013 This document is provided “as-is”. Information

Guide to SharePoint Permissions - TekReach · SharePoint Permissions Guide Subscribe for more SharePoint E-books TekReach.com | Share this eBook Before SharePoint’s time company

SharePoint Saturday Houston: SharePoint 2010 Extranets & Claims Authentication

Sharepoint permissions management with SPDocKit