Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
Handling Cross-Domain calls & authentication in SharePoint 2013
Transcript of Handling Cross-Domain calls & authentication in SharePoint 2013
Handling Cross-Domain calls & authentication in SharePoint 2013 - Stephane Eyskens
About me
• SharePoint Server MVP since 2008
• Blog: http://www.silver-it.com
• @stephaneeyskens
Poll
• Who has already developed Apps for Customers?
• Who has deployed an App to the Office Store?
• Who has used CORS in a real-world project?
Take Away
• CORS is your friend
• SharePoint X-DOM Libraries do not make X-DOM calls
• HTML5 is your friend too
• Everything is a question of HTTP Headers in the end
Cross-Domain Challenges?
Same-Origin Policy
Authentication across domains isn’t easy
Same-origin Policy reminder
http://intranet.contoso.com
http://collaboration.contoso.com:80/ (protocol: http, host: collaboration.contoso.com, port: 80)
Same-Origin Policy Workaround #1
Using a Proxy
PROS
• Works with every browser
CONS
• One more hop
• Must handle scaling
• Not easy to authenticate against target domain
Same-Origin Policy Workaround #2
JSONP
PROS
• None
CONS
• Is a browser hack
• In theory limited to GET unless you hack it even more
Same-Origin Policy Workaround #3
Using a reverse proxy
• Browser requests http://intranet/fakeurl/someservice/
• Reverse-Proxy converts to http://target/someservice/
Same-Origin Policy Workaround #3
Using a reverse proxy
PROS
• Works with every browser
• Possibility to forward authentication credentials using SiteMinder.
• Transparent auth if SSO is available
• No coding effort
CONS
• More of an on-prem solution
• Enterprise RP usually not available on dev boxes
Demos
Reverse Proxy on a Dev Box
Same-Origin Policy Workaround #4
IFRAMES
PROS
• Super easy
• No more cross domain
• Authentication is handled by the browser
CONS
• IFRAMES are set to same-origin by SP OOTB
• IFRAMES are not a real integration
Demos
IFRAMES
IFRAME Recap
• Remove x-frame-options or allow explicit origins via Reverse Proxy or HTTP Module
• Use <WebPartPages:AllowFraming runat="server" />
Same-Origin Policy Workaround #5
HTML5 PostMessage API
HTML5 PostMessage API
PROS
• Fast as a rocket
• Partially supported by all the browsers
• Authentication is handled by the browser
CONS
• IFRAMES are set to same-origin by SP OOTB
• Security Risks involved
• Hard to maintain
Demos
HTML5 PostMessage API
HTML5 PostMessage API Recap
• Remove x-frame-options or allow explicit origins
• In code, check the origin of the sender
• SharePoint 2013 already makes use of this API in CustomActions & Popup windows
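The receiver-side check the recap calls for, as an added example (not code from the talk): the page embedded in the IFRAME only accepts postMessage events from an explicit list of origins, treats the payload as untrusted input, and replies to the exact origin rather than "*". The origin list and the two commands are constructed assumptions.

```javascript
// Constructed example: origins of the SharePoint host page and of the app page.
const TRUSTED_ORIGINS = new Set([
  "https://intranet.contoso.com",
  "https://app-12345.contoso-apps.com",
]);

// Validate a MessageEvent-shaped object { origin, data, source }.
// Returns the parsed command, or null when the message must be ignored.
function acceptMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  // 1. Check the sender's origin; a listener that skips this accepts input from any site.
  if (!trustedOrigins.has(event.origin)) return null;

  // 2. The payload is untrusted input: parse it, never eval() it, and enforce a strict schema.
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : null;
  } catch (e) {
    return null;
  }
  if (!msg || typeof msg !== "object") return null;

  const ALLOWED_COMMANDS = new Set(["resize", "navigate"]); // constructed command set
  if (!ALLOWED_COMMANDS.has(msg.command)) return null;
  if (msg.command === "resize" &&
      !(Number.isInteger(msg.height) && msg.height > 0 && msg.height < 5000)) return null;
  // navigate: only a site-relative path; "//host" (protocol-relative) is rejected by the lookahead.
  if (msg.command === "navigate" && !/^\/(?!\/)[A-Za-z0-9\/_-]*$/.test(msg.path || "")) return null;
  return msg;
}

// Replies go to the validated origin of the sender, never to "*".
function replyTarget(event) {
  return event.origin;
}

// Browser wiring (skipped when run under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const msg = acceptMessage(ev);
    if (!msg) return;
    if (msg.command === "resize") document.body.style.minHeight = msg.height + "px";
    ev.source.postMessage(JSON.stringify({ ok: true, command: msg.command }), replyTarget(ev));
  });
}
```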
Same-Origin Policy Workaround #6
SharePoint Cross-Domain Libraries
PROS
• OOTB
CONS
• Only usable in Apps
• Only targeting SharePoint OOB endpoints in an authenticated manner. Provider-Hosted Apps cannot do both CSOM & JSOM at the same time
• Non OOTB endpoints must be registered in AppManifest & are called anonymously
Demos
I’m going to get you confused now
Same-Origin Policy Workaround #7
CORS
Same-Origin Policy Workaround #8
CORS
PROS
• Granular control on the server
• Possibility to forward authentication credentials
• Emerging standard (recently enabled on Azure Storage)
CONS
• Requires IE 10+
• Requires configuration efforts on the server
• Currently, not possible to enable CORS on o365
Demo
• Consume custom REST services hosted inside of SharePoint
CORS Config Recap
• Add the necessary HTTP Response Headers
• Use either a Reverse Proxy, a custom HTTP Module, a rewriter engine to deal with the headers
• Use the Max-Age attribute to cache preflight requests
• When using Access-Control-Allow-Credentials you can’t use * as Allowed Origin
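The server-side decision the recap describes, as an added example (not code from the talk or from SharePoint): a pure function that computes the CORS response headers for one request and can sit behind a reverse-proxy rule, a custom HTTP Module or a Node handler. It applies the two rules above: Max-Age on the preflight answer, and a specific echoed origin (never "*") whenever credentials are allowed. Origins, methods and the header list are constructed assumptions.

```javascript
// Constructed example configuration.
const ALLOWED_ORIGINS = new Set(["https://intranet.contoso.com", "https://app.contoso-apps.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
// X-RequestDigest is the header SharePoint expects on state-changing REST calls.
const ALLOWED_HEADERS = ["Content-Type", "Accept", "X-RequestDigest"];
const PREFLIGHT_MAX_AGE = 600; // seconds the browser may cache the preflight answer

// `req` = { method, headers } with lowercase header names.
// Returns { status, headers, passThrough }; passThrough=false means answer now and
// do not forward the request to the service (preflight or rejected preflight).
function corsDecision(req, opts = { allowCredentials: true, allowedOrigins: ALLOWED_ORIGINS }) {
  const origin = req.headers["origin"];
  const headers = { "Vary": "Origin" }; // a cache must not replay one origin's answer to another
  if (origin === undefined) {
    return { status: 200, headers, passThrough: true }; // same-origin or non-browser client
  }
  if (!opts.allowedOrigins.has(origin)) {
    // Unknown origin: emit no Access-Control-Allow-Origin at all, so the browser blocks the response.
    const preflight = req.method === "OPTIONS";
    return { status: preflight ? 403 : 200, headers, passThrough: !preflight };
  }
  // With credentials the spec forbids "*": echo the validated origin instead.
  headers["Access-Control-Allow-Origin"] = opts.allowCredentials ? origin : "*";
  if (opts.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (isPreflight) {
    const wanted = req.headers["access-control-request-method"];
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers, passThrough: false };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE);
    return { status: 204, headers, passThrough: false };
  }
  return { status: 200, headers, passThrough: true };
}
```

Note that a non-preflight request from an unknown origin still reaches the service; CORS only stops the browser from reading the answer, so the endpoint still needs its own request-digest or anti-forgery check.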
CORS in a Hybrid Architecture
DEMO
How to consume Claims Aware WCF Services hosted outside of SharePoint?
• Make the WCF Claims Aware, create a cert, add it to the WCF bindings, export it
• Trust the cert in SP
• Use the SharePoint API (SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser)
• Not working with Cross-Domain Libs
• Not working with CORS (oops)
• Need to implement a custom proxy
Alternative to CORS
Create your own REST endpoints
PROS
• Accessible from Apps
• Can be used together with SP Cross-Domain Libraries
• Well integrated to SP
CONS
• OnPrem only
• Hard
OOTB REST endpoints
Foundation: _api/web, _api/site, _api/lists, _api/navigation, _api/events, _api/contextinfo
Server: _api/search, _api/SP.UserProfiles.PeopleManager, _api/social.feed, _api/social.following, _api/publishing, …
• http://office.microsoft.com/en-us/store/rest-api-demo-WA104068939.aspx
• http://sprest.architectingconnectedsystems.com/
Demo
• Develop custom REST endpoints
Summary
• Cross Domain Libraries are not the only option
• All the other options work with and without Apps
• With Apps, some approaches « bypass » the App Security Model
• Extending REST endpoints is hard but facilitates authentication aspects
THANK YOU
Stephane Eyskens
[email protected]
http://www.silver-it.com/
@stephaneeyskens