Building Business Applications with SharePoint 2013 and K2Hennie LaubscherK2

Brian FarnhillIndependent Consultant

OSP226

Meet Hennie and BrianHennie LaubscherManaging DirectorK2 ANZ

Brian FarnhillIndependent ConsultantLocated in CanberraSharePoint Server MVPLecturer for Charles Sturt University

What's covered in this session?• The business case for apps• Hosting of SharePoint apps• K2 and SharePoint• Technologies that enabled apps• OAuth• CSOM and REST• Remote Event Receivers

The business case for apps

What are apps?• A new way to extend SharePoint sites• Designed to be independent from the

platform• Simplified process for users to install and

use

What makes apps so important?• Designed from the ground up

for the cloud• Apps can be built outside of the

.NET ecosystem• Easier to get up to speed on thanks

to wider adoption of open standards

Improved delivery channels• Publicly available app store

now available• Any developer can register

to publish apps• App store directly integrates

in to SharePoint to simplifyinstallation of apps

Build for more devices• Client object models now have

support for REST based access• More devices can now use these

APIs to directly communicatewith SharePoint

• Extensions to the client object models provide more functionalitythan any previous version of SharePoint

Improved upgrade story• Testing and managing customisations

has traditionally been a large partof any SharePoint project

• Apps are now more loosely bound tothe platform, and depend only on thespecific endpoints they consume

• The result is reduced time to test upgrade and less technical risk for customisations

Easier to manage• The new app model has a

new set of configurationoptions to allow IT pros to manage app usage

• Apps can be monitored foruse within a farm

• Permissions to install apps can also be managed

How to host SharePoint apps

SharePoint app hosting types• SharePoint hosted• Auto hosted• Provider hosted

Hosting SharePoint apps

Provider hosted apps

Auto hosted apps

Flexibility and

responsibility

Simple to implement

hosting

SharePoint

App Web

Used for SharePoint hosted apps

Optional for remote apps

Remote

APIs

The App Web component• Can be considered as a regular

SPWeb object• SharePoint forces them to be

viewed through an App URL• This provides isolation and

security of app specific functions

SharePoint hosted appsPros• No need to consider remote hosting

• JavaScript calls from the app web don’t need additional authentication

Cons• No server side code• Limited to the scope of a single web scoped feature

Auto hosted appsPros• Multi-tenancy and trust between the app and SharePoint configured automatically

• Tennant owner is responsible for hosting costs from Azure

Cons• Only available in SharePoint online

• Not currently being accepted to the public app store

Provider hosted appsPros• Complete freedom in regards to all aspects of hosting the application

• Easiest to make updates and changes to post installation

Cons• Multi-tenancy must be managed for all calls to the app

• You are responsible for all configuration, maintenance and health of your app

Selecting the right hosting type• Understanding your own app

will help guide the decision forappropriate hosting

• Factor in the process of managingupdates to your app when decidingon a hosting mechanism

• Understand how the pros and cons of each option will affect your architecture and approach

Updates and provider hosted apps• App updates for the app web aren’t

forced• Updated to your provider hosted

apps can run whenever you want• This means your apps need to be

aware of multiple versions that couldbe calling them

Additional Considerations• Manage expectations around

what data can be crawled bySharePoint Search

• Carefully consider approachesto avoid creating silos offunctionality that doesn’t blockcomponent re-use

• Apps can’t use Kerberos for passing through authentication

Basic provider hosted apps in SharePoint 2013Brian Farnhill

K2 and SharePoint

Forms

Workflow

Data

Reports

K2 and SharePoint

SHAREPOINT 2007/2010/2013 & OFFICE 365

Lists Docs Content Types

BUSINESS APPS

ERP

CRM

How K2 did it in the past• For the last 10 years, K2 had a separate execution

platform that was tightly integrated into SharePoint i.e. K2 always was and will continue to be a “Provider Hosted App” style solution around SharePoint.

• Making it work on SharePoint 2010 posed several tough challenges, most of which K2 has successfully solved over time:• Impersonation and authentication• Providing rich integration through interacting with SharePoint API from

a remote client (K2 Server)• Listening remotely to events raised by SharePoint• Achieving consistency between what’s possible On-Premise vs Cloud

K2 and SharePoint 2013 – Key GoalsEasy• Light Footprint on

SharePoint Box

• Easy to install

• Rapid app development

• Easy to maintain

Powerful• Robust workflow

platform

• Powerful 3rd party data integration

• Feature rich, tightly integrated electronic forms

• Flexible reporting framework

Portable• Build both LOB and

content centric solutions, same platform

• Apps in the cloud or on-premise, surfaceable in any environment, and on any device

• Package and Deployment Tools

Enabling Technologies

Significant Enabling Technologies• SharePoint Apps• OAUTH• CSOM and REST• Remote Event Receivers

K2 App for SharePoint 2013

Hennie Laubscher

OAuth

(Hennie)

?

Tweet

Tweet

Tweet, Follow, Delete

Tweet, Follow, Delete

Tweet, Follow, Delete, Change Password

Tweet, Follow, Delete, Change Password

Tweet, Follow, Delete, Change Password

Tweet, Follow, Delete, Change Password

Tweet

What is OAuth?• OAuth is an open, simple, and secure protocol that enables users to

approve an application to act on their behalf without sharing their user name and password

• Enables users to share their specific private resources or data (contact list, documents, photos, videos and so on) that are stored on one site/application with another site/application

• Enables users to revoke access to resources

• The key is that users don’t have to provide their credentials each time

Who uses OAuth?• AllPlayers.com• Amazon• Basecamp • Bitbucket • bitly• blueKiwi software• ciValidator• cosm• deviantART• Discogs • Dropbox• Evernote • Facebook • Fitbit • Flickr • Formstack • Foursquare• GitHub

• Google• Google App Engine • Groundspeak • Huddle • Instagram• LinkedIn • Microsoft (Hotmail,

Windows Live, Messenger, Xbox)

• Mixi• MySpace• Netflix • OpenLink Data Spaces• OpenTable • PayPal• Plurk• RealPeepz• Reddit• Salesforce.com

• SensioLabs Connect• Sina Weibo• StatusNet • Stripe.com • Tumblr • Twitter • Ubuntu One• Veevop• Viadeo • Vimeo • VK • Xero • XING • Yahoo! • Yammer • Yandex • Yelp • Zendesk

OAuth vs Claims based authentication• OAuth is NOT a replacement for claims-based authentication

• Users will still login via an identity provider (STS) which will issue a SAML token containing the user’s identity claim (Authentication)

• The identity claim is still used to uniquely identify a user in SharePoint and K2

• Claims are still used to determine who can do what in SharePoint and K2 (identity and group claims mapped to security provider) (Authorization)

• An OAuth token is simply a way to provide access to a calling application for an already authenticated and authorized user

How does it work in SharePoint?• OAuth is used in SharePoint in support of the new App Model

• In SharePoint 2007 and 2010 all “Apps” ran inside of SharePoint, including impersonation

• In SharePoint 2013, Apps run outside of SharePoint

• OAuth provides a way for the external App to act on behalf of users

• The App requests the level of permission it requires and can only be granted by someone with those permissions

How does it work for K2 and SharePoint?• K2 for SharePoint is a SharePoint App

• Allows K2 to integrate with SharePoint without any installation on SharePoint

• K2 for SharePoint service brokers use OAuth to act on behalf of the user

Requesting Permissions• We embed our permission request in the K2 App manifest.

• We can also request permissions “on the fly” as required.

Consent

Available App Permissions

NOTE: SharePoint Store Apps cannot request FullControl at any scope.

App Identity• Apps have an identity which is separate from user identity

• User Only

• App + User

• App Only (similar to SYSTEM)

CSOM and REST

Client Side/Remote API History• First added in SharePoint 2010

• Made available through a WCF endpoint called client.svc

• Direct access to this was not supported, developers needed to use client side proxy objects (managed .NET API , SilverLight or JavaScript)

• Managed API was easier than JavaScript (strongly typed objects and compile time checking)

SharePoint 2010 Client Side API

Server

Client

_vti_bin/client.svc

Custom code

.NET Library

Silverlight Library

JavaScript Library

Changes from SharePoint 2010 to 2013• The client.svc service extended with REST

capabilities• client.svc now supports direct access from REST clients• client.svc accepts HTTP GET, PUT, POST requests• Implemented in accordance with OData protocol

• CSOM Extended new APIs• New APIs for SharePoint Server functionality• New API for Windows Phone Applications

JavaScript Library

Silverlight Library

.Net CLR Library

Custom Client Code

Client

Server

_api is new alias for _vti_bin/client.svc

SharePoint 2013 Remote API

RESTODataJSON

CSOM

Covered in the new CSOM/REST APIs

BCSIRM

AnalyticsWorkflow

eDiscoveryPublishing

TaxonomySocial

Sharing

Search

Remote Event Receivers

Remote Event Receivers• SharePoint calls an API service in your app to notify of events• Tokens are passed to allow your app to emulate the user who triggered

the event• Summary of SharePoint interaction with third party application:

• SharePoint Event is raised.• Request a token from ACS (Access Control Service)• Interacts with registered event receiver (custom web service implementing the

IRemoteEventService interface)• The web service can also call back into SharePoint, authenticated via OAuth, to read

and write as needed.• Developing Remote Event receivers is similar to event receivers and only

change will be the receiver will have a url instead of a class and assembly name

Build and Run a solution with K2 and SharePoint 2013Hennie Laubscher

Review of what was covered• The business case for apps• Hosting of SharePoint apps• K2 and SharePoint• Technologies that enabled apps• OAuth• CSOM and REST• Remote Event Receivers

Call to action!• Download the SharePoint and Office 2013

SDK• Explore the app hosting models• Learn about the remote APIs for SharePoint

2013

Contact detailsHennie Laubscher

hennie@k2.com

www.k2.com

Brian Farnhill

brian@brianfarnhill.com

@BrianFarnhillblog.brianfarnhill.com

Developer Network

Resources for Developers

http://msdn.microsoft.com/en-au/

Learning

Virtual Academy

http://www.microsoftvirtualacademy.com/

TechNet

Resources

Sessions on Demand

http://channel9.msdn.com/Events/TechEd/Australia/2013

Resources for IT Professionals

http://technet.microsoft.com/en-au/

Keep Learning1. Keep up to date with all the latest Office 365 information

at http://ignite.office.com

2. Get on top of your pilot using the FastTrack deployment process http://fastTrack.office.com

3. Trial Office 365 http://office.microsoft.com

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.