Kirk Evans, Principal Premier Field Engineer, Microsoft Corporation. Session 3-603.
Understanding Authentication and Permissions with Apps for SharePoint and Office
Microsoft Certified Master, SharePoint 2010
http://blogs.msdn.com/kaevans
Please use Twitter! @kaevans #bldwin
15+ years of experience
Agenda
1) Establishing trust
2) Types of app authentication
3) OAuth authentication
4) App authorization
5) Dynamic permission requests
Close Shave by SeaDave, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/
Establishing trust
Dr. Garland prepares to fall by genvessel, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/
[Diagram: the Contoso photo app asks Kirk whether he trusts it and what it may do on his behalf: view, upload, tag, comment, delete, change password.]
App model: past, present, and future
[Diagram: SharePoint 2007: SharePoint. SharePoint 2010: Sandbox. SharePoint 2013: SharePoint, or Azure, IIS, LAMP, etc., talking to SharePoint through _api.]
Demo: SharePoint connect
Types of app authentication
[Diagrams: three hosting models]
SharePoint-hosted app: SharePoint "host" web and SharePoint "app web"; JavaScript runs in the app web.
Cross-domain JavaScript library: SharePoint "host" web and SharePoint "app web"; JavaScript (cross domain).
Cloud-hosted app: SharePoint "host" web and SharePoint "app web"; OAuth.
[Flowchart: authentication decision, Start to End. Questions asked: user credentials provided? app token provided? app token includes user? call is to an app web? Outcomes: user-only context (user credentials, no app token); app-only context (app token that does not include a user); user + app context (app token that includes the user); anonymous context (no user credentials or app token, and the call is to an app web).]
Demo: basic app authentication
OAuth authentication
OAuth roles: client, resource server, resource owner, authorization server.
Actors: Browser, SharePoint, App.com, ACS (Windows Azure Access Control Services).
1) User browses to a SharePoint page with an app part on it.
2) SharePoint requests a context token.
3) ACS returns a signed context token.
4) SharePoint renders the page with an iframe that will POST the context token to App.com:
POST https://app.com/…SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…
5) The iframe causes the browser to request contents from App.com, including the context token.
6) App.com validates the signature on the context token, extracts the auth code, and uses its credentials to request an access token from ACS.
7) Windows Azure Access Control Services (ACS) returns an access token.
8) App.com calls the SharePoint CSOM or REST API with the access token.
9) SharePoint returns data from the CSOM or REST API call.
10) App.com returns the iframe contents.
OAuth token summary: context token, refresh token, access token.
Context token format, Base64-encoded:
SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.….c4gAOr-4OsWo-M54t1WRT0OrjVHtl2c7jpK4N5Hbof4
Context token format, decoded JSON:
{
  "aud": "ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@2c439330-685e-4c13-817b-e057b9637ad0",
  "iss": "00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "nbf": 1352665645    (2012-11-11 20:27:25Z, 11/11/2012 12:27:25 PM),
  "exp": 1352708845    (2012-11-12 08:27:25Z, 11/12/2012 12:27:25 AM),
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "appctx": {
    "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
    "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"
  },
  "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw…",
  "isbrowserhostedapp": true
}
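Step 6 of the flow above is where App.com must check the context token before trusting anything in it: signature, validity window, audience and issuer. The following is an added Python example, not the deck's code or Microsoft's TokenHelper; it assumes a constructed client secret and takes the host, realm and issuer values from the decoded token above, and it also mints a constructed sample token so the checks can be exercised offline.

```python
import base64, hashlib, hmac, json, time
# Constructed values (not from the deck): a made-up client secret plus the app
# host, realm and ACS principal id that the decoded token above shows.
CLIENT_SECRET = "Zm9vYmFyLXRlc3Qtc2VjcmV0LWRvLW5vdC11c2U="    # constructed, base64
APP_HOST, REALM = "localhost:44300", "2c439330-685e-4c13-817b-e057b9637ad0"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_context_token(token, now=None):
    """Verify an SPAppToken (HS256 JWT) and return its claims; ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must be header.payload.signature")
    h, p, sig = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never accept alg=none or a swapped algorithm
    # The signing key is the base64-decoded client secret; compare in constant time.
    key = base64.b64decode(CLIENT_SECRET)
    expected = hmac.new(key, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # nbf/exp are UNIX seconds (the deck's token ran 20:27:25Z to 08:27:25Z the next day).
    if not (int(claims["nbf"]) <= now < int(claims["exp"])):
        raise ValueError("token not yet valid or expired")
    # aud is "<client_id>/<host>@<realm>": reject tokens minted for another app or realm.
    if not claims["aud"].endswith("/%s@%s" % (APP_HOST, REALM)):
        raise ValueError("audience mismatch")
    if claims["iss"] != "%s@%s" % (ACS_PRINCIPAL, REALM):
        raise ValueError("issuer mismatch")
    return claims

def is_valid(token, now=None):
    try:
        validate_context_token(token, now); return True
    except (ValueError, KeyError):
        return False

def make_test_token(claims, secret=CLIENT_SECRET):
    """Constructed HS256 token, built the way ACS mints one, for local testing only."""
    h = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(base64.b64decode(secret), ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (h, p, b64url_encode(sig))

# Constructed claims modelled on the decoded token above (same nbf/exp, realm and host).
SAMPLE_CLAIMS = {"aud": "ad696e55-3f33-4078-b367-2e7b75d645f2/%s@%s" % (APP_HOST, REALM),
                 "iss": "%s@%s" % (ACS_PRINCIPAL, REALM), "nbf": 1352665645, "exp": 1352708845,
                 "refreshtoken": "constructed-refresh-token", "isbrowserhostedapp": True}
```

Only after validate_context_token returns should the refreshtoken and CacheKey be used; a token that fails any one check is discarded whole.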
App Authorization
Permission requests: apps request the permissions they require to run.
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/>
</AppPermissionRequests>
Anatomy of a permission request:
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
The Scope URI names the product (sharepoint), the permission provider (content) and the specific component (sitecollection); the Right names the capability (Read).
Available app permissions
Scope | Scope Alias | Right
http://sharepoint/content/tenant | AllSites | Read;Write;Manage;FullControl
http://sharepoint/content/sitecollection | Site | Read;Write;Manage;FullControl
http://sharepoint/content/sitecollection/web | Web | Read;Write;Manage;FullControl
http://sharepoint/content/sitecollection/web/list | List | Read;Write;Manage;FullControl
http://sharepoint/bcs/connection | None (not currently supported) | Read
http://sharepoint/search | Search | QueryAsUserIgnoreAppPrincipal
http://sharepoint/projectserver | ProjectAdmin | Manage
http://sharepoint/projectserver/projects | Projects | Read;Write
http://sharepoint/projectserver/projects/project | Project | Read;Write
http://sharepoint/projectserver/enterpriseresources | ProjectResources | Read;Write
http://sharepoint/projectserver/statusing | ProjectStatusing | SubmitStatus
http://sharepoint/projectserver/reporting | ProjectReporting | Read
http://sharepoint/projectserver/workflow | ProjectWorkflow | Elevate
http://sharepoint/social/tenant | AllProfiles | Read;Write;Manage;FullControl
http://sharepoint/social/core | Social | Read;Write;Manage;FullControl
http://sharepoint/social/microfeed | Microfeed | Read;Write;Manage;FullControl
http://sharepoint/taxonomy | TermStore | Read;Write
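Reading a manifest against this table is the consent reviewer's job: is each Right actually offered for its Scope, and is anything broader than the app needs? The Python below is an added example, not code from the deck or from SharePoint; it transcribes a subset of the table above (the Project Server, BCS and Search rows are omitted), reviews a constructed manifest modelled on the deck's sample, and also renders the requests in the Alias.Right form that the OAuthAuthorize.aspx scope parameter takes (that rendering is the example's own reading of scope=Web.Write, not a documented API).

```python
import xml.etree.ElementTree as ET
# Scope URI -> (alias, rights offered), transcribed from the "Available app
# permissions" table above; Project Server, BCS and Search rows are omitted.
FULL = {"Read", "Write", "Manage", "FullControl"}
SCOPES = {
    "http://sharepoint/content/tenant": ("AllSites", FULL),
    "http://sharepoint/content/sitecollection": ("Site", FULL),
    "http://sharepoint/content/sitecollection/web": ("Web", FULL),
    "http://sharepoint/content/sitecollection/web/list": ("List", FULL),
    "http://sharepoint/social/tenant": ("AllProfiles", FULL),
    "http://sharepoint/social/core": ("Social", FULL),
    "http://sharepoint/social/microfeed": ("Microfeed", FULL),
    "http://sharepoint/taxonomy": ("TermStore", {"Read", "Write"}),
}

def review_permission_requests(manifest_xml):
    """(scope, right, notes) per request, led by an AllowAppOnlyPolicy finding when set."""
    root = ET.fromstring(manifest_xml)
    findings = []
    if root.get("AllowAppOnlyPolicy", "false").lower() == "true":
        findings.append(("AllowAppOnlyPolicy", "true",
                         ["app may call SharePoint with no user present; review every right below as app-only"]))
    for req in root.findall("AppPermissionRequest"):
        scope, right, notes = req.get("Scope"), req.get("Right"), []
        alias, allowed = SCOPES.get(scope, (None, set()))
        if alias is None:
            notes.append("scope not in the permissions table")
        elif right not in allowed:
            notes.append("right %s is not offered for scope alias %s" % (right, alias))
        else:
            if alias in ("AllSites", "AllProfiles"):
                notes.append("tenant-wide scope: covers every site collection or profile")
            if right in ("Manage", "FullControl"):
                notes.append("elevated right: confirm a narrower right or scope will not do")
        findings.append((scope, right, notes))
    return findings

def dynamic_scope_param(manifest_xml):
    """Same requests in the Alias.Right form the OAuthAuthorize.aspx scope parameter
    carries (space separated, e.g. scope=Web.Write); unknown scopes are skipped."""
    root = ET.fromstring(manifest_xml)
    return " ".join("%s.%s" % (SCOPES[r.get("Scope")][0], r.get("Right"))
                    for r in root.findall("AppPermissionRequest") if r.get("Scope") in SCOPES)

# Constructed manifest modelled on the deck's sample, plus one over-broad request.
SAMPLE_MANIFEST = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"/>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="FullControl"/>
</AppPermissionRequests>"""
```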
Consent
Demo: app permissions
Dynamic app permission requests
Actors: Browser, SharePoint, App.com, ACS.
1) User browses to a web page on App.com.
2) Browser is redirected to OAuthAuthorize.aspx.
3) SharePoint looks up the app principal based on the client_id:
/_layouts/15/OAuthAuthorize.aspx?IsDlg=1&client_id=3ca819d1-0ef8-4cbf-aa76-9ae45fd78b14&scope=Web.Write&response_type=code
4) User grants permission; the browser is redirected to App.com with the code:
https://localhost:44301/Default.aspx?code=IAAAACn2TwEi67U76rep34e...S4NLsp4mi2IR2g&IsDlg=1
5) App.com requests an access token using the code.
6) Microsoft Azure Access Control Services returns an access token.
7) App.com requests data from SharePoint using the access token.
8) Data is returned from SharePoint and the page is rendered.
Demo: SPLister
Summary
1) Establishing trust
2) Types of app authentication
3) OAuth authentication
4) App authorization
5) Dynamic permission requests
Resources
http://dev.office.com
http://blogs.msdn.com/kaevans
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.