Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API

Transcript of "Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API"

  1. Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
     Radi Atanassov
     SharePoint MCM & MVP
     OneBit Software Ltd.
  2. Who’s this guy?
     • Radi Atanassov
     • SharePoint 2010 MCM
     • SharePoint Server MVP
     • OneBit Software Ltd.
     • Web Platform User Group
     • @RadiAtanassov
  3. This talk is about…
     • How “apps” work
     • The App infrastructure
     • App authentication
     • Connectivity
  4. SharePoint’s extensibility history
     • 2001…
     • 2003… CAML?!?
     • 2007 – The SharePoint OM & UI enhanced…
       – Greater complexity & greater flaws
       – But still a strong “platform” we all love
     • 2010 – Service Applications, Ribbon, Sandbox
     • 2013 – Apps & the marketplace, On-Premise Apps
  5. Why is the App Model important to us?
     • Cost to the business
       – We don’t want SP projects to be expensive
       – We want more value for the same budget
     • SharePoint cannot be “fixed”
       – Cannot replace the DB schema
       – Cannot rewrite the OM
     • Microsoft’s preferred approach moving forward
       – We’ve been doing it for years
     • Office now releases every 3 months
  6. What is an “App” anyway?
     • The new word for iFrame
     • Another way of providing functionality, but keeping custom code outside of SharePoint
     • Functionality you can buy from a marketplace
     • A huge marketing stunt to drive adoption
     • The infrastructure, plumbing, authentication model & framework to do things we did for a while
  7. Why is authentication important to us?
     • So we don’t look like we don’t know what we are doing!
     • We are moving to the CLOUD…
     • We need to integrate with Exchange 2013, Lync 2013 and custom Apps
     • We need to understand & design hybrid deployments
     • You can’t have “Apps” without authentication
     • It matters when you do on-premises or hybrid Apps
  8. SharePoint Apps: APPTECTURE
  9. Recap - App Hosting Models
     • Provider-hosted app: SharePoint Host Web + Your Hosted Site
       – Provide your own hosting environment
     • Autohosted app: SharePoint Host Web + Windows Azure + SQL Azure
       – Azure provisioned automatically as apps are installed
     • Cloud-hosted apps (provider-hosted and autohosted)
       – Use server code
       – Receive SP events
       – Use OAuth to access SP
     • SharePoint-hosted app: SharePoint Host Web + App Web
       – Provisions an isolated sub web on a host web
       – Use SP artifacts & out-of-box web parts
       – Use HTML & JavaScript for UI & client-side logic
       – Use Workflows for middle tier logic
 10. Recap - App Shapes
     • Full page – Implement complete app experiences to satisfy business scenarios
     • App Parts – Create app parts that can interact with the SharePoint experience
     • UI command extensions – Add new commands to the ribbon and item menus
 11. Recap - App Package
     (Diagram: the .app package (OPC) deploys into the Host Web, the App Web (WSP) and Azure. Slide courtesy of Mike Morton.)
 12. App Manifest
     <?xml version="1.0" encoding="utf-8" ?>
     <!--Created:cb85b80c-f585-40ff-8bfc-12ff4d0e34a9-->
     <App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
          Name="SharePointApp1"
          ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}"
          Version="1.0.0.0"
          SharePointMinVersion="15.0.0.0">
       <Properties>
         <Title>SharePointApp1</Title>
         <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
         <SupportedLocales>
           <SupportedLocale CultureName="en" />
           <SupportedLocale CultureName="en-AU" />
           <SupportedLocale CultureName="bg" />
         </SupportedLocales>
       </Properties>
       <AppPrincipal>
         <RemoteWebApplication ClientId="*" />
       </AppPrincipal>
       <AppPermissionRequests>
         <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
         <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
       </AppPermissionRequests>
       <AppPrerequisites>
         <AppPrerequisite Type="Capability" ID="A83C8D70-71DE-4260-9FB8-677418EB47F2" />
       </AppPrerequisites>
     </App>
 13. The App Domain - *.contosoapps.com
     • You should use a unique domain name, not a subdomain
     • Only one in the farm!
     • Prevents XSS attacks and script injection into the parent
     • Prevents cookie information leaking
     • Separates Apps from SharePoint sites, aka “app isolation”
     • The reason why AAMs don’t work with Apps
     • Use SSL, even on dev environments!
     • Should use wildcard certificates on a dedicated web application
     • The app domain should be in the Internet or Restricted sites security zone in Internet Explorer
     • Wildcard DNS should point to the load balancer
 14. The App URL - *.contosoapps.com
     • https://{appPrefix}-{UID}.{appdomain}/{appName}
     • In MT scenarios each tenant has their own {appPrefix}
     • {UID} comes from the subscription service
     • {appName} - the App name
       • https://app-73ff422090f6f4.mcmapps.com/SharePointApp2
 15. DEMO: REVIEW APP SETUP
 16. SharePoint Apps: AUTHENTICATION WITH OFFICE 365
 17. SharePoint OAuth & Office 365
 18. DEMO: OAUTH IN ACTION – OFFICE 365
 19. OAuth-authenticated request – Context Token
     <form id="frmRedirect" action="https://localhost:44301/Pages/Default.aspx?SPHostUrl=...;SPLanguage=en....." method="post">
       <input type="hidden" name="SPAppToken" value="eyJ0eXAiOiJKV…CnQ" />
       <input type="hidden" name="SPSiteUrl" value="https://onebitdev5.sharepoint.com" />
       <input type="hidden" name="SPSiteTitle" value="OneBit Software Ltd. Team Site" />
       <input type="hidden" name="SPSiteLogoUrl" value="" />
       <input type="hidden" name="SPSiteLanguage" value="en-US" />
       <input type="hidden" name="SPSiteCulture" value="en-US" />
       <input type="hidden" name="SPRedirectMessage" value="EndpointAuthorityMatches" />
       <input type="hidden" name="SPErrorCorrelationId" value="" />
       <input type="hidden" name="SPErrorInfo" value="" />
     </form>
 20. Decoded JWT token
     Header:
     {"typ":"JWT","alg":"HS256"}
     Payload (aud = Audience, iss = Issuer):
     {
       "aud":"ded48005-1c15-416e-a84b-9b1b0fb5a50e/localhost:44301@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
       "iss":"00000001-0000-0000-c000-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
       "nbf":"1360231739",
       "exp":"1360274939",
       "appctxsender":"00000003-0000-0ff1-ce00-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
       "appctx":"{\"CacheKey\":\"jE7itw4EgtsIxnejiJ20ldz4VUVQagnkh5A+tShdjTU=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
       "refreshtoken":"IAAAALi3Arn…",
       "isbrowserhostedapp":"true"
     }
 21. Context Token in POST (the access token travels in the Authorization header)
     POST https://onebitdev5.sharepoint.com/_vti_bin/client.svc/ProcessQuery HTTP/1.1
     Authorization: Bearer eyJ0eXAiOiJKV1QiLC…iKlpA
     Content-Type: text/xml
     Host: onebitdev5.sharepoint.com
     Content-Length: 615
     Expect: 100-continue
     Accept-Encoding: gzip, deflate

     <Request AddExpandoFieldTypeSuffix="true" SchemaV….
 22. OAuth 2.0 Request (form-encoded body sent to the ACS token endpoint)
     grant_type=refresh_token
     client_id=ded48005-1c15-416e-a84b-9b1b0fb5a50e%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
     client_secret=9hU432522%2fupFTP7ogz6pw7IgsbY8JpW1JFjgHCcegs%3d
     refresh_token=IAAAALi3…ifDZwbNk
     resource=00000003-0000-0ff1-ce00-000000000000%2fonebitdev5.sharepoint.com%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
 23. OAuth 2.0 Response
     {
       "token_type":"Bearer",
       "access_token":"eyJ0eXAiOiJKV1Q…phfQ",
       "expires_in":"43199",
       "not_before":"1360233350",
       "expires_on":"1360276550",
       "resource":"00000003-0000-0ff1-ce00-000000000000/onebitdev5.sharepoint.com@8822364f-0b55-48a9-88f8-1b1fcc2e5e89"
     }
 24. SharePoint Apps: OAUTH IN ACTION – ON-PREMISES
 25. Server-to-Server Trust
     • Trusted connection between app and SharePoint
       – Eliminates need for ACS when running apps in on-premises farm
       – Trust between servers configured using SSL certificates
       – App code requires access to private key of SSL certificate
       – Requires creating Security Token Service on SharePoint server(s)
     (Diagram: numbered S2S flow between the app, the SharePoint STS and the SSL certificate public/private key pair (.pfx).)
 26. Developing High-Trust Apps
     http://msdn.microsoft.com/en-us/library/fp179901.aspx
 27. Terminology
     • High-Trust
     • Low-Trust
     • Full-Trust
     • Partial-Trust
     • Server-2-Server Trust (S2S)… Different from STS
     • Sandbox Solutions
     • User Code Solutions
 28. Configuring Server-2-Server Trust for App Dev: DEMO
 29. App security concerns
     • A new attack vector, old attack principles
     • A provider hosted app can be “upgraded” by the provider. Do you trust your vendor?
     • Script injection and in-flight modification
     • SSL is important!
     • Many more…
 30. References
     • Explore the app manifest and the package of an app for SharePoint
       http://msdn.microsoft.com/en-us/library/fp179918.aspx
     • URL strings and tokens in apps for SharePoint
       http://msdn.microsoft.com/en-us/library/jj163816.aspx
     • OAuth authentication and authorization flow for cloud-hosted apps in SharePoint 2013
       http://msdn.microsoft.com/en-us/library/fp142382.aspx
     • How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic)
       http://msdn.microsoft.com/en-us/library/office/apps/fp179901.aspx
     • How to: Package and publish high-trust apps for SharePoint 2013
       http://msdn.microsoft.com/en-us/library/office/apps/jj860570.aspx
 31. Key takeaways
     • You should definitely look into SharePoint Apps!
     • Do your best to understand authentication now
     • Complex cloud scenarios will come
 32. Contact me
     • radi@sharepoint.bg
     • @RadiAtanassov
     • Facebook: Radi Atanassov
     • LinkedIn: http://au.linkedin.com/in/sharepointradi
     • www.onebitsoftware.net
     • Mobile: +359 878 823 339
 33. Questions?
     Please fill out the feedback stuff!
     E-mail me: radi@sharepoint.bg
 34. THANK YOU!
     Please fill out the feedback stuff!
     E-mail me: radi@sharepoint.bg
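The low-trust context-token flow on slides 19 to 23, as an added example that is not from the deck or from Microsoft's TokenHelper: the app verifies the SPAppToken JWT (HS256, keyed with the base64-decoded client secret, which is how ACS signs context tokens) and checks issuer, audience and validity window before trusting it, then builds the refresh_token grant for the ACS endpoint named in appctx. The client id, realm, secret, host and token claims are constructed demo values.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode
ACS_ID = "00000001-0000-0000-c000-000000000000"  # ACS, issuer of context tokens
SP_ID = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint principal (the resource)
CLIENT_ID = "ded48005-1c15-416e-a84b-9b1b0fb5a50e"  # constructed demo values: a real
REALM = "8822364f-0b55-48a9-88f8-1b1fcc2e5e89"      # app reads these from web.config
APP_HOST = "localhost:44301"
CLIENT_SECRET = base64.b64encode(b"constructed-demo-secret-not-real").decode()

def _b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _hs256(key_b64, data):  # ACS signs with the base64-decoded client secret
    return hmac.new(base64.b64decode(key_b64), data.encode(), hashlib.sha256).digest()

def make_demo_token():
    """Mint a context token shaped like slide 20 (constructed claims)."""
    appctx = {"CacheKey": "constructed", "SecurityTokenServiceUri":
              "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"}
    claims = {"aud": f"{CLIENT_ID}/{APP_HOST}@{REALM}", "iss": f"{ACS_ID}@{REALM}",
              "nbf": "1360231739", "exp": "1360274939",
              "appctxsender": f"{SP_ID}@{REALM}", "appctx": json.dumps(appctx),
              "refreshtoken": "constructed-refresh-token", "isbrowserhostedapp": "true"}
    head, body = _b64url(b'{"typ":"JWT","alg":"HS256"}'), _b64url(json.dumps(claims).encode())
    sig = _hs256(CLIENT_SECRET, f"{head}.{body}")
    return f"{head}.{body}.{_b64url(sig)}"

def validate_context_token(token, client_id, secret_b64, app_host, realm, now=None):
    """Check alg, signature, issuer, audience and validity window; return the claims."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a key switch
    if not hmac.compare_digest(_hs256(secret_b64, f"{head}.{body}"), _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != f"{ACS_ID}@{realm}":
        raise ValueError("bad issuer")
    if claims.get("aud") != f"{client_id}/{app_host}@{realm}":
        raise ValueError("bad audience")  # minted for another app or host
    now = time.time() if now is None else now
    if not int(claims["nbf"]) <= now < int(claims["exp"]):
        raise ValueError("outside validity window")
    return claims

def build_refresh_request(claims, client_id, secret_b64, realm, sp_host):
    """STS endpoint and form body for the refresh_token grant on slide 22."""
    sts = json.loads(claims["appctx"])["SecurityTokenServiceUri"]
    body = urlencode({"grant_type": "refresh_token", "client_id": f"{client_id}@{realm}",
                      "client_secret": secret_b64, "refresh_token": claims["refreshtoken"],
                      "resource": f"{SP_ID}/{sp_host}@{realm}"})
    return sts, body
```

The body returned by build_refresh_request is what the app POSTs to the STS URI; the access token in the response then goes into the Authorization: Bearer header of slide 21.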