  • We have an issue with multiple authentication prompts for each app on the given page. Why not reuse the same claims of the current user?
  • Nice balanced post. Great overview
  • Nice. Here is the post explaining SharePoint 2013 app permissions:

    http://sureshpydi.blogspot.in/2013/03/share-point-2013-app-permissions.html

Transcript

  • 1. Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
    Radi Atanassov, SharePoint MCM & MVP, OneBit Software Ltd.
  • 2. Who’s this guy?
    • Radi Atanassov
    • SharePoint 2010 MCM
    • SharePoint Server MVP
    • OneBit Software Ltd.
    • Web Platform User Group
    • @RadiAtanassov
  • 3. This talk is about…
    • How “apps” work
    • The App infrastructure
    • App authentication
    • Connectivity
  • 4. SharePoint’s extensibility history
    • 2001…
    • 2003… CAML?!?
    • 2007 – The SharePoint OM & UI enhanced…
      – Greater complexity & greater flaws
      – But still a strong “platform” we all love
    • 2010 – Service Applications, Ribbon, Sandbox
    • 2013 – Apps & the marketplace, On-Premise Apps
  • 5. Why is the App Model important to us?
    • Cost to the business
      – We don’t want SP projects to be expensive
      – We want more value for the same budget
    • SharePoint cannot be “fixed”
      – Cannot replace the DB schema
      – Cannot rewrite the OM
    • Microsoft’s preferred approach moving forward
      – We’ve been doing it for years
    • Office now releases every 3 months
  • 6. What is an “App” anyway?
    • The new word for iFrame
    • Another way of providing functionality, but keeping custom code outside of SharePoint
    • Functionality you can buy from a marketplace
    • A huge marketing stunt to drive adoption
    • The infrastructure, plumbing, authentication model & framework to do things we did for a while
  • 7. Why is authentication important to us?
    • So we don’t look like we don’t know what we are doing!
    • We are moving to the CLOUD…
    • We need to integrate with Exchange 2013, Lync 2013 and custom Apps
    • We need to understand & design hybrid deployments
    • You can’t have “Apps” without authentication
    • It matters when you do on-premises or hybrid Apps
  • 8. SharePoint Apps: APPTECTURE
  • 9. Recap - App Hosting Models
    • Provider-hosted app: SharePoint Host Web + your hosted site
      – Provide your own hosting environment
    • Autohosted app: SharePoint Host Web + Windows Azure + SQL Azure
      – Azure provisioned automatically as apps are installed
    • Cloud-hosted apps (the two models above)
      – Use server code
      – Receive SP events
      – Use OAuth to access SP
    • SharePoint-hosted app: SharePoint Host Web + SharePoint App Web
      – Provisions an isolated sub web on a host web
      – Use SP artifacts & out-of-box web parts
      – Use HTML & JavaScript for UI & client-side logic
      – Use Workflows for middle tier logic
  • 10. Recap - App Shapes
    • Full page – Implement complete app experiences to satisfy business scenarios
    • App Parts – Create app parts that can interact with the SharePoint experience
    • UI command extensions – Add new commands to the ribbon and item menus
  • 11. Recap - App Package
    [Diagram: a .app package (OPC) containing Host Web artifacts, an App Web WSP and Azure components]
    Slide courtesy of Mike Morton
  • 12. App Manifest
    <?xml version="1.0" encoding="utf-8" ?>
    <!--Created:cb85b80c-f585-40ff-8bfc-12ff4d0e34a9-->
    <App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
         Name="SharePointApp1"
         ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}"
         Version="1.0.0.0"
         SharePointMinVersion="15.0.0.0">
      <Properties>
        <Title>SharePointApp1</Title>
        <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
        <SupportedLocales>
          <SupportedLocale CultureName="en" />
          <SupportedLocale CultureName="en-AU" />
          <SupportedLocale CultureName="bg" />
        </SupportedLocales>
      </Properties>
      <AppPrincipal>
        <RemoteWebApplication ClientId="*" />
      </AppPrincipal>
      <AppPermissionRequests>
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
        <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
      </AppPermissionRequests>
      <AppPrerequisites>
        <AppPrerequisite Type="Capability" ID="A83C8D70-71DE-4260-9FB8-677418EB47F2" />
      </AppPrerequisites>
    </App>
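As an added example (not code from the talk or its sample app), a small review script that parses an AppManifest.xml like the one on slide 12 and reports what the app asks for: it lists every AppPermissionRequest, flags tenant- or site-collection-wide scopes, flags rights above a chosen ceiling, and flags AllowAppOnlyPolicy. The embedded manifest is constructed from the slide; the Read/Write/Manage/FullControl ranking and the AllowAppOnlyPolicy attribute are standard manifest values assumed here, not something shown on the slide.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
RIGHT_RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}  # increasing power
BROAD_SCOPES = ("/tenant", "/sitecollection")  # scopes wider than one web or list

# Constructed sample modelled on the AppManifest.xml on slide 12 (not the project's own file).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest" Name="SharePointApp1"
     ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}" Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>SharePointApp1</Title>
    <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal><RemoteWebApplication ClientId="*" /></AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  </AppPermissionRequests>
</App>"""

def audit_manifest(xml_text, max_right="Write"):
    """Return the app name, principal type, every permission request and review warnings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    principal = root.find("m:AppPrincipal/*", NS)
    report = {"name": root.get("Name"),
              "principal": principal.tag.split("}")[1] if principal is not None else None,
              "permissions": [], "warnings": []}
    for req in root.findall("m:AppPermissionRequests/m:AppPermissionRequest", NS):
        scope, right = req.get("Scope"), req.get("Right")
        report["permissions"].append((scope, right))
        if scope.endswith(BROAD_SCOPES):
            report["warnings"].append(f"{right} on {scope}: broad scope, not limited to one web or list")
        if RIGHT_RANK.get(right, 99) > RIGHT_RANK[max_right]:  # unknown rights are treated as too high
            report["warnings"].append(f"{right} on {scope}: exceeds the {max_right} ceiling")
    reqs = root.find("m:AppPermissionRequests", NS)
    if reqs is not None and reqs.get("AllowAppOnlyPolicy", "false").lower() == "true":
        report["warnings"].append("AllowAppOnlyPolicy=true: the app can call SharePoint with no user")
    return report
```

Run it against the manifest from a vendor's .app package before approving the install so the permission prompt holds no surprises.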
  • 13. The App Domain - *.contosoapps.com
    • You should use a unique domain name, not a subdomain
    • Only one in the farm!
    • Prevents XSS attacks and script injection into the parent
    • Prevents cookie information leaking
    • Separates Apps from SharePoint sites, aka “app isolation”
    • The reason why AAMs don’t work with Apps
    • Use SSL, even on dev environments!
    • Should use wildcard certificates on a dedicated web application
    • The app domain should be in the Internet or Restricted sites security zone in Internet Explorer
    • Wildcard DNS should point to the load balancer
  • 14. The App URL - *.contosoapps.com
    • https://{appPrefix}-{UID}.{appdomain}/{appName}
    • In MT (multi-tenant) scenarios each tenant has their own {appPrefix}
    • {UID} comes from the subscription service
    • {appName} - the App name
    • Example: https://app-73ff422090f6f4.mcmapps.com/SharePointApp2
  • 15. DEMO: Review App Setup
  • 16. SharePoint Apps: AUTHENTICATION WITH OFFICE 365
  • 17. SharePoint OAuth & Office 365
  • 18. DEMO: OAuth in Action – Office 365
  • 19. OAuth-authenticated request – Context Token
    <form id="frmRedirect" action="https://localhost:44301/Pages/Default.aspx?SPHostUrl=...;SPLanguage=en....." method="post">
      <input type="hidden" name="SPAppToken" value="eyJ0eXAiOiJKV…CnQ" />
      <input type="hidden" name="SPSiteUrl" value="https://onebitdev5.sharepoint.com" />
      <input type="hidden" name="SPSiteTitle" value="OneBit Software Ltd. Team Site" />
      <input type="hidden" name="SPSiteLogoUrl" value="" />
      <input type="hidden" name="SPSiteLanguage" value="en-US" />
      <input type="hidden" name="SPSiteCulture" value="en-US" />
      <input type="hidden" name="SPRedirectMessage" value="EndpointAuthorityMatches" />
      <input type="hidden" name="SPErrorCorrelationId" value="" />
      <input type="hidden" name="SPErrorInfo" value="" />
    </form>
  • 20. Decoded JWT token
    Header:
    {"typ":"JWT","alg":"HS256"}
    Payload (the slide’s callouts label "aud" as Audience and "iss" as Issuer):
    {"aud":"ded48005-1c15-416e-a84b-9b1b0fb5a50e/localhost:44301@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
     "iss":"00000001-0000-0000-c000-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
     "nbf":"1360231739",
     "exp":"1360274939",
     "appctxsender":"00000003-0000-0ff1-ce00-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
     "appctx":"{\"CacheKey\":\"jE7itw4EgtsIxnejiJ20ldz4VUVQagnkh5A+tShdjTU=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
     "refreshtoken":"IAAAALi3Arn…",
     "isbrowserhostedapp":"true"}
  • 21. Context Token in POST
    POST https://onebitdev5.sharepoint.com/_vti_bin/client.svc/ProcessQuery HTTP/1.1
    Authorization: Bearer eyJ0eXAiOiJKV1QiLC…iKlpA      (callout on the slide: Access Token inside)
    Content-Type: text/xml
    Host: onebitdev5.sharepoint.com
    Content-Length: 615
    Expect: 100-continue
    Accept-Encoding: gzip, deflate

    <Request AddExpandoFieldTypeSuffix="true" SchemaV….
  • 22. OAuth 2.0 Request
    grant_type=refresh_token
    client_id=ded48005-1c15-416e-a84b-9b1b0fb5a50e%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
    client_secret=9hU432522%2fupFTP7ogz6pw7IgsbY8JpW1JFjgHCcegs%3d
    refresh_token=IAAAALi3…ifDZwbNk
    resource=00000003-0000-0ff1-ce00-000000000000%2fonebitdev5.sharepoint.com%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
  • 23. OAuth 2.0 Response
    {"token_type":"Bearer",
     "access_token":"eyJ0eXAiOiJKV1Q…phfQ",
     "expires_in":"43199",
     "not_before":"1360233350",
     "expires_on":"1360276550",
     "resource":"00000003-0000-0ff1-ce00-000000000000/onebitdev5.sharepoint.com@8822364f-0b55-48a9-88f8-1b1fcc2e5e89"}
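Added example, not code from the talk or its demo app: what the provider-hosted app should check on the SPAppToken from slides 19 and 20 before trusting anything in it (signature, issuer, audience, nbf/exp window), and how it then assembles the ACS refresh_token request of slide 22 from the verified claims. Assumptions: the low-trust ACS flow, where the context token is HS256-signed with the base64-decoded client secret; the client id, realm and timestamps come from slide 20, while the secret and refresh token in demo() are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

SP_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint principal (appctxsender, resource)
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"  # ACS, the issuer of context tokens

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(head_b64, body_b64, client_secret):
    key = base64.b64decode(client_secret)  # the client secret is issued as a base64 string
    return hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()

def validate_context_token(token, client_id, client_secret, app_host, now=None):
    """Verify signature, issuer, audience and validity window of an SPAppToken."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    if not hmac.compare_digest(sign_hs256(head_b64, body_b64, client_secret), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if not claims["iss"].startswith(ACS_PRINCIPAL + "@"):
        raise ValueError("unexpected issuer")
    realm = claims["iss"].split("@", 1)[1]
    if claims["aud"] != f"{client_id}/{app_host}@{realm}":  # token minted for another app or host
        raise ValueError("token not issued for this app")
    now = time.time() if now is None else now
    if not int(claims["nbf"]) <= now < int(claims["exp"]):
        raise ValueError("token outside nbf/exp window")
    return claims, realm

def build_refresh_request(claims, realm, client_id, client_secret, sp_host):
    """Body of the ACS refresh_token grant (slide 22) and the STS endpoint to post it to."""
    appctx = json.loads(claims["appctx"])  # appctx is a JSON string nested inside the JSON
    body = urlencode({"grant_type": "refresh_token", "client_id": f"{client_id}@{realm}",
                      "client_secret": client_secret, "refresh_token": claims["refreshtoken"],
                      "resource": f"{SP_PRINCIPAL}/{sp_host}@{realm}"})
    return appctx["SecurityTokenServiceUri"], body

def demo(now=1360232000):
    """Constructed end-to-end run with a fake secret; in real life ACS mints the token, not the app."""
    client_id, realm = "ded48005-1c15-416e-a84b-9b1b0fb5a50e", "8822364f-0b55-48a9-88f8-1b1fcc2e5e89"
    secret = base64.b64encode(b"constructed-demo-secret-32-bytes").decode()  # placeholder, not real
    claims = {"aud": f"{client_id}/localhost:44301@{realm}", "iss": f"{ACS_PRINCIPAL}@{realm}",
              "nbf": "1360231739", "exp": "1360274939", "refreshtoken": "IAAAALi3-demo",
              "appctx": json.dumps({"CacheKey": "demo", "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"})}
    h, b = b64url_encode(b'{"typ":"JWT","alg":"HS256"}'), b64url_encode(json.dumps(claims).encode())
    token = f"{h}.{b}.{b64url_encode(sign_hs256(h, b, secret))}"
    verified, realm_out = validate_context_token(token, client_id, secret, "localhost:44301", now)
    return verified["refreshtoken"], build_refresh_request(verified, realm_out, client_id, secret, "onebitdev5.sharepoint.com")
```

The returned STS URI and form body are what the app POSTs to ACS to obtain the slide 23 response; the expires_on in that response is the next value to check before using the access token.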
  • 24. SharePoint Apps: OAUTH IN ACTION – ON-PREMISES
  • 25. Server-to-Server Trust
    • Trusted connection between app and SharePoint
      – Eliminates need for ACS when running apps in on-premises farm
      – Trust between servers configured using SSL certificates
      – App code requires access to private key of SSL certificate
      – Requires creating Security Token Service on SharePoint server(s)
    [Diagram: numbered exchange (1–4) between the app, the S2S STS and SharePoint, based on an SSL certificate public/private key pair (.pfx)]
  • 26. Developing High-Trust Apps: http://msdn.microsoft.com/en-us/library/fp179901.aspx
  • 27. Terminology
    • High-Trust
    • Low-Trust
    • Full-Trust
    • Partial-Trust
    • Server-2-Server Trust (S2S)…. Different from STS
    • Sandbox Solutions
    • User Code Solutions
  • 28. DEMO: Configuring Server-2-Server Trust for App Dev
  • 29. App security concerns
    • A new attack vector, old attack principles
    • A provider hosted app can be “upgraded” by the provider. Do you trust your vendor?
    • Script injection and in-flight modification
    • SSL is important!
    • Many more…
  • 30. References
    • Explore the app manifest and the package of an app for SharePoint: http://msdn.microsoft.com/en-us/library/fp179918.aspx
    • URL strings and tokens in apps for SharePoint: http://msdn.microsoft.com/en-us/library/jj163816.aspx
    • OAuth authentication and authorization flow for cloud-hosted apps in SharePoint 2013: http://msdn.microsoft.com/en-us/library/fp142382.aspx
    • How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic): http://msdn.microsoft.com/en-us/library/office/apps/fp179901.aspx
    • How to: Package and publish high-trust apps for SharePoint 2013: http://msdn.microsoft.com/en-us/library/office/apps/jj860570.aspx
  • 31. Key takeaways
    • You should definitely look into SharePoint Apps!
    • Do your best to understand authentication now
    • Complex cloud scenarios will come
  • 32. Contact me
    • radi@sharepoint.bg
    • @RadiAtanassov
    • Facebook: Radi Atanassov
    • LinkedIn: http://au.linkedin.com/in/sharepointradi
    • www.onebitsoftware.net
    • Mobile: +359 878 823 339
  • 33. Questions? Please fill out the feedback stuff! E-mail me: radi@sharepoint.bg
  • 34. THANK YOU! Please fill out the feedback stuff! E-mail me: radi@sharepoint.bg