Handling Cross-Domain calls & authentication in SharePoint 2013

Twitter hashtag: #spsbe for all sessions

    1. Handling Cross-Domain calls & authentication in SharePoint 2013 (Stephane Eyskens)
    2. About me
       • SharePoint Server MVP since 2008
       • Blog: http://www.silver-it.com
       • @stephaneeyskens
    3. Poll
       • Who has already developed Apps for Customers?
       • Who has deployed an App to the Office Store?
       • Who has used CORS in a real-world project?
    4. Take Away
       • CORS is your friend
       • SharePoint X-DOM Libraries do not make X-DOM calls
       • HTML5 is your friend too
       • Everything is a question of HTTP Headers in the end
    5. Cross-Domain Challenges?
       • Same-Origin Policy
       • Authentication across domains isn't easy
    6. Same-origin Policy reminder
       • Example URLs: http://intranet.contoso.com and http://collaboration.contoso.com:80/
       • An origin is the triple Protocol / HOST / Port
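The reminder slide boils down to one comparison. The following is an added example, not code from the deck or from SharePoint: it reproduces the origin check the browser performs (scheme, host and port only; path, query and fragment are ignored) using the WHATWG URL parser shipped with Node.js and browsers. The contoso URLs are constructed sample input.

```javascript
// Added example, not part of the original deck: the origin comparison behind the
// same-origin policy. Only scheme, host and port count.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is "" when the URL uses the scheme's default port, so
  // http://host and http://host:80 normalise to the same triple.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Constructed URL pairs in the spirit of the reminder slide; the third field is
// the expected verdict.
const SAMPLE_PAIRS = [
  ["http://intranet.contoso.com/sites/hr", "http://intranet.contoso.com:80/_api/web", true],
  ["http://intranet.contoso.com", "http://collaboration.contoso.com", false],
  ["http://intranet.contoso.com", "https://intranet.contoso.com", false],
  ["http://intranet.contoso.com", "http://intranet.contoso.com:8080", false],
];

// Returns how many pairs got the expected verdict (4 for the sample set).
function checkSamplePairs(pairs) {
  let ok = 0;
  for (const [a, b, expected] of pairs) {
    const verdict = sameOrigin(a, b);
    console.log(`${a} vs ${b}: ${verdict ? "same origin" : "cross-origin"}`);
    if (verdict === expected) ok += 1;
  }
  return ok;
}

checkSamplePairs(SAMPLE_PAIRS);
```

The first pair is the one that trips people up in SharePoint land: an explicit `:80` and a different path under the same host are still the same origin, while a sub-domain such as collaboration.contoso.com is not, which is exactly why every workaround in the rest of the deck exists.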
    7. Same-Origin Policy Workaround #1: Using a Proxy
       PROS
       • Works with every browser
       CONS
       • One more hop
       • Must handle scaling
       • Not easy to authenticate against target domain
    8. Same-Origin Policy Workaround #2: JSONP
       PROS
       • None
       CONS
       • Is a browser hack
       • In theory limited to GET unless you hack it even more
    9. Same-Origin Policy Workaround #3: Using a reverse proxy
       • Browser requests http://intranet/fakeurl/someservice/
       • Reverse-Proxy converts to http://target/someservice/
    10. Same-Origin Policy Workaround #3: Using a reverse proxy
       PROS
       • Works with every browser
       • Possibility to forward authentication credentials using SiteMinder
       • Transparent auth if SSO is available
       • No coding effort
       CONS
       • More an on-prem solution
       • Enterprise RP usually not available on dev boxes
    11. Demos: Reverse Proxy on a Dev Box
    12. Same-Origin Policy Workaround #4: IFRAMES
       PROS
       • Super easy
       • No more cross domain
       • Authentication is handled by the browser
       CONS
       • IFRAMES are set to same-origin by SP OOTB
       • IFRAMES are not a real integration
    13. Demos: IFRAMES
    14. IFRAME Recap
       • Remove X-Frame-Options or allow explicit origins via Reverse Proxy or HTTP Module
       • Use <WebPartPages:AllowFraming runat="server" />
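The recap offers two options: drop X-Frame-Options altogether, or allow explicit origins from a reverse proxy or HTTP module. The second keeps clickjacking protection, and the following added example (not code from the deck or from SharePoint) shows the decision such a module would make per request. The allowlist is constructed; the request is assumed to arrive with Node-style lower-cased header names. It also emits a `Content-Security-Policy: frame-ancestors` header, which the deck does not mention but which is the directive browsers that never implemented `ALLOW-FROM` honour.

```javascript
// Added example, not part of the original deck: choosing framing headers for a
// SharePoint page behind a custom HTTP module or reverse proxy. SharePoint emits
// X-Frame-Options: SAMEORIGIN by default; rather than stripping it, framing stays
// closed and is opened only for explicitly named origins.
const FRAMING_ALLOWLIST = new Set([
  "https://apps.contoso.com",     // constructed
  "https://intranet.contoso.com", // constructed
]);

// The request for a framed document carries the framing page's URL in Referer
// (Origin is not sent on GET navigations). Referer is only a hint that selects
// which single origin ALLOW-FROM names; the browser still enforces that the real
// top-level page matches it, so a wrong or missing Referer only costs the frame.
function framingOriginFrom(requestHeaders) {
  const ref = requestHeaders["referer"];
  if (!ref) return null;
  try {
    return new URL(ref).origin;
  } catch (e) {
    return null; // unparsable Referer: treat as unknown
  }
}

// Returns the response headers to set. X-Frame-Options ALLOW-FROM accepts exactly
// one origin, so it is chosen per request; frame-ancestors lists the whole
// allowlist at once for browsers that ignore ALLOW-FROM.
function framingHeadersFor(requestHeaders) {
  const origin = framingOriginFrom(requestHeaders);
  const allowed = origin !== null && FRAMING_ALLOWLIST.has(origin);
  return {
    "X-Frame-Options": allowed ? `ALLOW-FROM ${origin}` : "SAMEORIGIN",
    "Content-Security-Policy":
      `frame-ancestors 'self' ${[...FRAMING_ALLOWLIST].join(" ")}`,
  };
}

// Constructed requests: one from an allowlisted host page, one from elsewhere.
console.log(framingHeadersFor({ referer: "https://apps.contoso.com/pages/host.aspx" }));
console.log(framingHeadersFor({ referer: "https://unknown.example/page" }));
```

Note that `<WebPartPages:AllowFraming runat="server" />` from the recap is the in-page way to suppress SharePoint's own SAMEORIGIN header; the module above is what you would put in front of that page when you still want a restriction, just a wider one.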
    15. Same-Origin Policy Workaround #5: HTML5 PostMessage API
    16. HTML5 PostMessage API
       PROS
       • Fast as a rocket
       • Partially supported by all the browsers
       • Authentication is handled by the browser
       CONS
       • IFRAMES are set to same-origin by SP OOTB
       • Security risks involved
       • Hard to maintain
    17. Demos: HTML5 PostMessage API
    18. HTML5 PostMessage API Recap
       • Remove X-Frame-Options or allow explicit origins
       • In code, check the origin of the sender
       • SharePoint 2013 already makes use of this API in CustomActions & Popup windows
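"Check the origin of the sender" is the line that separates a safe postMessage integration from the "security risks involved" on the previous slide. The following added example (not code from the deck or from SharePoint) shows both halves of the exchange, the receiver's origin check and the sender's explicit `targetOrigin`, written as plain functions with a constructed stand-in for a browser window so the logic runs under Node.js. The trusted origin and message shapes are constructed.

```javascript
// Added example, not part of the original deck: origin checks on both ends of a
// postMessage exchange between a SharePoint host page and a framed app page.
const TRUSTED_SENDERS = new Set(["https://intranet.contoso.com"]); // constructed

// Receiver side: what window.addEventListener("message", handler) would call.
// Returns the validated message, or null when the event must be ignored.
function acceptMessage(event) {
  // Check who sent it before looking at the payload; event.origin is set by the
  // browser and cannot be forged by the sending script.
  if (!TRUSTED_SENDERS.has(event.origin)) return null;
  // Even from a trusted origin the payload is input: parse defensively and
  // require a known shape instead of eval-ing or innerHTML-ing it.
  let msg = event.data;
  if (typeof msg === "string") {
    try {
      msg = JSON.parse(msg);
    } catch (e) {
      return null;
    }
  }
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") return null;
  return msg;
}

// Sender side: name the recipient's origin instead of "*", so the browser drops
// the message if the target window has meanwhile navigated to another site.
function sendTo(targetWindow, targetOrigin, message) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post with wildcard targetOrigin");
  }
  targetWindow.postMessage(JSON.stringify(message), targetOrigin);
}

// Replying reuses event.origin as the target: the one origin we know the sender has.
function replyTo(event, message) {
  sendTo(event.source, event.origin, message);
}

// Constructed stand-in for a browser window so the example runs under Node.js.
function fakeWindow() {
  const sent = [];
  return { sent, postMessage: (data, origin) => sent.push({ data, origin }) };
}

// One exchange: the host asks the app frame for its status and gets one reply;
// the same request from an untrusted origin is dropped without a reply.
function demoExchange() {
  const host = fakeWindow();
  const request = {
    origin: "https://intranet.contoso.com",
    source: host,
    data: JSON.stringify({ type: "getStatus" }),
  };
  const msg = acceptMessage(request);
  if (msg) replyTo(request, { type: "status", ok: true });
  const spoofed = acceptMessage({
    origin: "https://unknown.example",
    source: host,
    data: JSON.stringify({ type: "getStatus" }),
  });
  return { replies: host.sent.length, spoofedAccepted: spoofed !== null };
}

console.log(demoExchange());
```

In a real page `event.source` is the sending `Window` and `sendTo` is called with the iframe's `contentWindow` or with `window.parent`; everything else is the same.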
    19. Same-Origin Policy Workaround #6: SharePoint Cross-Domain Libraries
       PROS
       • OOTB
       CONS
       • Only usable in Apps
       • Only targeting SharePoint OOB endpoints in an authenticated manner; Provider-Hosted Apps cannot do both CSOM & JSOM at the same time
       • Non-OOTB endpoints must be registered in AppManifest & are called anonymously
    20. Demos: I'm going to get you confused now
    21. Same-Origin Policy Workaround #7: CORS
    22. Same-Origin Policy Workaround #7: CORS
       PROS
       • Granular control on the server
       • Possibility to forward authentication credentials
       • Emerging standard (recently enabled on Azure Storage)
       CONS
       • Requires IE 10+
       • Requires configuration efforts on the server
       • Currently, not possible to enable CORS on O365
    23. Demo: Consume custom REST services hosted inside of SharePoint
    24. CORS Config Recap
       • Add the necessary HTTP Response Headers
       • Use either a Reverse Proxy, a custom HTTP Module or a rewriter engine to deal with the headers
       • Use the Max-Age attribute to cache preflight requests
       • When using Access-Control-Allow-Credentials you can't use * as Allowed Origin
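The recap lists the headers without showing the logic that decides them. The following added example (not code from the deck or from SharePoint) is that logic as an HTTP module, reverse proxy or rewrite rule in front of SharePoint-hosted REST services would apply it: echo only allowlisted origins, answer preflights with `Max-Age`, and never pair `Allow-Credentials` with `*`. It is written as a pure function over the request so it runs without a web server; the origins, methods, header names and request shape (Node-style lower-cased header keys) are constructed for the example. A small policy lint at the end puts the weak configuration beside the corrected one.

```javascript
// Added example, not part of the original deck: CORS header selection for a
// SharePoint-hosted REST service, plus a lint for the misconfiguration the
// recap warns about.
const CORS_ORIGINS = new Set(["https://apps.contoso.com", "https://intranet.contoso.com"]); // constructed
const CORS_METHODS = ["GET", "POST", "OPTIONS"];
// X-RequestDigest carries SharePoint's form digest on writes and is not a
// CORS-safelisted header, so it must be declared or the preflight fails.
const CORS_HEADERS = ["Content-Type", "Accept", "X-RequestDigest"];
const PREFLIGHT_MAX_AGE_SECONDS = 600;

function corsHeadersFor(req) {
  const origin = req.headers["origin"];
  // No Origin header: not a cross-origin browser request, nothing to add.
  // Unknown origin: add nothing, so the browser blocks the response.
  if (!origin || !CORS_ORIGINS.has(origin)) return {};

  const out = {
    // Echo the specific origin. Browsers reject a credentialed response whose
    // Allow-Origin is "*", which is why the recap says the two cannot be combined.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Tell shared caches that the response differs per origin.
    "Vary": "Origin",
  };

  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (isPreflight) {
    if (!CORS_METHODS.includes(req.headers["access-control-request-method"])) return {};
    out["Access-Control-Allow-Methods"] = CORS_METHODS.join(", ");
    out["Access-Control-Allow-Headers"] = CORS_HEADERS.join(", ");
    // Max-Age lets the browser cache this preflight verdict instead of repeating it.
    out["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE_SECONDS);
  }
  return out;
}

// Policy lint over a configured header set.
function corsMisconfigurations(headers) {
  const problems = [];
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (creds && allowOrigin === "*") {
    problems.push("Allow-Credentials with wildcard origin: browsers reject it, and " +
      "'fixing' it by reflecting any Origin would hand authenticated data to every site");
  }
  if (allowOrigin && allowOrigin !== "*" && !headers["Vary"]) {
    problems.push("per-origin Allow-Origin without Vary: Origin may be cached for the wrong origin");
  }
  return problems;
}

// Constructed weak configuration beside the corrected one.
const WEAK_CORS = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" };
const FIXED_CORS = corsHeadersFor({ method: "GET", headers: { origin: "https://apps.contoso.com" } });

console.log(corsMisconfigurations(WEAK_CORS));
console.log(corsMisconfigurations(FIXED_CORS));
```

The `return {}` branches are deliberate: omitting the headers is how a server says no in CORS, and it is safer than answering with an error body that might itself leak information to the calling page.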
    25. CORS in a Hybrid Architecture
    26. DEMO
    27. How to consume Claims Aware WCF Services hosted outside of SharePoint?
       • Make the WCF Claims Aware, create a cert, add it to the WCF bindings, export it
       • Trust the cert in SP
       • Use the SharePoint API (SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser)
       • Not working with Cross-Domain Libs
       • Not working with CORS (oops)
       • Need to implement a custom proxy
    28. Alternative to CORS: Create your own REST endpoints
       PROS
       • Accessible from Apps
       • Can be used together with SP Cross-Domain libraries
       • Well integrated with SP
       CONS
       • OnPrem only
       • Hard
    29. OOTB REST endpoints (Foundation / Server)
       _api/web, _api/site, _api/lists, _api/navigation, _api/events, _api/contextinfo, _api/search, _api/SP.UserProfiles.PeopleManager, _api/social.feed, _api/social.following, _api/publishing ….
       • http://office.microsoft.com/en-us/store/rest-api-demo-WA104068939.aspx
       • http://sprest.architectingconnectedsystems.com/
    30. Demo: Develop custom REST endpoints
    31. Summary
       • Cross Domain Libraries are not the only option
       • All the other options work with and without Apps
       • With Apps, some approaches « bypass » the App Security Model
       • Extending REST endpoints is hard but facilitates authentication aspects
    32. THANK YOU: Stephane Eyskens, stephaneey@hotmail.com, http://www.silver-it.com/, @stephaneeyskens
