Handling Cross-Domain calls & authentication in SharePoint 2013

1. Handling Cross-Domain calls & authentication in SharePoint 2013
   Stephane Eyskens

2. About me
   • SharePoint Server MVP since 2008
   • Blog: http://www.silver-it.com
   • @stephaneeyskens

3. Poll
   • Who has already developed Apps for customers?
   • Who has deployed an App to the Office Store?
   • Who has used CORS in a real-world project?

4. Take Away
   • CORS is your friend
   • SharePoint X-DOM Libraries do not make X-DOM calls
   • HTML5 is your friend too
   • Everything is a question of HTTP headers in the end

5. Cross-Domain Challenges?
   • Same-Origin Policy
   • Authentication across domains isn't easy

6. Same-Origin Policy reminder
   An origin is the combination of Protocol, Host and Port, e.g. http://intranet.contoso.com vs. http://collaboration.contoso.com:80

7. Same-Origin Policy Workaround #1: Using a Proxy
   PROS
   • Works with every browser
   CONS
   • One more hop
   • Must handle scaling
   • Not easy to authenticate against the target domain

8. Same-Origin Policy Workaround #2: JSONP
   PROS
   • None
   CONS
   • Is a browser hack
   • In theory limited to GET unless you hack it even more

9. Same-Origin Policy Workaround #3: Using a reverse proxy
   • Browser requests http://intranet/fakeurl/someservice/
   • Reverse proxy converts it to http://target/someservice/

10. Same-Origin Policy Workaround #3: Using a reverse proxy
   PROS
   • Works with every browser
   • Possibility to forward authentication credentials using SiteMinder
   • Transparent auth if SSO is available
   • No coding effort
   CONS
   • More of an on-prem solution
   • Enterprise reverse proxies are usually not available on dev boxes

11. Demos: Reverse Proxy on a Dev Box

12. Same-Origin Policy Workaround #4: IFRAMES
   PROS
   • Super easy
   • No more cross-domain
   • Authentication is handled by the browser
   CONS
   • IFRAMES are set to same-origin by SharePoint OOTB
   • IFRAMES are not a real integration

13. Demos: IFRAMES

14. IFRAME Recap
   • Remove X-Frame-Options or allow explicit origins via a reverse proxy or an HTTP Module
   • Use <WebPartPages:AllowFraming runat="server" />

15. Same-Origin Policy Workaround #5: HTML5 postMessage API

16. HTML5 postMessage API
   PROS
   • Fast as a rocket
   • Partially supported by all browsers
   • Authentication is handled by the browser
   CONS
   • IFRAMES are set to same-origin by SharePoint OOTB
   • Security risks involved
   • Hard to maintain

17. Demos: HTML5 postMessage API

18. HTML5 postMessage API Recap
   • Remove X-Frame-Options or allow explicit origins
   • In code, check the origin of the sender
   • SharePoint 2013 already makes use of this API in CustomActions & popup windows
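The "check the origin of the sender" point above, as an added example that is not part of the deck: a receiving-side handler that allow-lists origins and validates the payload before acting, plus a sending side that always names its target origin. The origins, the `command`/`args` message shape and the `makeMessageHandler`/`sendCommand` names are assumptions for this example.

```javascript
// Origins allowed to talk to this page (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  'https://intranet.contoso.com',
  'https://collaboration.contoso.com',
]);

// Returns a 'message' event handler that only acts on messages from an
// allow-listed origin whose payload has the expected shape, then replies
// to the verified sender only.
function makeMessageHandler(allowedOrigins, onCommand) {
  return function onMessage(event) {
    // 1. The browser sets event.origin; reject anything not explicitly allowed.
    if (!allowedOrigins.has(event.origin)) {
      return { accepted: false, reason: 'origin-not-allowed' };
    }
    // 2. Treat the payload as untrusted data: validate its structure, never eval it.
    const data = event.data;
    if (data === null || typeof data !== 'object' || typeof data.command !== 'string') {
      return { accepted: false, reason: 'bad-payload' };
    }
    const result = onCommand(data.command, data.args || {});
    // 3. Reply with an explicit target origin, never '*'.
    if (event.source && typeof event.source.postMessage === 'function') {
      event.source.postMessage({ reply: result }, event.origin);
    }
    return { accepted: true, result };
  };
}

// Sending side: name the target origin so the browser drops the message if
// the frame has meanwhile navigated to another site.
function sendCommand(targetWindow, targetOrigin, command, args) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post to any origin');
  }
  targetWindow.postMessage({ command, args }, targetOrigin);
}

// Browser wiring (skipped under Node, where this example can be unit-tested).
if (typeof window !== 'undefined') {
  window.addEventListener('message',
    makeMessageHandler(ALLOWED_ORIGINS, (cmd) => 'handled ' + cmd));
}
```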
19. Same-Origin Policy Workaround #6: SharePoint Cross-Domain Libraries
   PROS
   • OOTB
   CONS
   • Only usable in Apps
   • Only target SharePoint OOB endpoints in an authenticated manner; Provider-Hosted Apps cannot do both CSOM & JSOM at the same time
   • Non-OOTB endpoints must be registered in the AppManifest & are called anonymously

20. Demos: I'm going to get you confused now

21. Same-Origin Policy Workaround #7: CORS

22. Same-Origin Policy Workaround #8: CORS
   PROS
   • Granular control on the server
   • Possibility to forward authentication credentials
   • Emerging standard (recently enabled on Azure Storage)
   CONS
   • Requires IE 10+
   • Requires configuration effort on the server
   • Currently not possible to enable CORS on O365

23. Demo: Consume custom REST services hosted inside of SharePoint

24. CORS Config Recap
   • Add the necessary HTTP response headers
   • Use either a reverse proxy, a custom HTTP Module or a rewriter engine to deal with the headers
   • Use the Max-Age attribute to cache preflight requests
   • When using Access-Control-Allow-Credentials you can't use * as Allowed Origin
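The CORS recap above, as an added example that is not code from the deck or from SharePoint: the header-decision logic an HTTP Module or reverse proxy would apply, covering the simple request, the preflight with Max-Age, and the rule that credentials cannot be combined with a `*` origin. The policy values, the `corsHeaders`/`validatePolicy` names and the request shape (method plus lower-cased headers) are assumptions for this example.

```javascript
// Constructed policy for a custom REST service hosted in SharePoint that two
// known sites may call with credentials (cookies / Windows auth).
const POLICY = {
  allowedOrigins: ['https://intranet.contoso.com', 'https://collaboration.contoso.com'],
  allowCredentials: true,
  methods: ['GET', 'POST', 'OPTIONS'],
  headers: ['Content-Type', 'Accept', 'X-RequestDigest'],
  maxAgeSeconds: 600,
};

// A wildcard origin is invalid once credentials are allowed: browsers reject
// '*' together with Access-Control-Allow-Credentials, so refuse such a policy.
function validatePolicy(pol) {
  if (pol.allowCredentials && pol.allowedOrigins.includes('*')) {
    throw new Error("'*' cannot be combined with Access-Control-Allow-Credentials");
  }
  return true;
}

// Computes the CORS response headers for one request. Returns {} for
// same-origin requests and for origins not on the allow-list, so the browser
// blocks the cross-origin read by default.
function corsHeaders(req, pol) {
  validatePolicy(pol);
  const origin = req.headers['origin'];
  if (!origin) return {};
  const wildcard = pol.allowedOrigins.includes('*');
  if (!wildcard && !pol.allowedOrigins.includes(origin)) return {};
  const out = { 'Vary': 'Origin' };  // cache key must include the Origin header
  // Echo only an allow-listed origin; never reflect arbitrary origins.
  out['Access-Control-Allow-Origin'] = wildcard ? '*' : origin;
  if (pol.allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';
  const wanted = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wanted) {
    // Preflight: refuse methods outside the policy, otherwise describe the
    // allowed call and let the browser cache the answer for Max-Age seconds.
    if (!pol.methods.includes(wanted)) return {};
    out['Access-Control-Allow-Methods'] = pol.methods.join(', ');
    out['Access-Control-Allow-Headers'] = pol.headers.join(', ');
    out['Access-Control-Max-Age'] = String(pol.maxAgeSeconds);
  }
  return out;
}
```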
25. CORS in a Hybrid Architecture

26. DEMO

27. How to consume Claims-Aware WCF services hosted outside of SharePoint?
   • Make the WCF service Claims-Aware, create a cert, add it to the WCF bindings, export it
   • Trust the cert in SharePoint
   • Use the SharePoint API (SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser)
   • Not working with Cross-Domain Libs
   • Not working with CORS (oops)
   • Need to implement a custom proxy

28. Alternative to CORS: Create your own REST endpoints
   PROS
   • Accessible from Apps
   • Can be used together with SharePoint Cross-Domain Libraries
   • Well integrated with SharePoint
   CONS
   • On-prem only
   • Hard

29. OOTB REST endpoints (Foundation / Server)
   _api/web, _api/site, _api/lists, _api/navigation, _api/events, _api/contextinfo, _api/search, _api/SP.UserProfiles.PeopleManager, _api/social.feed, _api/social.following, _api/publishing, …
   • http://office.microsoft.com/en-us/store/rest-api-demo-WA104068939.aspx
   • http://sprest.architectingconnectedsystems.com/

30. Demo: Develop custom REST endpoints

31. Summary
   • Cross-Domain Libraries are not the only option
   • All the other options work with and without Apps
   • With Apps, some approaches bypass the App Security Model
   • Extending REST endpoints is hard but facilitates the authentication aspects

32. THANK YOU
   Stephane Eyskens
   stephaneey@hotmail.com
   http://www.silver-it.com/
   @stephaneeyskens