Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon


Published on

Technical Class:

  • I have 2 questions if u please: 1- Why It's allowed to make a call targeting the host web from the app web using CSOM or REST API (AppContextSite) despite the call is crossing domains(Domain of App Web != Domain of Host Web). 2-Does the REST calls from App Web carrying implicitly the SAML Token of the current logging user in its authorization header?
    Are you sure you want to  Yes  No
    Your message goes here
  • The following flow chart should help for the decision if you should use an App or something else:
    Are you sure you want to  Yes  No
    Your message goes here

Building Apps for SharePoint 2013 by Andrew Connell - SPTechCon

  1. 1. Building Apps for SharePoint 2013 Andrew Connell MVP, SharePoint @AndrewConnell
  2. 2. Andrew Connell @andrewconnell
  3. 3. Agenda SharePoint App Model App Model Shapes App Identity Authentication Authorization  @AndrewConnell
  4. 4. SharePoint 2013 Deployment Options On-Premises • Installed 100% on company servers (aka: on-prem • Access to 100% of SharePoint’s features & / behind capabilities firewall) Hosted (aka: Office • Installed 100% and managed in the cloud • Most common context: Office 365 / 365 / SharePoint Online SharePoint • Some features not available in the cloud Online) @AndrewConnell
  5. 5. Overview of the SharePoint App Model SharePoint app model based on these assumptions Apps supported in Office 365 and in on-premises farms App code never runs in SharePoint host environment Apps talk to SharePoint using Web service entry points App code is authenticated and has established identity App has permissions independent of user permissions Apps deployed to catalogs using a publishing scheme Published apps are easier to find, install and @AndrewConnell
  6. 6. App Installation Scopes Site-Scoped Installation  App is installed in a specific site  App is launched from same site  This site is known as host web Tenancy-Scoped Installation  App installed > app catalog site  App available many host webs  Host webs access one app instance  Centralizes app @AndrewConnell
  7. 7. SharePoint App Architecture SharePoint-Hosted Apps  App resources added to SharePoint host  Stored in child site known as app web  App can have client-side code  App cannot have server-side code Cloud-Hosted Apps  App resources deployed on remote server  Remote site known as remote web  App can have client-side code  App can have server-side @AndrewConnell
  8. 8. Creating SharePoint Hosted & Cloud-Hosted @AndrewConnell
  9. 9. App Web App web is created during app installation App web created as child to site where app is installed SharePoint-Hosted apps must create app web App must add start page and related resources App can add other SharePoint elements (e.g. lists) Cloud-Hosted apps can create app web Most cloud-hosted apps will not create an app web Cloud-hosted app can create app web if @AndrewConnell
  10. 10. Inspecting the @AndrewConnell
  11. 11. App Shapes What SharePoint Tells you… SharePoint-Hosted Apps Cloud-Hosted Apps What Visual Studio Forces You to Select… SharePoint-Hosted App Provider-Hosted App Auto-Hosted @AndrewConnell
  12. 12. App Shapes – What It Really Is SharePoint-Hosted Apps  Everything resides in SharePoint All Other Types  Majority resides external to SharePoint (IIS, Azure, etc.)  By default, don’t trigger creation of AppWeb… Unless they include SharePoint artifacts Auto-Hosted Apps  SharePoint handles deployment of external assets Azure Web Site SQL Azure @AndrewConnell
  13. 13. Inspecting App @AndrewConnell
  14. 14. Authentication in SharePoint 2013 Authentication Flow in SharePoint 2013  User authentication stays the same with standard sites  In calls to app web, app authentication occurs internally  Internal authentication occurs in calls to app web  External authentication used for calls from remote web  Call context can contain both user and app identity Requirements for establishing app identity  Host web application must be a claims-based  Incoming calls must target CSOM/REST endpoints Supported CSOM/REST endpoints not @AndrewConnell
  15. 15. User vs. App Authentication Flow SharePoint Farm Web Servers SAML call from user token OAuth call from app @AndrewConnell
  16. 16. SharePoint 2013 Authentication Flow start authentication request to set up call context SAML Token? YES NO app web with user identity NO YES set up call context CSOM/REST user info OAuth token? YES YES YES with user identity endpoint? in token? and app identity NO NO set up call context with app identity NO set up call context end with no identity authentication (anonymous access) @AndrewConnell
  17. 17. Provider-Hosted Apps & App Identity • Apps can obtain an identity using one of two methods: High-Trust (via OAuth (via S2S Trust & Azure ACS) certificates) @AndrewConnell
  18. 18. OAuth 2.0 Primer What is OAuth? Internet protocol for creating and managing app identity A cross-platform mechanism for authenticating apps Internet standard used by Facebook, Google and Twitter SharePoint 2013 use OAuth to establish app identity SharePoint integration with OAuth based on Azure ACS OAuth authentication used in Office 365 but not on-premises @AndrewConnell
  19. 19. Windows Azure ACS Windows Azure Access Control Service (ACS) Required to use OAuth with SharePoint 2013 ACS server acts as authentication server ACS server must be trusted by content server ACS server must be trusted by client app How is ACS configured as authentication server? Its configured automatically in Office 365 tenancies Not supported in on-prem farms in SharePoint @AndrewConnell
  20. 20. What is a Server-to-Server (S2S) Trust Trusted connection between client app and SharePoint  Eliminates need for ACS when running apps in on-premises farm  Trust between servers configured using SSL certificates  App code requires access to private key of SSL certificate  Requires creating Security Token Service on SharePoint server(s) @AndrewConnell
  21. 21. Developing Apps that use S2S Trusts What are the developer responsibilities with an S2S app?  Expose an endpoint to SharePoint to discover service metadata  Authenticate the user (can use Windows Auth, FBA, etc.)  Create security tokens to send to SharePoint server Details of creating the S2S security token  S2S token like OAuth token but differs from OAuth specification  Security token must contain app identity  Security token can optionally include user identity  Security token must be signed using certificate’s private @AndrewConnell
  22. 22. OAuth & S2S Trusts OAuth Enabled Apps  Before deployment marketplace, app must be registered with Azure ACS  Apps obtain their identity / token from Azure ACS  When calling SharePoint, app includes OAuth token  SharePoint trusts Azure ACS On-Prem deployments will typically use S2S  Before deployment, app must be registered with SharePoint  Developer registers a certificate with SharePoint & associates app with certificate  App creates token using private key of certificate  SharePoint trusts this token because it was signed with the private @AndrewConnell
  23. 23. What You Might Not Be Aware Of: #1 OAuth is only supported in Office 365 No support in On-Prem deployments at RTM Why? Possible update to this story after RTM Extra steps? Hotfix? Cumulative Update? Service Pack? Next Version? @AndrewConnell
  24. 24. Creating Apps with Identities & @AndrewConnell
  25. 25. What You Might Not Be Aware Of: #2 Office 365 Azure != Windows Azure Office 365 Azure Windows Azure • “Private Cloud” • • Azure Web Sites • Cloud services • SQL Azure DBs • Web Sites • Access Control Service • Virtual Machines • Storage (blob / queue / table) • Service Bus • SQL Azure • Access Control Service •… @AndrewConnell
  26. 26. The Sandbox Isn’t Dead Where you build sandbox solutions, try to replace them with SharePoint Apps There are many scenarios where Apps can’t replace sandbox solutions Some things are ONLY possible with sandboxed solutions in a hosted deployment Remember, they are deprecated, not dead! @AndrewConnell
  27. 27. App Model Parting Thoughts SharePoint ALM has always been hard .NET ALM > SharePoint ALM  More tools, more mature, more documentation & support No longer limited to what SharePoint supports  Latest version of the .NET Framework  New “toys” (MVC, Entity Framework, etc)  Not limited to any technology stack / infrastructure Working with service layer vs. server side API  More community tools & libraries to choose from  Can follow more “standards” Don’t have to scale SharePoint, can now just scale the @AndrewConnell
  28. 28. Questions? Want to Learn More? Hands-On & Virtual Training On-Demand Training  SharePoint Courses for Everyone  SharePoint Courses for Everyone  SharePoint 2007, 2010 & 2013  SharePoint 2007, 2010 & 2013  Developers, Administrators & End Users  Developers, Administrators & End Users  Get Training How You Like it  Individual, Small Business & Enterprise Plans  Hands-On (classroom with hands-on labs)  Monthly or Annual Subscriptions  Online (live webcast with take-away labs)  Watch Online & Offline  Private Classes Available for Large Groups  Subscribers Have Access to Entire @AndrewConnell