Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API

  1. Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
     Radi Atanassov, SharePoint MCM & MVP, OneBit Software Ltd.
  2. Who’s this guy?
     • Radi Atanassov
     • SharePoint 2010 MCM
     • SharePoint Server MVP
     • OneBit Software Ltd.
     • Web Platform User Group
     • @RadiAtanassov
  3. This talk is about…
     • How “apps” work
     • The App infrastructure
     • App authentication
     • Connectivity
  4. SharePoint’s extensibility history
     • 2001…
     • 2003… CAML?!?
     • 2007 – The SharePoint OM & UI enhanced…
       – Greater complexity & greater flaws
       – But still a strong “platform” we all love
     • 2010 – Service Applications, Ribbon, Sandbox
     • 2013 – Apps & the marketplace, On-Premise Apps
  5. Why is the App Model important to us?
     • Cost to the business
       – We don’t want SP projects to be expensive
       – We want more value for the same budget
     • SharePoint cannot be “fixed”
       – Cannot replace the DB schema
       – Cannot rewrite the OM
     • Microsoft’s preferred approach moving forward
       – We’ve been doing it for years
     • Office now releases every 3 months
  6. What is an “App” anyway?
     • The new word for iFrame
     • Another way of providing functionality, but keeping custom code outside of SharePoint
     • Functionality you can buy from a marketplace
     • A huge marketing stunt to drive adoption
     • The infrastructure, plumbing, authentication model & framework to do things we have been doing for a while
  7. Why is authentication important to us?
     • So we don’t look like we don’t know what we are doing!
     • We are moving to the CLOUD…
     • We need to integrate with Exchange 2013, Lync 2013 and custom Apps
     • We need to understand & design hybrid deployments
     • You can’t have “Apps” without authentication
     • It matters when you do on-premises or hybrid Apps
  8. SharePoint Apps: APPTECTURE
  9. Recap - App Hosting Models
     • Provider-hosted app: SharePoint Host Web + Your Hosted Site. You provide your own hosting environment.
     • Autohosted app: SharePoint Host Web + Windows Azure + SQL Azure. Azure is provisioned automatically as apps are installed.
     • Cloud-hosted apps (both of the above):
       – Use server code
       – Receive SP events
       – Use OAuth to access SP
     • SharePoint-Hosted app: SharePoint Host Web + SharePoint App Web. Provisions an isolated sub web on a host web.
       – Use SP artifacts & out-of-box web parts
       – Use HTML & JavaScript for UI & client-side logic
       – Use Workflows for middle tier logic
  10. Recap - App Shapes
     • Full page – Implement complete app experiences to satisfy business scenarios
     • App Parts – Create app parts that can interact with the SharePoint experience
     • UI command extensions – Add new commands to the ribbon and item menus
  11. Recap - App Package
     (diagram: Host Package (OPC) containing the App Web WSP and the Azure package; slide courtesy of Mike Morton)
  12. App Manifest
      <?xml version="1.0" encoding="utf-8" ?>
      <!--Created:cb85b80c-f585-40ff-8bfc-12ff4d0e34a9-->
      <App xmlns="" Name="SharePointApp1" ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}" Version="" SharePointMinVersion="">
        <Properties>
          <Title>SharePointApp1</Title>
          <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
          <SupportedLocales>
            <SupportedLocale CultureName="en" />
            <SupportedLocale CultureName="en-AU" />
            <SupportedLocale CultureName="bg" />
          </SupportedLocales>
        </Properties>
        <AppPrincipal>
          <RemoteWebApplication ClientId="*" />
        </AppPrincipal>
        <AppPermissionRequests>
          <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
          <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
        </AppPermissionRequests>
        <AppPrerequisites>
          <AppPrerequisite Type="Capability" ID="A83C8D70-71DE-4260-9FB8-677418EB47F2" />
        </AppPrerequisites>
      </App>
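The manifest above is what a reviewer reads before installing a package: who the app principal is and which permission scopes and rights it asks for. The following added example (not part of the deck) parses a constructed manifest modelled on the slide and flags the requests that deserve a second look; the namespace URI is assumed to be the SharePoint 2013 app manifest namespace, and the Version values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed manifest modelled on the 'App Manifest' slide; ids are the deck's, not a real app's.
# Assumption: the 2013 manifest namespace is http://schemas.microsoft.com/sharepoint/2012/app/manifest.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest" Name="SharePointApp1"
     ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}" Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>SharePointApp1</Title>
    <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal><RemoteWebApplication ClientId="*" /></AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  </AppPermissionRequests>
</App>"""

BROAD_RIGHTS = {"Manage", "FullControl"}

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]   # strip the namespace so the check also works on un-namespaced files

def review_manifest(xml_text: str) -> dict:
    """List the principal and every permission an app package asks for, flagging the risky ones."""
    root = ET.fromstring(xml_text)
    report = {"name": root.get("Name"), "principal": None, "client_id": None,
              "permissions": [], "findings": []}
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("RemoteWebApplication", "Internal"):
            report["principal"], report["client_id"] = tag, el.get("ClientId")
        elif tag == "AppPermissionRequest":
            scope, right = el.get("Scope", ""), el.get("Right", "")
            report["permissions"].append((scope, right))
            if right in BROAD_RIGHTS:
                report["findings"].append(f"broad right {right} on {scope}")
            if scope.rstrip("/").endswith("/tenant"):
                report["findings"].append(f"tenant-wide scope {scope} ({right})")
    if report["principal"] == "RemoteWebApplication":
        # Code behind a remote web lives with the provider: the deck's 'do you trust your vendor?' point
        report["findings"].append("remote web application: provider-controlled code outside SharePoint")
    return report
```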
  13. The App Domain - *
      • You should use a unique domain name, not a subdomain
      • Only one in the farm!
      • Prevents XSS attacks and script injection into the parent
      • Prevents cookie information leaking
      • Separates Apps from SharePoint sites, aka “app isolation”
      • The reason why AAMs don’t work with Apps
      • Use SSL, even on dev environments!
      • Should use wildcard certificates on a dedicated web application
      • The app domain should be in the Internet or Restricted sites security zone in Internet Explorer
      • Wildcard DNS should point to the load balancer
  14. The App URL - *
      • https://{appPrefix}-{UID}.{appdomain}/{appName}
      • In MT scenarios each tenant has their own {appPrefix}
      • {UID} comes from the subscription service
      • {appName} - the App name, e.g. SharePointApp2
  16. SharePoint Apps: AUTHENTICATION WITH OFFICE 365
  17. SharePoint OAuth & Office 365
  19. OAuth-authenticated request – Context Token
      <form id="frmRedirect" action="https://localhost:44301/Pages/Default.aspx?SPHostUrl=...;SPLanguage=en....." method="post">
        <input type="hidden" name="SPAppToken" value="eyJ0eXAiOiJKV…CnQ" />
        <input type="hidden" name="SPSiteUrl" value="" />
        <input type="hidden" name="SPSiteTitle" value="OneBit Software Ltd. Team Site" />
        <input type="hidden" name="SPSiteLogoUrl" value="" />
        <input type="hidden" name="SPSiteLanguage" value="en-US" />
        <input type="hidden" name="SPSiteCulture" value="en-US" />
        <input type="hidden" name="SPRedirectMessage" value="EndpointAuthorityMatches" />
        <input type="hidden" name="SPErrorCorrelationId" value="" />
        <input type="hidden" name="SPErrorInfo" value="" />
      </form>
  20. Decoded JWT token
      Header:
      {"typ":"JWT","alg":"HS256"}
      Payload (aud = Audience, iss = Issuer):
      {"aud":"ded48005-1c15-416e-a84b-9b1b0fb5a50e/localhost:44301@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
       "iss":"00000001-0000-0000-c000-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
       "nbf":"1360231739",
       "exp":"1360274939",
       "appctxsender":"00000003-0000-0ff1-ce00-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
       "appctx":"{\"CacheKey\":\"jE7itw4EgtsIxnejiJ20ldz4VUVQagnkh5A+tShdjTU=\",\"SecurityTokenServiceUri\":\"\"}",
       "refreshtoken":"IAAAALi3Arn…",
       "isbrowserhostedapp":"true"}
  21. Context Token in POST
      • POST HTTP/1.1
      • Authorization: Bearer eyJ0eXAiOiJKV1QiLC…iKlpA   (Access Token inside)
      • Content-Type: text/xml
      • Host:
      • Content-Length: 615
      • Expect: 100-continue
      • Accept-Encoding: gzip, deflate
      • <Request AddExpandoFieldTypeSuffix="true" SchemaV….
  22. OAuth 2.0 Request
      grant_type=refresh_token
      &client_id=ded48005-1c15-416e-a84b-9b1b0fb5a50e%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
      &client_secret=9hU432522%2fupFTP7ogz6pw7IgsbY8JpW1JFjgHCcegs%3d
      &refresh_token=IAAAALi3…
  23. OAuth 2.0 Response
      {"token_type":"Bearer",
       "access_token":"eyJ0eXAiOiJKV1Q…phfQ",
       "expires_in":"43199",
       "not_before":"1360233350",
       "expires_on":"1360276550",
       "resource":00000003-0000-0ff1-ce00-000000000000/}
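Slides 19 to 23 show the context token arriving in the SPAppToken form field, its decoded claims, and the refresh_token grant that exchanges it for an access token. The added example below (not code from the deck or from the SharePoint TokenHelper) shows the checks a remote web must make before trusting that token, then builds the ACS request body from it; the client secret and token are constructed, and the HMAC key derivation (base64-decoding the client secret) is an assumption about the TokenHelper convention.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode
# Constructed demo values (not a real tenant); the ids mirror those on the slides.
CLIENT_ID = "ded48005-1c15-416e-a84b-9b1b0fb5a50e"
REALM = "8822364f-0b55-48a9-88f8-1b1fcc2e5e89"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
CLIENT_SECRET = base64.b64encode(b"constructed-demo-secret-do-not-reuse").decode()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(signing_input: bytes) -> bytes:
    # Assumption (TokenHelper convention): the client secret is base64 text; its decoded bytes are the HMAC key.
    return hmac.new(base64.b64decode(CLIENT_SECRET), signing_input, hashlib.sha256).digest()

def validate_context_token(token: str, host: str, now: int) -> dict:
    """Verify an SPAppToken's HS256 signature and claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, p64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never let the token choose its own algorithm
    if not hmac.compare_digest(_sign(f"{h64}.{p64}".encode()), _b64url_decode(s64)):
        raise ValueError("bad signature")       # verified before any claim is read
    claims = json.loads(_b64url_decode(p64))
    if claims.get("aud") != f"{CLIENT_ID}/{host}@{REALM}":
        raise ValueError("audience mismatch")   # minted for another app, host or tenant
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{REALM}":
        raise ValueError("issuer mismatch")
    if not int(claims["nbf"]) <= now < int(claims["exp"]):
        raise ValueError("token outside nbf/exp window")
    return claims

def build_refresh_request(claims: dict) -> str:
    """Form body for the ACS refresh_token grant shown on the 'OAuth 2.0 Request' slide."""
    return urlencode({"grant_type": "refresh_token", "client_id": f"{CLIENT_ID}@{REALM}",
                      "client_secret": CLIENT_SECRET, "refresh_token": claims["refreshtoken"]})

def make_demo_token(host: str, now: int, **overrides) -> str:
    """Mint a constructed context token (what ACS would sign) so the validator can be exercised."""
    claims = {"aud": f"{CLIENT_ID}/{host}@{REALM}", "iss": f"{ACS_PRINCIPAL}@{REALM}",
              "nbf": str(now - 60), "exp": str(now + 43200), "refreshtoken": "IAAAALi3-demo",
              "isbrowserhostedapp": "true", **overrides}
    h64 = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    p64 = _b64url(json.dumps(claims).encode())
    return f"{h64}.{p64}." + _b64url(_sign(f"{h64}.{p64}".encode()))
```

The signature is checked before any claim is read, so a payload spliced under another token's signature, or a token minted for a different host, is rejected before its refreshtoken is ever sent to ACS.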
  24. SharePoint Apps: OAUTH IN ACTION – ON-PREMISES
  25. Server-to-Server Trust
      • Trusted connection between app and SharePoint
        – Eliminates need for ACS when running apps in on-premises farm
        – Trust between servers configured using SSL certificates
        – App code requires access to private key of SSL certificate
        – Requires creating Security Token Service on SharePoint server(s)
      (diagram: app and S2S STS exchange, steps 1 to 4, with the SSL cert public/private key pair (.pfx))
  26. Developing High-Trust Apps
  27. Terminology
      • High-Trust
      • Low-Trust
      • Full-Trust
      • Partial-Trust
      • Server-2-Server Trust (S2S)…. Different from STS
      • Sandbox Solutions
      • User Code Solutions
  28. Configuring Server-2-Server Trust for App Dev: DEMO
  29. App security concerns
      • A new attack vector, old attack principles
      • A provider hosted app can be “upgraded” by the provider. Do you trust your vendor?
      • Script injection and in-flight modification
      • SSL is important!
      • Many more…
  30. References
      • Explore the app manifest and the package of an app for SharePoint
      • URL strings and tokens in apps for SharePoint
      • OAuth authentication and authorization flow for cloud-hosted apps in SharePoint 2013
      • How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic)
      • How to: Package and publish high-trust apps for SharePoint 2013
  31. Key takeaways
      • You should definitely look into SharePoint Apps!
      • Do your best to understand authentication now
      • Complex cloud scenarios will come
  32. Contact me
      • @RadiAtanassov
      • Facebook: Radi Atanassov
      • LinkedIn:
      • Mobile: +359 878 823 339
  33. Questions? Please fill out the feedback stuff! E-mail me:
  34. THANK YOU! Please fill out the feedback stuff! E-mail me: