OAuth and SharePoint 2013 Provider Hosted apps

A deep dive into OAuth and a look at provider-hosted apps in SharePoint 2013, including how to host an app in Azure but add it to SharePoint.


  1. Tri-State SharePoint: SharePoint 2013 Auth – Giving an app a first class identity
     James Tramel, May 14, 2013
     CapTech Ventures, 630 Freedom Business Center Drive, 3rd Floor, King of Prussia, PA 19406, www.captechconsulting.com (©2013 CapTech Ventures)
  2. CapTech (©2012 CapTech Ventures, Inc. All rights reserved.)
     • Philadelphia, DC, Richmond and Charlotte based
     • Practices – MC/SI/DMBI – thought leadership
     • Technology agnostic, several MS folks in the SI practice
     • We're local and community focused
     • Philabundance, Run to Rebuild, United Way
  3. Agenda
     • Clouds and SharePoint, Clouds and Apps, Clouds and You
     • OAuth – small demo
     • Authorization vs Authentication
     • OAuth, Apps and Identity
     • Hosting and Trust
     • Demo
  4. Cloudy with a chance of meatballs
  5. The Cloud – compute as a service utility
     • Bing Maps Data Center in a minute: http://www.youtube.com/watch?v=XbKunHnuIcA
     • Modular Data Center Overview: http://www.youtube.com/watch?v=LiMq_5L1MQg
     • Inside a Modular Data Center: http://www.youtube.com/watch?v=nIliMskAHro
  6. What is SharePoint?
     • Application or platform?
     • What's the difference between these things:
       - Office 365, BPOS
       - SharePoint Online
       - SharePoint on premise
       - SharePoint hybrid
       - SharePoint 2010
       - SharePoint 2013
       - Foundation, Server and Enterprise
       - SharePoint in Azure, AWS, RackSpace, CloudShare
  7. What is SharePoint in relation to the cloud
  8. Cloud Continuum
  9. IaaS vs PaaS vs SaaS
  10. IaaS vs PaaS vs SaaS
  11. IaaS vs PaaS vs SaaS
  12. 5-3-2 Cloud
  13. What does this have to do with apps?
  14. What does this have to do with apps?
     • Apps in the cloud
     • Making systems and apps more robust
     • Tying to the cloud, but you don't have to
     • Services working together
     • How do you make this work?
  15. What else is going on in the web?
     • Twitter
     • Tumblr
     • Bitly
     • Facebook
     • Instagram
     • WordPress
     • Geolocation
  16. Demo
  17. OAuth
     • OAuth is an open standard for authorization
     • OAuth is not OpenID (authentication / digital ID)
     • Valet key
     • Access token
     • Scopes
  18. What's your P@ssword!
     • Last time you changed your password?
     • Benefits of the valet?
  19. Authentication vs Authorization
     Authentication is the verification of the credentials of the connection attempt
     • Who is the user?
     • Is the user really who he/she represents himself to be?
     Authorization is the verification that the connection attempt is allowed
     • Is user X authorized to access resource R?
     • Is user X authorized to perform operation P?
     • Is user X authorized to perform operation P on resource R?
  20. SharePoint 2010 Authentication
     • Authentication
       - Windows (NTLM, Kerberos, Anonymous, Basic, Digest)
       - Forms (LDAP, SQL, Custom)
       - SAML (ADFS, Custom, LDAP)
     • Development
       - Farm solutions (full trust)
       - Sandboxed solutions (some trust)
       - REST / API (no trust, except where granted; client object model)
  21. SP 2013 Auth: Claims, Claims, Claims
     • Classic mode authentication is no more, or on its way out
     • Distributed Cache
     • Server to Server (Exchange, Lync)
     • App Authentication (App Model / App Catalog / CSOM)
     • Create apps that use OAuth or another identity provider
     • App Permission Policies (User + App, App Only, User Only)
  22. OAuth Terms
     • Client app – the remote app that needs site permissions
     • Content owner – the user who grants permissions to content
     • Content server – the web server where the content is
     • Auth server – the trusted authorization server that authenticates apps and issues OAuth tokens
  23. The Dance – how this works for apps
  24. Low Trust Apps in SharePoint 2013
  25. BCS Hybrid and OAuth – The Dance (example)
  26. Apps are people too
     • Apps have permissions like users
     • An app principal is like a user identity: a security principal
     • Apps are granted permissions
       - Differently from users
       - All or nothing / no hierarchy
     • Apps have default permissions
       - An app can run its app web
       - An app can include permission requests
       - Installation grants or denies the requested permissions
  27. Access Tokens
     • Access tokens are issued by the OAuth security token service (STS).
       - An example of an OAuth STS is the Windows Azure Access Control Service (ACS) OAuth endpoints.
       - In contrast, the WS-Federation STS and the Security Assertion Markup Language (SAML) passive sign-in STS are primarily intended to issue sign-in tokens.
     • What's a token?
  28. Identity
  29. When is using OAuth required?
     • To authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user.
     • To authenticate apps in the Office Store, an app catalog, or a developer tenant.
  30. Plan for App Authentication
     App authentication is the validation of an external app for SharePoint's identity, and the authorization of both the app and an associated user, when the app requests access to a secured SharePoint resource.
     • Verify that the requesting app is trusted.
     • Verify that the type of access that the app is requesting is authorized.
  31. Types of Hosting Options
  32. Types of hosting
  33. Trust relationships for hosting options
     • Autohosted – autohosted apps run as a web role in Windows Azure and use the Windows Azure Access Control Service (ACS) to obtain the access token.
     • Provider-hosted – provider-hosted apps run on their own servers on the Internet or your intranet, are registered with Windows Azure, and use ACS to obtain the access token. Without ACS (on premises), the developer must instead use a signing certificate or otherwise establish their own trust.
     • SharePoint-hosted – SharePoint-hosted apps run in an app web and can have client-side code but no server-side code.
  34. High Trust vs Low Trust
     • High-trust apps – high-trust apps run on stand-alone servers on your intranet and use a signing certificate to digitally sign the access tokens that the app generates itself. Typically server to server.
     • Low-trust apps – low-trust apps can run anywhere and use an OAuth flow to delegate limited rights to the app to act on behalf of users. SharePoint and the client application must both trust, and communicate with, an authorization server such as Windows Azure ACS.
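The low-trust "dance" of slides 22 to 25 and 34, as an added example that is not part of the original deck and not Microsoft's TokenHelper code: when SharePoint launches a low-trust app it POSTs a context token (form field SPAppToken), a JWT that ACS signed with HMAC-SHA256 under the app's client secret. Before trusting anything in it, the app must check the signature, that the issuer is ACS, that the audience is this client ID on this host in this realm, and the validity window; only then does it trade the embedded refresh token at ACS for an access token. The client ID, realm, host name, client secret and token contents below are constructed for the demonstration (the two well-known principal IDs are the real ACS and SharePoint principals). Python standard library only; no network call is made.

```python
import base64
import hashlib
import hmac
import json
import time

# Well-known principal IDs of the SharePoint 2013 low-trust (ACS) app model.
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # issuer of context tokens
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # the SharePoint resource

# --- Constructed sample values (hypothetical; not a real tenant, app or secret) ---
CLIENT_ID = "a1b2c3d4-0000-4000-8000-0123456789ab"
REALM = "f0e1d2c3-0000-4000-8000-ba9876543210"   # tenant / realm GUID
HOST = "app.contoso.example"                     # where the provider-hosted app lives
CLIENT_SECRET = base64.b64encode(b"constructed-32-byte-demo-secret!!").decode()
WRONG_SECRET = base64.b64encode(b"a-different-constructed-secret").decode()
NOW = 1368489600  # 2013-05-14 00:00 UTC (the talk's date); fixed so the demo is deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, client_secret_b64: str) -> str:
    """Compact JWT signed with HMAC-SHA256. The client secret SharePoint hands out is
    base64 text; the HMAC key is its decoded bytes."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    key = base64.b64decode(client_secret_b64)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def sample_context_token(secret=CLIENT_SECRET, exp=NOW + 12 * 3600) -> str:
    """Build the kind of context token SharePoint POSTs to the app (form field SPAppToken).
    Claim names follow the real token; every value is constructed for this demo."""
    claims = {
        "aud": f"{CLIENT_ID}/{HOST}@{REALM}",           # this app, on this host, in this realm
        "iss": f"{ACS_PRINCIPAL}@{REALM}",               # ACS issued it
        "nbf": NOW - 60,
        "exp": exp,
        "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
        "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                              "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"}),
        "refreshtoken": "constructed-refresh-token",
        "isbrowserhostedapp": "true",
    }
    return sign_hs256(claims, secret)


def validate_context_token(token: str, client_id: str, client_secret_b64: str,
                           host: str, now=None) -> dict:
    """The checks an app makes before trusting a context token: signature under the client
    secret, issuer is ACS, audience is this app on this host, time window.
    Returns the claims; raises ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":                     # never let the token choose the algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = base64.b64decode(client_secret_b64)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    issuer, _, realm = claims.get("iss", "").partition("@")
    if issuer.lower() != ACS_PRINCIPAL or not realm:
        raise ValueError("issuer is not ACS")
    if claims.get("aud", "").lower() != f"{client_id}/{host}@{realm}".lower():
        raise ValueError("audience mismatch: token was not minted for this app on this host")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token outside its validity window")
    return claims


def build_acs_refresh_request(claims: dict, client_id: str, client_secret_b64: str, host: str) -> dict:
    """Form fields of the POST to the ACS OAuth endpoint (named in claims['appctx']) that trades
    the refresh token for a SharePoint access token. Builds the body only; no network call."""
    realm = claims["iss"].split("@", 1)[1]
    return {
        "grant_type": "refresh_token",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret_b64,
        "refresh_token": claims["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{host}@{realm}",  # the SharePoint site host
    }


if __name__ == "__main__":
    claims = validate_context_token(sample_context_token(), CLIENT_ID, CLIENT_SECRET, HOST, now=NOW)
    print("cache key:", json.loads(claims["appctx"])["CacheKey"])
    req = build_acs_refresh_request(claims, CLIENT_ID, CLIENT_SECRET, HOST)
    print("ACS request:", {k: v for k, v in req.items() if k != "client_secret"})
    for bad in (sample_context_token(secret=WRONG_SECRET), sample_context_token(exp=NOW - 1)):
        try:
            validate_context_token(bad, CLIENT_ID, CLIENT_SECRET, HOST, now=NOW)
        except ValueError as err:
            print("rejected:", err)
```

The access token ACS returns is what the app puts in the Authorization: Bearer header on its calls to SharePoint (CSOM or REST). Two points worth keeping in mind: the context token arrives from the user's browser, so an app that reads the refresh token or CacheKey out of it without first verifying the signature and audience is trusting attacker-controlled input; and the host check matters because the same client ID may be registered for several host names, and a token minted for one host should not be accepted on another.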
  35. Demo
     • Setting up a provider-hosted app to run in Azure
  36. References
     • MSDN, TechNet, Microsoft, Wikipedia
     • Robert G. Carter, Duke University OIT
     • Connecting a PaaS Application to an IaaS Application with a Virtual Network – Yung Chou, MS Tech Evangelist
     • Introduction to Windows Azure Virtual Machines – Keith Mayer, MS Developer Evangelist
     • Creating a SharePoint Server 2013 Environment for Development and Testing – Critical Path
     • SharePoint 2013 Developer Ramp Up – Pluralsight, Andrew Connell
  37. Yes you can
     • Premium subscriber
     • Free account in Azure
  38. Do it
     Client
     • PowerShell
       - Azure cmdlets
       - Import the Azure module
       - Get / set Azure publishing settings
     • Visual Studio 2012
       - Azure toolkit
       - Office Developer Tools
     Azure
     • Affinity group
     • Storage
     • DNS
     • Network
     • Active Directory
  39. SharePoint Demo
