Oauth and SharePoint 2013 Provider Hosted apps

630 Freedom Business Center
Drive
3rd Floor
King of Prussia, PA 19406
©2013 CapTech Ventures
www.captechconsulting.com
Tri-State SharePoint
SharePoint 2013 Auth
– Giving an app a first class identity
James Tramel
May 14, 2013

©2012 CapTech Ventures, Inc. All rights reserved.
CapTech
• Philadelphia, DC, Richmond and Charlotte Based
• Practices – MC/SI/DMBI - thought leadership
• Technology agnostic, several MS folks in SI practice
• We’re local and community focused
• Philadbundance, Run to Rebuild, United Way
Page 2

Agenda
Clouds and SharePoint, Clouds and Apps, Clouds and You
Oauth – small demo
Authorization vs Authentication
Oauth, Apps and Identity
Hosting and Trust
Demo

Cloudy with a chance of meatballs
Page 4

The Cloud – compute as a service utility
• Bing Maps Data Center in a minute:
http://www.youtube.com/watch?v=XbKunHnuIcA
• Modular Data Center Overview:
http://www.youtube.com/watch?v=LiMq_5L1MQg
• Inside a Modular Data Center:
http://www.youtube.com/watch?v=nIliMskAHro
Page 5

What is SharePoint?
• Application or platform?
• What’s the difference between these things:
- Office 365, BPOS
- SharePoint Online
- SharePoint on Premise
- SharePoint Hybrid
- SharePoint 2010
- SharePoint 2013
- Foundation, Server and Enterprise
- SharePoint in Azure, AWS, RackSpace, Cloudshare
Page 6

What is SharePoint in relation to the cloud
Page 7

Cloud Continuum
Page 8

IaaS vs PaaS vs SaaS
Page 9

IaaS vs PaaS vs Saas
Page 10

Iaas vs PaaS vs SaaS
Page 11

5-3-2 Cloud
Page 12

What does this have to do with apps?
Page 13

What does this have to do with apps?
• Apps in the cloud
• Making systems and apps more robust
• Tying to the cloud, but you don’t have to
• Services working together
• How do you make this work?
Page 14

What else is going on in the web?
• Twitter
• Tumblr
• Bitly
• Facebook
• Instagram
• Wordpress
• Geolocation
Page 15

Demo
Page 16

Oauth
• OAuth is an open standard for authorization
• OAuth is not OpenID (authentication/digital ID)
• Valet Key
• Access Token
• Scopes
Page 17

What's your P@ssword!
• Last time you changed your password?
• Benefits of the valet?
Page 18

Authentication vs Authorization
Page 19
Authentication is the verification of the
credentials of the connection attempt
•Who is the user?
•Is the user really who he/she represents himself to
be?
Authorization is the verification that the
connection attempt is allowed
•Is user X authorized to access resource R?
•Is user X authorized to perform operation P?
•Is user X authorized to perform operation P on
resource R?

SharePoint 2010 Authentication
• Authentication
- Windows (NT, Kerberos, Anonymous, Basic, Digest)
- Forms (LDAP, SQL, Custom)
- SAML (ADFS, Custom, LDAP)
• Development
- Farm (full trust)
- Sandbox (some trust)
- Rest/API (no trust – except where given, COM)
Page 20

SP 2013 Auth
Claims, Claims, Claims
• Classic is no more, or on its way out
• Distributed Cache
Server to Server
• Exchange, Lync
App Authentication (App Model / App Catalog / CSOM)
• Create apps that use Oauth or other identity provider
• App Permission Policies (User/App, App Only, User Only)
Page 21

Oauth Terms
• Client app
- Remote app that needs site perms
• Content owner
- User who grants perms to content
• Content Server
- Web server where content is
• Auth Server
- Trusted server that authenticates apps and creates oauth tokens
Page 22

The Dance – how this works for Apps
Page 23

Low Trust Apps in SharePoint 2013
Page 24

BCS Hybrid and Oauth – The Dance (Example)
Page 25

Apps are people too
• Apps have permission like users
• App principle is like a user identify – a security principle
• Apps are granted perms
- Differ than users
- All or nothing / No hierarchy
• Apps have default perms
- App can run app web
- App can include permissions
- Install grants / denies permission
Page 26

Access Tokens
• Access tokens are issued by the OAuth security token service (STS).
- An example of OAuth STS is Windows Azure Access Control
Service (ACS) OAuth endpoints.
- In contrast, the WS-Federation STS and the Security Assertion
Markup Language (SAML) passive sign-in STS are primarily
intended to issue sign-in tokens
• What’s a token?
Page 27

Identity
Page 28

When is using OAuth required?
• To authorize requests by an app for SharePoint to access SharePoint
resources on behalf of a user.
• To authenticate apps in the Office Store, an app catalog, or a developer
tenant.
Page 29

Plan for App Authentication
App authentication is the validation of an external app for SharePoint's
identity and the authorization of both the app and an associated user
when the app requests access to a secured SharePoint resource
• Verify that the requesting app is trusted.
• Verify that the type of access that the app is requesting is authorized.
Page 30

Types of Hosting options
Page 31

Types of hosting
Page 32

Trust Relationships for hosting optoins
• Autohosted
- Autohosted apps run as a web role in Windows Azure and use the Windows
Azure Access Control Service (ACS) to obtain the access token.
• Provider-hosted
- Provider-hosted apps run on their own servers on the Internet or your intranet,
are registered with Windows Azure, and use ACS to obtain the access token.
• SharePoint-hosted
- Sharepoint hosted apps run in an appweb, can have client side code but not
server side code. Developer must use certificates or create their own trust
Page 33

High Trust vs Low Trust
• High-trust apps
- High-trust apps run on stand-alone servers on your intranet and use a signing
certificate to digitally sign the access tokens that the app generates. Typically
server to server.
• Low-Trust apps
- Low trust apps can run anywhere and run on an Oauth code flow to delegate
limited rights to apps to act as users. SharePoint and client application must trust
and communicate with an authentication provider such as azure active directory.
Page 34

Demo
• Setting up a provider hosted app to run in Azure
Page 35

References
• MSDN, Technet, Microsoft, Wikipedia
• Robert G Carter, Duke Uniersity OIT
• Connecting a PaaS Application to an IaaS application with a Virtual
Network – Yung Chou, MS Tech Evangelist
• Introduction to Windows Azure Virtual Machines – Keith Mayer, MS
Developer Evangelist
• Creating a SharePoint Server 2013 Environment for Development and
Testing – Critical Path
• SharePoint 2013 Developer Ramp Up – Plural Sight, Andrew Connell
Page 36

Yes You can
• Premium Subscriber
• Free Account in Azure
Page 37

Do it
• Client
- Powershell
• Azure cmdlets
• Import azure module
• Get/set azure publishing
settings
- Visual Studio 2012
• Azure toolkit
• Office Developer Tools
Page 38
Azure
• Affinity Group
• Storage
• DNS
• Network
• Active Directory

SharePoint Demo
Page 39

Oauth and SharePoint 2013 Provider Hosted apps

More Related Content

What's hot

Viewers also liked

Similar to Oauth and SharePoint 2013 Provider Hosted apps

More from James Tramel

Recently uploaded

Oauth and SharePoint 2013 Provider Hosted apps