This document discusses securing SharePoint apps using OAuth authentication. It provides an overview of app authentication in SharePoint 2013, including the use of OAuth and app principals. The key points covered are:
- SharePoint 2013 supports app authentication using OAuth or, on-premises, using a security token service.
- Apps are assigned a principal that is used to manage app permissions separately from user permissions.
- The OAuth workflow involves apps obtaining access tokens from Azure Access Control Service to make calls to SharePoint on behalf of users.
- App principals must be registered both with SharePoint and ACS, and include a client ID, client secret, and redirect URL.
Building a document e-signing workflow with Azure Durable Functions (Joonas Westlin)
Durable functions offer an interesting programming model for building workflows. Whether you need to sometimes split and do multiple things or wait for user input, a lot of things are possible. They do present some challenges as well, and the limitations of orchestrator functions can make working with Durable seem very complicated.
In this talk we will go through the basics of Durable Functions along with strategies for deploying and monitoring them. A sample application will be presented where users can send documents for electronic signature. A Durable Functions workflow will power the signing process.
ECS 2018: Introduction to Azure Web Applications (Eric Shupps)
The Azure platform offers many opportunities for developers to build robust, cloud-first applications that integrate directly with Office 365. Learn how to leverage the power of the Microsoft cloud infrastructure to create solutions with fully-integrated single sign-on and authorization. Discover tips and tricks for rapidly building, deploying and managing Azure solutions, along with techniques for leveraging the Office 365 API’s from your cloud applications.
Planning on deploying an Extranet on SharePoint? Before you open up your internal site for your partners, consider the security, confidentiality, authentication and licencing implications.
[Robert Vončina] With SharePoint 2016 there are a few new things that make configuring SharePoint 2016 for BI a bit more challenging. This session will display how to configure your SharePoint 2016 environment for authentication delegation with Kerberos for different BI tools.
Azure Static Web Apps allows you to develop modern full-stack web apps quickly and easily with a static front-end and dynamic back end powered by Serverless APIs with custom routing, security including authentication/authorization, custom domains, private endpoint, etc. Azure Static Web Apps offers cost-effective pricing from hobby to production apps.
I presented this at a user group in Sweden, as a compilation discussion of practical customer experiences with Windows Azure. The slides led the discussion. Enjoy.
Cloud Dev with Azure Functions - DogFoodCon 2018 - Brian T Jackett (Brian T. Jackett)
Code samples: https://github.com/BrianTJackett/Presentations/tree/master/DogFoodCon2018
Dipping Your Toe into Cloud Development with Azure Functions. Presented at DogFoodCon 2018 by Brian T. Jackett.
Windows Azure Active Directory step-by-step, How to set-up Azure Active Directory, Identity Management in Azure, Access Management with Azure Active Directory
Single Page Apps bring a unique set of concerns to authentication and user management. Robert Damphousse, lead Javascript engineer at Stormpath, will show you how to use Stormpath to secure an Angular.js app with any backend: Java, Node, PHP, .NET and more!
Robert will deep dive into Angular.js authentication best practices and an extended technical example. Join us!
Topics Covered:
- Authentication in Single Page Apps (SPA)
- Using JWTs instead of Session IDs
- Secure Cookie storage
- Cross-Origin Resource Sharing
- Where does Stormpath fit in your architecture?
- End-to-end example with Angular.js + Express.js
- Password-based registration and login
- How to secure your API endpoints
- Implement User Authorization
- Design for a frictionless User Experience
[Jussi Roine] This is literally the best session on serverless, ever. We'll have a figurative look at literally the best invention since Office Clipper guy (I miss him). You'll understand the how, what, why, where and whom and there was one more I think, to literally build solutions, integrations and spamming engines with ease. Make servers not great again!
Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: https://stormpath.com/blog
Join Stormpath Java Developer Evangelist Micah Silverman for a technical overview of the common pain points with Java authentication. We'll cover how to solve them with Stormpath in a Spring Boot application, and demonstrate how to quickly add a complete user management system to your Spring Boot app. By the end of this webinar, you’ll be on your way to a fully functioning Spring Boot app backed by Stormpath.
Topics Covered:
- Authentication Pain Points in Java
- Stormpath, Spring Boot, and Your Architecture
Demo: Auth in Spring Boot, with these features:
- A complete user registration and login system
- Pre-built login screens
- Password reset workflows
- Group-based authorization
- Advanced user features: API authentication, Single Sign-On, social login, and more
Technical Q&A
Zero credential development with managed identities (Joonas Westlin)
Introduction to Managed Identities in Azure, what they are and how they work. Also goes through what services they can be used with in Azure, how you can use services without any keys or secrets.
Best Practices in SharePoint Development - Just Freakin Work! Overcoming Hurd... (Geoff Varosky)
Abstract: “Why am I getting a security error??” “Why does my code work sometimes, but not others?” “I wonder if McDonalds is hiring.” Writing custom code in SharePoint opens up unlimited possibilities but also throws many hurdles in your way that will slow you down if you don’t take them into account. So, before giving up and searching for careers in the fast food industry, equip yourself with the knowledge you need to succeed in writing custom code for SharePoint.
Understanding SharePoint Apps, authentication and authorization infrastructur... (SPC Adriatics)
This session will teach you everything that you need to know in order to understand SharePoint Apps, authentication and authorization. Learn about the different types of Apps, the underlying Apps architecture and how to configure an on-premises environment to support Apps. You will also learn about the different authentication options available for integrating apps, devices, and applications for on-prem scenarios, in the cloud and hybrid.
The session will address the different ways users can be authenticated in SharePoint: Active Directory, forms based authentication, claims based authentication, and anonymous access. I’ll discuss when to implement each method and what the best practices are for permission application and management. I’ll address when to use each method and when to implement other concepts like web application policies, extending web applications, laying out a decentralized security model.
To abide by this best practice, I’ll discuss how the farm’s taxonomy may need to be restructured. This is where administrators need to develop and enforce a governance plan around the farm’s taxonomy. Thinking about where lists, items, and groups need to be in a SharePoint farm will ensure the right eyes are seeing the right content- and nothing more.
The goal of the session is to ensure SharePoint content is secure and permissions do not get out of control. I’ll take a deep dive into what is available out of the box and what you can customize. Finally, I’ll also demonstrate how to utilize SharePoint’s auditing functionality to track who is changing permissions. The audit reports will be used to ensure the admins changing permissions are taking the correct action. When administrators know all their options around security, internal governance plans can be developed to safeguard their farm’s content.
Solving business problems: No-code approach with SharePoint designer workflow... (Bhakthi Liyanage)
Let's not write code, until we have to write code. Whether you are a power user, decision maker, administrator, or developer. The SharePoint and Office platform makes no-code solutions a practical reality. In this session, I will show how SharePoint designer workflows can be used to solve complex business problems without a single line of code. This session also discusses how SPD workflows can be leveraged to surface SharePoint 2013 features via REST API.
Governance of content, permissions & apps in SharePoint 2013 (Kashish Sukhija)
Overview of governance and security of apps in SharePoint 2013, on-premises app store and catalog, and app configuration settings. The session will also include detailed code examples using SharePoint 2013 of how to customize Permission Levels, Audit Settings, Portal Settings, Custom Content Organizer File Submission, Custom Record Center Router, Custom Expiration Formula & Action, Custom Tagging using Information Management Policy & Site retention in SharePoint 2013 governed by policies.
When working with SharePoint On-Premises or on Office 365, we can't ignore our Security Management. Many things we do can lead to further problems or, even worse, security breaches.
This is a session recording of a webinar, recorded and available at http://en.share-gate.com/blog/sharepoint-security-management-lessons-learned, which includes tips and best practices concerning your SharePoint Security.
Don't be deceived by the simplified experience of managing SharePoint permissions! What appears to be harmless could tailspin to a giant mess, requiring massive cleanup. This presentation walks through real-world scenarios and pitfalls of permissions administrations, so you could learn from the mistakes of others and not end up digging yourself into a SharePoint permissions hole.
View a recording of the session here: https://www.youtube.com/watch?v=Poh4zxHTNvw
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ... (Brian Culver)
How will SharePoint 2013 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn about the Product Catalog site template and how you can use it. Learn about the new improvements in SharePoint 2013 regarding extranets. Learn how SharePoint 2013 can help your organization open its doors to its clients and partners securely.
OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each other's data. This talk presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS in the Java EE platform.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or... (Brian Campbell)
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
Mobile Authentication - Onboarding, best practices & anti-patterns (Pieter Ennes)
We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps.
This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization.
This presentation was first given in the London Mobile Security Meetup
https://www.meetup.com/London-Mobile-Developer-Security/
In this month's call, Loki Meyburg, Program Manager for Microsoft Teams, discusses single sign-on (SSO) in Microsoft Teams, including:
-What is single sign-on (SSO)
-Authentication in 2019
-Single sign-on for Teams tabs today!
-Getting started with SSO
Watch the recording here - https://youtu.be/91Sb5lz3STI
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2) (Sam Bowne)
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
DDD Melbourne 2014 security in ASP.Net Web API 2 (Pratik Khasnabis)
My presentation at DDD Melbourne 2014 Conference on Security in ASP.Net Web API 2. Includes a brief introduction to OWIN and Katana.
http://www.dddmelbourne.com/
Introduction to Microsoft Azure: IaaS, PaaS, Virtual Machines, Cloud Services, Websites, Virtual Network, Express Route, Mobile Services, Media Services, Backup.
2. Agenda
• Issues with SharePoint Development/Security In the Past
• SharePoint Apps
• Security Primer
• App Authentication in SharePoint 2013
• OAuth
• OAuth Flow in SharePoint 2013 and Security Tokens
• Managing App Principals
• Questions
3. Issues with SharePoint Security
• Farm Solutions
• Runs within the SharePoint worker process (w3wp.exe)
• Access to Server Object Model
• By default runs with current user’s permission
• Developer can use SPSecurity.RunWithElevatedPrivileges, which reverts code to the Windows identity of the host application pool
• Farm stability issues
• Installation and upgrade (iisreset)
• Upgrade farm to newer version of SharePoint
• Sandboxed Solutions
• SPUCWorkerProcess.exe
• Access to Server Object Model
• Feature activation has full access to content (runs as site administrator)
• Always runs as current user, can not use SPSecurity.RunWithElevatedPrivileges
• Deprecated in SharePoint 2013 in favor of developing apps for SharePoint
4. SharePoint Apps
• A web application that is registered with SharePoint using an app manifest
• Customize and extend SharePoint without full-trust access
• Gets its own security principal
• Interacts with SharePoint using Client Object Model/REST
• Distributed as app package (.app) to the public marketplace or corporate app catalog
• Installed at site or tenant scope
• Any programming language/technology that can communicate with SharePoint via REST and OAuth
5. Types of SharePoint Apps
• SharePoint-hosted
• App resources stored in a child site known as the app web
• App can only have client-side code
• Cloud-Hosted
• App resources deployed on a remote server known as the remote web
• App can have both client-side and server-side code
• 2 Types of Cloud-Hosted Apps
• Autohosted (Hosted in Azure)
• Provider-hosted (Deployed by provider)
6. Security Primer
• Authentication (AuthN)
• Authentication establishes an identity
• SP 2010 supports user authentication
• SP 2013 supports user and app authentication
• Authorization (AuthZ)
• Based on ACL
• Ensure current principal has the proper permissions
• SP 2010 supports permission only for users
• SP 2013 supports permission for users and apps
• Security Principal
• An entity that is understood by a security system
• An entity on which you can configure permission for resources
• Examples: User in AD, FBA User, AD Group or FBA Role, SharePoint App
7. Claims-based Identity Model
• Way for applications to acquire the identity information about internal or external users
• Abstracts individual elements of identity and access control into “Notion of claims” and “Concept of issuer or an authority”
• Applications do not need to authenticate users, store user accounts or passwords, etc.
• Original intention behind the claims-based identity model was to enable federation between organizations, but claims are not just for federation
• Claim
• Statement that one subject (user or organization) makes about itself or another subject. E.g.: name, group, ethnicity etc.
• Why call these “claims” and not “attributes”? “Delivery method” => User delivers claims to application instead of application looking these up in some directory
• Claims are NOT what a user can or cannot do, they are what a user is or is not
• Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer
• Issuer, Type, Value => (Google, Email, darwaish@gmail.com)
• Security Token
• Serialized set of claims that is digitally signed by the issuing authority (claims are unchanged and come from whoever signed the token)
• Successful outcome of sign in
• SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)
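The security token of slide 7, worked as an added example that is not from the deck: an issuer serializes a set of claims and signs it (JWT, HS256), and the relying party accepts the claims only if the signature checks out under a key it holds for an issuer it trusts. The issuer URL, audience, key and claims are constructed for illustration; a real STS would sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration for this example: the relying party trusts
# exactly one issuer and knows its signing key. An HMAC shared secret stands in
# for the asymmetric signing key a real STS would use.
TRUSTED_ISSUERS = {"https://sts.example.test": b"constructed-demo-signing-key"}
EXPECTED_AUDIENCE = "https://sharepoint.example.test"
RESERVED = ("iss", "aud", "iat", "exp")   # envelope fields, not identity claims


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(issuer, claims, key, lifetime=3600, now=None):
    """STS side: serialize the claims and sign them as the issuer (JWT, HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iss=issuer, aud=EXPECTED_AUDIENCE, iat=now, exp=now + lifetime)
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    return signing_input + "." + _b64url_encode(_sign(key, signing_input))


def verify_token(token, now=None):
    """Relying-party side: check issuer trust, signature, audience and expiry,
    then return the claims as (issuer, type, value) triples. Raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier, not the token, decides which algorithm is acceptable.
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(payload_b64))
    issuer = payload.get("iss")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        # Trust in a claim is trust in its issuer: unknown issuer, worthless claims.
        raise ValueError("untrusted issuer")
    expected = _sign(key, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if payload.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return [(issuer, ctype, value) for ctype, value in payload.items() if ctype not in RESERVED]


def rejection_reason(token, now=None):
    """None when the token verifies, otherwise the reason it was refused."""
    try:
        verify_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issuer = "https://sts.example.test"
    token = issue_token(issuer, {"email": "alice@example.test", "group": "Readers"},
                        TRUSTED_ISSUERS[issuer])
    print(verify_token(token))
    print(rejection_reason(issue_token(issuer, {"group": "Owners"}, b"wrong-key")))
```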
8. Relying Party and STS
• Relying Party (RP)
• An application that relies on claims
• Claims aware application
• Claims-based application
• Security Token Service
• Service component that builds, signs and issues security tokens
• Implicit authN (no token, no party)
• WS-Trust, WS-Fed, SAML
• IP-STS:
• authenticates a client and creates SAML token
• Façade for one or more identity stores
• RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS)
• Transforms tokens issued by another STS
• Does not authenticate the client but relies on the SAML token provided by an IP-STS that it trusts
• Façade for one boundary
• Federation Patterns
• Passive (web clients): WS-Trust emulated using GET, POST, redirects and cookies
• Active: Code to acquire tokens explicitly
9. Windows Identity Foundation (WIF)
• .NET library encapsulating the inner workings of WS-Federation and WS-Trust
• System.IdentityModel
• System.IdentityModel.Services
• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenticated, Name)
• IClaimsPrincipal = IPrincipal + Identities
• IClaimsIdentity = IIdentity + Claims
• Claims: Property bag, Subject, Issuer, OriginalIssuer, ClaimType, Value, ValueType
11. App Authentication in SharePoint 2013
• Apps are first-class security principals and are granted permissions separately from user permissions
• Granted as all or none; no hierarchy of permissions
• App authentication is only supported in CSOM and REST API endpoints
• App authentication is NOT supported in custom web service entry points
• Apps have full rights against the app web, and can request permissions for other webs
• Full Control permission can not be used for OfficeStore apps
• Project Server permissions available if PWA is installed
13. SP Permission Policies
• App + User Policy
• Both user and app require permission on the resource
• App-Only Policy
• Only app needs permissions on resource
• Allow app code to elevate above permission of current user
• Only supported for server-side code in cloud-hosted apps
• AllowAppOnlyPolicy="true" in AppManifest.xml
• Permission granted during install (all or nothing)
• User Policy
• Not used when app makes a call to SharePoint
15. Types of App Authentication in SharePoint
• 3 basic types of app authentication
• Internal authentication
• External authentication using OAuth
• Office 365
• External authentication using S2S
• On-premise
16. Internal Authentication
• Used in client-side calls from pages in the app web or a remote web that uses the cross-domain library
• Incoming calls require a SAML token holding an established user identity
• Call targets unique domain of app web associated with an app
• SharePoint maps target URL to instance of an app
• App code is not required to create and manage security tokens
17. App Web
• App by default has full permissions to read/write content to app web
• No default permissions on any location in the SharePoint host environment
• App.master provides UI to go back to host web
• Isolated in its own private domain
• https://{TenancyName}-{14 char App UID}.sharepoint.com/sites/{ParentSiteName}/{AppName}/
• http://apps-{UniqueID}.sp2013apps.local/sites/{ParentSiteName}/{AppName}/
• Why Private Domain?
• XSS: JavaScript code cannot call back to the host web
• JavaScript does not run with the same established user identity as the host web
• SharePoint environment sees JavaScript callbacks from the app web with unique URLs and can authenticate apps
• {StandardTokens}: {HostUrl}, {AppWebUrl}, {Language}
• Use Internal Authentication: App is not required to create/manage security tokens
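The private domain does two jobs at once: the browser's same-origin rule keeps app-web script away from the host web, and the unique host name tells the server which app instance a callback belongs to. The block below is an added example, not SharePoint's own code, that parses the two URL patterns from the slide and applies the same-origin rule to an app-web and host-web pair. The tenant name, app UID and paths are constructed sample values.

```python
# Added example (not from the slides): identifies an app from its unique app-web
# host name, following the two URL patterns on the slide, and shows that the app
# web and host web are different origins. Sample host names are constructed.
import re
from urllib.parse import urlsplit

# Office 365 pattern: {TenancyName}-{14 char App UID}.sharepoint.com
O365_APP_WEB = re.compile(
    r"^(?P<tenancy>[a-z0-9]+)-(?P<app_uid>[a-z0-9]{14})\.sharepoint\.com$", re.I)
# On-premises pattern: apps-{UniqueID}.{app domain}, e.g. apps-xxxx.sp2013apps.local
ONPREM_APP_WEB = re.compile(
    r"^apps-(?P<app_uid>[a-z0-9]+)\.(?P<app_domain>[a-z0-9.-]+)$", re.I)


def identify_app_web(url: str):
    """Return (app_uid, tenancy_or_app_domain) for an app-web URL, or None for a host web."""
    host = urlsplit(url).hostname or ""
    m = O365_APP_WEB.match(host)
    if m:
        return m.group("app_uid").lower(), m.group("tenancy").lower()
    m = ONPREM_APP_WEB.match(host)
    if m:
        return m.group("app_uid").lower(), m.group("app_domain").lower()
    return None


def same_origin(url_a: str, url_b: str) -> bool:
    """Browser same-origin rule: scheme, host and port must all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


if __name__ == "__main__":
    host_web = "https://contoso.sharepoint.com/sites/hr"                      # constructed
    app_web = "https://contoso-a1b2c3d4e5f6g7.sharepoint.com/sites/hr/MyApp/"  # constructed
    print("app instance:", identify_app_web(app_web))      # ('a1b2c3d4e5f6g7', 'contoso')
    print("host web:", identify_app_web(host_web))         # None
    print("same origin:", same_origin(host_web, app_web))  # False
```

Because the host web resolves to no app UID while the app web does, the server can tie a request to one installed app from the host header alone, which is what lets internal authentication work without the app creating any tokens.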
19. External Authentication
• Calls to SP from server-side code running in remote web
• Used for both OAuth and S2S
• Incoming calls require access token with app identity
• Access token can optionally carry user identity as well
• Call can target any CSOM or REST endpoint in any site
• App code is required to create and manage security tokens
21. OAuth
• Manage app permission on the web
• OAuth.net
• Internet protocol/spec for creating/mapping app identity
• A cross platform, open protocol for authenticating apps
• Internet standard used by Google, Facebook, Twitter
• Authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user
• SP2013 uses OAuth 2.0 (very different from OAuth 1.0)
• OAuth specs provides details on how to create access tokens
• Used for external auth in Office 365
• Delegated authorization codes or access tokens are issued by the OAuth STS (Windows Azure Access Control Service)
• Remote web must communicate with ACS to obtain access tokens
• Access tokens are passed to the SharePoint host in CSOM or REST API calls
• WS-Federation STS and SAML passive sign-in STS are primarily intended to issue sign-in tokens
• In SP2013, the OAuth STS is used only for issuing context tokens and is not used as an identity provider
22. OAuth Concepts
• Content Owner(s)
• SharePoint user(s) who can grant permissions to site content
• Content Server
• SharePoint web server that hosts site with the content that is to be accessed
• Client App/ClientID/AppID
• Remote web that needs permissions to access site content
• Authentication Server
• Trusted service that provides apps with access tokens allowing access to content
• Windows Azure ACS in the case of SP2013 apps
23. App Principals
• Tenancy-scoped configuration for app identity
• App principals must be registered with SharePoint and ACS
• App Principal Properties
• Client Id: GUID based identifier for app principal
• Client Secret: Key to encrypt message between app and ACS
• App Host Domain: Base URL of domain hosting remote web
• Redirect URL: URL to a page used to configure security
24. Security Tokens used in OAuth
• Context Token
• Contextual information passed to app
• JWT
• Valid for 12 hours
• Cache key: identifies a unique user (user, app, tenant)
• Refresh Token
• Used by client app to acquire an access token
• Valid for 6 months
• Access Token
• Token passed by the app to SharePoint when using external authentication
• Valid for 12 hours
28. Steps to use OAuth in O365
• Create new Cloud-hosted app project
• Register App Principal
• Registration handled automatically in autohosted apps
• Registration requires manual steps in provider hosted apps
• Registration requires extra steps for apps published to Office Store. Have to get client
id/secret from Seller Dashboard
• App principal properties
• Client ID: GUID of the app principal
• Client secret: key used to encrypt messages sent between app and ACS
• App host domain: base URL that defines the hosting domain for the remote web
• Redirect URL: URL to a page used to configure on-the-fly security
• Add code in remote web to manage tokens
• Code required to retrieve access tokens from ACS
• Explicit code required to add access token to csom and rest api calls
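The token handling that slides 24 and 28 describe (a JWT context token with a 12-hour window, a (user, app, tenant) cache key, and an access token added explicitly to each call) is modelled below. This is an added example, not the slides' code and not Microsoft's TokenHelper: the context token is treated as a standard HS256 JWT keyed with the client secret, and the claim names, the cache-key layout and every sample value are constructed assumptions rather than SharePoint's actual token format.

```python
# Added example (not from the slides or from TokenHelper): a simplified model of
# the context token as an HS256 JWT keyed with the client secret, its 12-hour
# validity window, the (user, app, tenant) cache key, and the bearer header a
# remote web adds to CSOM/REST calls. Claim names and sample values are constructed.
import base64
import hashlib
import hmac
import json

CONTEXT_TOKEN_LIFETIME = 12 * 3600  # seconds; the slide gives 12 hours


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_context_token(client_secret: str, user: str, app_id: str, tenant: str, now: int) -> str:
    """STS side of the model: build a JWT and sign it with HMAC-SHA256 over the client secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": tenant,                                     # assumed: issuing tenancy
        "aud": app_id,                                     # assumed: app principal the token is for
        "nbf": now,
        "exp": now + CONTEXT_TOKEN_LIFETIME,
        "appctx": {"CacheKey": f"{user}|{app_id}|{tenant}"},  # constructed cache-key layout
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_context_token(token: str, client_secret: str, expected_app_id: str, now: int) -> dict:
    """Remote-web side: verify signature, algorithm, audience and validity window.

    Raises ValueError on any failure so callers cannot fall through with an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != expected_app_id:
        raise ValueError("token not issued for this app")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token expired or not yet valid")
    return claims


def context_token_error(token: str, client_secret: str, expected_app_id: str, now: int):
    """Return the failure reason as a string, or None when the token verifies."""
    try:
        read_context_token(token, client_secret, expected_app_id, now)
        return None
    except ValueError as exc:
        return str(exc)


def cache_key(claims: dict) -> str:
    """Key under which the remote web caches refresh/access tokens per user, app and tenant."""
    return claims["appctx"]["CacheKey"]


def bearer_header(access_token: str) -> dict:
    """Header the remote web must add explicitly to every CSOM/REST call."""
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    secret, app_id, t0 = "constructed-client-secret", "11111111-2222-3333-4444-555555555555", 1_700_000_000
    tok = issue_context_token(secret, "alice@contoso.example", app_id, "contoso.example", t0)
    print("cache key:", cache_key(read_context_token(tok, secret, app_id, t0 + 60)))
    print("after 12h:", context_token_error(tok, secret, app_id, t0 + CONTEXT_TOKEN_LIFETIME))
    print(bearer_header("<access token from ACS>"))
```

The order of checks matters: the signature is verified with the app's own secret before any claim is trusted, the audience check stops a token minted for another app principal from being accepted, and the time window enforces the 12-hour lifetime, after which the remote web must fall back to the cached refresh token rather than reuse the context token.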
30. Managing App Principals in O365
• /_layouts/15/…
• AppRegNew.aspx
• AppInv.aspx
• AppPrincipals.aspx
• PowerShell for SharePoint Online to administer SharePoint apps and app principals