Who Are You and What Do You Want? Working with OAuth in SharePoint 2013
Eric Shupps, SharePoint MVP
Welcome to SharePoint Saturday Houston
• Please turn off all electronic devices or set them to vibrate
• If you must take a phone call, please do so in the hall so as not to disturb others
• Special thanks to our Title Sponsor, ProSymmetry
Thank you for being a part of the 5th Annual SharePoint Saturday for the greater Houston area!
Thanks to all our Sponsors!
Information
• Speaker presentation slides should be available from the SPSHOU website within a week or so
• The Houston SharePoint User Group will be having its next meeting Wednesday April 15th. Please join us at www.h-spug.org
About Me
Eric Shupps
CKS:DEV, The SharePoint Cowboy, Patterns & Practices
www.sharepointcowboy.com
[email protected]
/sharepointcowboy
@eshupps
Agenda
• Introduction
• Fundamentals
• Application
• Implementation
INTRODUCTION
What is OAuth?
• Open standard for app integration and authorization
• Authentication independent
• “Valet Key”
  – Access
  – Permissions
What OAuth is NOT
• Authentication
Why do we need it?
• Simplify credential management
• Minimize vulnerabilities
• Increase user control over application activities
• Define explicit trust relationships
• Expand interoperability
• Decrease API complexity
Security
• Designed for non-secure communications over HTTP
  – HTTPS also supported (and preferred by many)
• Digital signatures, identifiers, tokens and secrets
• Risks
  – Man in the Middle
  – Private keys
  – Session fixation
  – Covert redirect
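The "covert redirect" risk on the slide comes down to how the provider checks the redirect_uri an app presents. The following Python is an added example, not code from the deck or from SharePoint, and it uses a constructed app registration (app-1234, app.example.com) to put a prefix-based check beside the exact-match check that closes the gap.

```python
from urllib.parse import urlsplit

# Constructed sample registration: one hypothetical client and the single
# callback it registered. A real provider keeps this in its app store.
REGISTERED_REDIRECTS = {
    "app-1234": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Prefix-based check: accepts any URL on the registered origin.
    Any endpoint on that host that forwards its visitors elsewhere then
    carries the grant along with it, which is the covert redirect risk."""
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        parts = urlsplit(registered)
        origin = f"{parts.scheme}://{parts.netloc}/"
        if redirect_uri.startswith(origin):
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: the presented redirect_uri must equal a registered
    value byte for byte, use https, and carry no fragment. Extra query
    parameters or a different path on the same host are rejected."""
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, ()):
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.fragment == ""


def compare(client_id: str, redirect_uri: str):
    """Return (weak_result, strict_result) so the two policies can be compared."""
    return (weak_redirect_check(client_id, redirect_uri),
            strict_redirect_check(client_id, redirect_uri))


if __name__ == "__main__":
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com/redirect?to=https://other.example/",
                "https://app.example.com/oauth/callback?extra=1"):
        print(uri, compare("app-1234", uri))
```

Only the registered callback passes both checks; the other two URLs sit on the registered host and are accepted by the prefix check but refused by the exact-match one.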
Fundamentals
Roles
• Resource Owner: Grants access to a protected resource
• Resource Server: Hosts the protected resource and accepts access requests
• Client: Application making protected resource requests on behalf of the resource owner
• Authorization Server: Issues access tokens
Flow (Client, Resource Owner, Authorization Server, Resource Server)
1. Client → Resource Owner: Authorization Request
2. Resource Owner → Client: Authorization Grant
3. Client → Authorization Server: Authorization Grant
4. Authorization Server → Client: Access Token
5. Client → Resource Server: Access Token
6. Resource Server → Client: Protected Resource
Three Legged Authorization (User, App, Provider)
1. User requests access
2. App requests Request Token
3. Provider returns Request Token
4. App builds auth link w/ Request Token
5. User requests URL + Request Token
6. Provider returns access token
7. User requests URL + Access Token
8. App validates access token
9. Access token validated
10. User granted access
Two Legged Authorization (User, App, Provider)
1. User requests access
2. App requests Access Token
3. Provider returns Access Token
4. App builds auth link w/ Access Token
5. User requests URL + Access Token
6. App validates access token
7. Access token validated
8. User granted access
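The two sequence diagrams above differ in one step: whether a user approves a request token before the app receives an access token. The Python below is an added example, not code from the deck or any SharePoint library; it is a constructed in-memory provider (no real OAuth signing, opaque random tokens, a hypothetical provider.example authorization URL) that runs both flows so the difference, and the single-use nature of the request token, can be checked.

```python
import secrets
import time


class Provider:
    """Constructed stand-in for the provider: issues request tokens, swaps approved
    ones for access tokens, and answers the app's validation requests."""

    def __init__(self, app_id: str, app_secret: str):
        self.app_id = app_id
        self.app_secret = app_secret
        self.request_tokens = {}  # request token -> {"approved": bool, "user": str|None}
        self.access_tokens = {}   # access token -> {"subject": str, "exp": float}

    def _app_ok(self, app_id, app_secret):
        return app_id == self.app_id and secrets.compare_digest(app_secret, self.app_secret)

    def issue_request_token(self, app_id, app_secret):
        """Three-legged steps 2-3: a temporary token bound to the requesting app."""
        if not self._app_ok(app_id, app_secret):
            return None
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"approved": False, "user": None}
        return token

    def approve(self, request_token, user):
        """Three-legged step 5: the user follows the auth link and consents."""
        entry = self.request_tokens.get(request_token)
        if entry is None:
            return False
        entry["approved"] = True
        entry["user"] = user
        return True

    def exchange_request_token(self, app_id, app_secret, request_token, ttl=3600):
        """Three-legged step 6: an approved request token is swapped, once, for an access token."""
        if not self._app_ok(app_id, app_secret):
            return None
        entry = self.request_tokens.get(request_token)
        if entry is None or not entry["approved"]:
            return None
        del self.request_tokens[request_token]  # single use: a replay finds nothing
        return self._issue_access_token(entry["user"], ttl)

    def issue_app_access_token(self, app_id, app_secret, ttl=3600):
        """Two-legged steps 2-3: no user consent; the token stands for the app itself."""
        if not self._app_ok(app_id, app_secret):
            return None
        return self._issue_access_token(f"app:{app_id}", ttl)

    def _issue_access_token(self, subject, ttl):
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = {"subject": subject, "exp": time.time() + ttl}
        return token

    def validate_access_token(self, access_token, now=None):
        """Validation step of both flows: returns the subject, or None if unknown/expired."""
        entry = self.access_tokens.get(access_token)
        now = time.time() if now is None else now
        if entry is None or now >= entry["exp"]:
            return None
        return entry["subject"]


def three_legged(provider, app_id, app_secret, user):
    """Run the three-legged flow end to end; returns the validated subject or None."""
    request_token = provider.issue_request_token(app_id, app_secret)
    if request_token is None:
        return None
    # Step 4: the app builds the auth link (hypothetical URL) and sends the user there.
    auth_link = f"https://provider.example/authorize?request_token={request_token}"
    provider.approve(request_token, user)  # step 5 happens in the user's browser
    access_token = provider.exchange_request_token(app_id, app_secret, request_token)
    return provider.validate_access_token(access_token)


def two_legged(provider, app_id, app_secret):
    """Run the two-legged flow; the subject is the app, not a user."""
    return provider.validate_access_token(provider.issue_app_access_token(app_id, app_secret))


def replay_is_rejected(provider, app_id, app_secret, user):
    """A request token cannot be exchanged before approval, nor twice after it."""
    rt = provider.issue_request_token(app_id, app_secret)
    before = provider.exchange_request_token(app_id, app_secret, rt)
    provider.approve(rt, user)
    first = provider.exchange_request_token(app_id, app_secret, rt)
    second = provider.exchange_request_token(app_id, app_secret, rt)
    return before is None and first is not None and second is None
```

Subjects are returned as plain strings ("alice@example" for the user, "app:app-1" for the app) so the caller can see which identity an access token actually represents.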
Implementation
Overview
• Provides integration without multiple logins
• Enables server to server operations on behalf of users
• Establishes trust relationships between diverse components
• Supports App Model
Concepts
• Identity Provider: Manages identity information for principals (STS)
• Security Token Service: Handles requests for trusted identity claims
• Identity Token Issuer: Identity provider associated with a web application
• Security Token Issuer: Trusted resource (farm, server, etc.)
• Metadata Endpoint: Resource information and signing certificate (JSON)
• Request Token: Used to request permission to protected resource
• Access Token: Used by App to access resource on behalf of user
• Realm: Operation scope for authorization
• Azure ACS: Cloud-based security token service (IP-STS)
Scenarios
• Farm to Farm
• Server to Server
• Apps (.NET, HTML, PHP)
Platforms
• On Premise
  – High Trust (S2S): Farm to Farm, Server to Server
  – Apps: High Trust; Low Trust (ACS)
• Online
  – Apps: Low Trust (ACS)
Configuration - Certificates
Consumer:
1. Export Root & STS Certificates
2. Copy Certificates
3. Import root certificate(s) and create trusted root authority
Provider:
1. Export Root Certificate
2. Copy Certificates
3. Import STS Certificate
4. Create Trusted Service Token Issuer
5. Import root certificate(s) and create trusted root authority
Configuration - Metadata
Consumer:
1. Create Trusted Root Authority
2. Set Authentication Realm
3. Create Trusted Security Token Issuer
4. Create App Principals
Provider:
1. Create Trusted Root Authority
2. Create Trusted Security Token Issuer
Application
SharePoint Authorization Process
Context
On Premise:
1. User browses to App
2. SP returns parameters
3. Browser POSTs parameters to App
4. App requests access token from SP
5. SP validates S2S trust
6. App establishes context
Online:
1. User browses to app
2. SP gets request token from ACS
3. SP sends request tokens to browser
4. Browser POSTs request token to app
5. App requests access token from ACS
6. ACS provides access token
7. App establishes context
Token Management
On Premise:
1. Get request parameters
2. Get claims from Windows identity
3. Get access token with S2S
4. Establish client context
Online:
1. Get POST parameters from SP
2. Parse out Context Token
3. Read and validate context token
4. Get access token
5. Get client context from SP with access token
On-Premise ACS Trust via O365
DEMO: SharePoint App Authorization Process
Request Token
{
  "aud": "c7f21d1e-95df-41df-a2e0-a2e29ad2f62b/localhost:44305@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1398292956,
  "exp": 1398336156,
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "appctx": "{\"CacheKey\":\"082e7cPwbER/1hDi2XQ9knd0+yBxexLQr4NGa2/OeQ8=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
  "refreshtoken": "IAAAAL-NR6oQnFU49avbpq7mAhglyGqBvmT3YF8_DGO88fIAIXioxAllnYe0XHr-rb_RDk8X8iqc4gmcyBjpV8E-uVgRG9d6j-IvQQ8qtk2acNXaJ3JpuFKNRhAJoOGOep1i3XGi5jX3Z1u5MzyjmHv2VBGJFEhYtc99TGlZTDIFTqlJmDcxcMAjLZWnY5sMBr-B5IRvl5Cw6l2hvqolj3R2hJ9mPDpVQ4l0l-v28wK6OLi57wPpKAUWlbcRCxmC6oGggdkkF2OEoxujZvZSCCG05YQaS2Z1w_Gphgu5kcYfwVU27bAYfsq3TcA8W0sIt_lUxvD3Lg3mGLr_X5JoTw-t28g",
  "isbrowserhostedapp": "true"
}
Slide annotations:
• aud: Client ID / App URL @ Tenant ID
• iss: Azure ACS @ Tenant ID
• nbf / exp: Start / End
• appctxsender: SharePoint @ Tenant ID
• appctx CacheKey: User ID + Issuer + App + Realm
• appctx SecurityTokenServiceUri: IP-STS URL
• refreshtoken: Token sent to IP-STS (Azure ACS)
• isbrowserhostedapp: Browser or Event Receiver
Access Token
Header:
{ "typ": "JWT", "alg": "RS256", "x5t": "kriMPdmBvx68skT8-mPAB3BseeA" }
Payload:
{
  "aud": "00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1400013357,
  "exp": 1400056557,
  "nameid": "1003000086ad02d6",
  "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "identityprovider": "urn:federation:microsoftonline"
}
Slide annotations:
• aud: SharePoint / Host Web @ Tenant ID
• iss: Azure ACS @ Tenant ID
• nbf: Start
• exp: End
• nameid: UPN
• actor: ... @ Tenant ID
• identityprovider: STS ID
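The access token above is a compact JWT: base64url header, base64url payload, signature. The Python below is an added example, not code from the deck or from SharePoint's TokenHelper; it decodes a token and applies the checks the slide annotations imply (aud = SharePoint principal / host web @ realm, iss = ACS principal @ realm, nbf/exp window, actor in the same realm) before trusting any claim. The realm, host web and principal GUIDs are the values shown on the slide; the signing key and the HS256 algorithm are constructed stand-ins, because the slide's real token is RS256 and verifying it needs the ACS signing certificate published at the metadata endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Well-known principal ids, taken from the slide's aud and iss claims
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_token(token: str):
    """Split and decode a compact JWT without trusting any of it yet."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 signer used only to build sample tokens for this demo."""
    header = {"typ": "JWT", "alg": "HS256"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_access_token(token: str, key: bytes, host_web: str, realm: str, now=None):
    """Return (True, claims) or (False, reason). Signature first, then audience,
    issuer, actor realm and validity window, mirroring the slide's annotations."""
    try:
        header, claims, sig_b64 = decode_token(token)
    except ValueError:
        return False, "malformed token"
    # Pin the expected algorithm; never let the header choose it ("none", alg swaps)
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), sig_b64):
        return False, "bad signature"
    if claims.get("aud") != f"{SHAREPOINT_PRINCIPAL}/{host_web}@{realm}":
        return False, "aud mismatch"
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{realm}":
        return False, "iss mismatch"
    if not str(claims.get("actor", "")).endswith("@" + realm):
        return False, "actor outside realm"
    now = time.time() if now is None else now
    if not (claims.get("nbf", now + 1) <= now < claims.get("exp", 0)):
        return False, "outside validity window"
    return True, claims


# Constructed sample: realm, host web and claim values follow the slide; the key is made up.
DEMO_KEY = b"demo-shared-secret-not-a-real-key"
DEMO_REALM = "2ae1caa2-a173-4989-b8f5-9da45655b8f4"
DEMO_HOST = "binarywaveinc.sharepoint.com"
DEMO_CLAIMS = {
    "aud": f"{SHAREPOINT_PRINCIPAL}/{DEMO_HOST}@{DEMO_REALM}",
    "iss": f"{ACS_PRINCIPAL}@{DEMO_REALM}",
    "nbf": 1400013357,
    "exp": 1400056557,
    "nameid": "1003000086ad02d6",
    "actor": f"c90047b7-392a-42e7-8c52-65afa92e5d0d@{DEMO_REALM}",
    "identityprovider": "urn:federation:microsoftonline",
}
DEMO_TOKEN = make_token(DEMO_CLAIMS, DEMO_KEY)

if __name__ == "__main__":
    print(decode_token(DEMO_TOKEN)[1])
    print(validate_access_token(DEMO_TOKEN, DEMO_KEY, DEMO_HOST, DEMO_REALM, now=1400020000))
```

Passing `now` explicitly lets the same token be checked inside and outside its nbf/exp window; the reason strings make it clear which check refused a token, which is what you want in an app's logs when a context token is rejected.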
DEMO: Decoding Authorization Tokens
Resources
• OAuth Working Group: http://oauth.net/
• OAuth Resource Guide: http://bit.ly/14CWPNb
• Authorization and authentication for apps in SharePoint 2013: http://bit.ly/16f8WFh
• Setting up an OAuth trust between farms in SharePoint 2013: http://bit.ly/12Yr7e3
• Plan for server-to-server authentication in SharePoint 2013: http://bit.ly/1chAgFl
• What’s new in authentication for SharePoint 2013: http://bit.ly/1e6KaYv
• Creating High-Trust apps with S2S: http://bit.ly/18RL8uL
• Using O365 to Authorize On-Premise Apps: http://bit.ly/1fvv1Bo
• Demos: http://bit.ly/1z6gohH
• Slides: http://bit.ly/1FygEIz
Please Leave Feedback During Q&A