Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API

Radi Atanassov, SharePoint MCM & MVP, OneBit Software Ltd.

Upload: sharepointradi

Post on 05-Dec-2014

Category: Technology

TRANSCRIPT

Page 1: Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API

Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API

Radi Atanassov, SharePoint MCM & MVP, OneBit Software Ltd.

Page 2

Who’s this guy?

• Radi Atanassov

• SharePoint 2010 MCM

• SharePoint Server MVP

• OneBit Software Ltd.

• Web Platform User Group

• @RadiAtanassov

Page 3

This talk is about…

• How “apps” work

• The App infrastructure

• App authentication

• Connectivity

Page 4

SharePoint’s extensibility history

• 2001…

• 2003… CAML?!?

• 2007 – The SharePoint OM & UI enhanced…

– Greater complexity & greater flaws

– But still a strong “platform” we all love

• 2010 – Service Applications, Ribbon, Sandbox

• 2013 – Apps & the marketplace, On-Premise Apps

Page 5

Why is the App Model important to us?

• Cost to the business

– We don’t want SP projects to be expensive

– We want more value for the same budget

• SharePoint cannot be “fixed”

– Cannot replace the DB schema

– Cannot rewrite the OM

• Microsoft’s preferred approach moving forward

– We’ve been doing it for years

• Office now releases every 3 months

Page 6

What is an “App” anyway?

• The new word for iFrame

• Another way of providing functionality, but keeping custom code outside of SharePoint

• Functionality you can buy from a marketplace

• A huge marketing stunt to drive adoption

• The infrastructure, plumbing, authentication model & framework to do things we did for a while

Page 7

Why is authentication important to us?

• So we don’t look like we don’t know what we are doing!

• We are moving to the CLOUD…

• We need to integrate with Exchange 2013, Lync 2013 and custom Apps

• We need to understand & design hybrid deployments

• You can’t have “Apps” without authentication

• It matters when you do on-premises or hybrid Apps

Page 8

APPTECTURE - SharePoint Apps

Page 9

Recap - App Hosting Models

SharePoint-hosted app (SharePoint App Web on the SharePoint Host Web)

- Provisions an isolated sub web on a host web
- Use SP artifacts & out-of-box web parts
- Use HTML & JavaScript for UI & client-side logic
- Use Workflows for middle tier logic

Cloud-hosted apps:

Provider-hosted app (Your Hosted Site + SharePoint Host Web)

- Provide your own hosting environment
- Use server code
- Receive SP events
- Use OAuth to access SP

Autohosted app (Azure + SharePoint Host Web)

- Windows Azure + SQL Azure provisioned automatically as apps are installed

Page 10

Recap - App Shapes

Full page: implement complete app experiences to satisfy business scenarios

App Parts: create app parts that can interact with the SharePoint experience

UI command extensions: add new commands to the ribbon and item menus

Page 11

Recap - App Package

.app Package (OPC), containing:

- WSP
- Azure

App Web (from WSP)

HostWeb

Slide courtesy of Mike Morton

Page 12

App Manifest

<?xml version="1.0" encoding="utf-8" ?>
<!--Created:cb85b80c-f585-40ff-8bfc-12ff4d0e34a9-->
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SharePointApp1" ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>SharePointApp1</Title>
    <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
    <SupportedLocales>
      <SupportedLocale CultureName="en" />
      <SupportedLocale CultureName="en-AU" />
      <SupportedLocale CultureName="bg" />
    </SupportedLocales>
  </Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="*" />
  </AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  </AppPermissionRequests>
  <AppPrerequisites>
    <AppPrerequisite Type="Capability" ID="A83C8D70-71DE-4260-9FB8-677418EB47F2" />
  </AppPrerequisites>
</App>
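The manifest is the one artifact a buyer or farm administrator gets to inspect before an app is trusted, so it is worth reading mechanically: the hosting model (a RemoteWebApplication principal means the code runs on the vendor's servers), the permission requests and their scope, and whether app-only calls are allowed. The following is an added example, not code from the talk, from Microsoft or from OneBit Software; it uses only the standard library. The sample manifest is constructed from the one above, the "over-privileged" variant is invented for contrast, and the findings it raises are this example's own review conventions, not rules SharePoint enforces at install time.

```python
"""Static review of an app's AppManifest.xml before you install or buy it.

Added example: not code from the talk, from Microsoft or from OneBit Software.
The sample manifest is constructed from the one on the slide; the findings
this reviewer raises are this example's own conventions, not rules that
SharePoint itself enforces at install time.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
RIGHT_RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}

# Constructed sample, trimmed from the slide's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SharePointApp1" ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>SharePointApp1</Title>
    <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="*" />
  </AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  </AppPermissionRequests>
</App>
"""

# Constructed variant of the same manifest asking for far more than it needs.
OVERPRIVILEGED_MANIFEST = SAMPLE_MANIFEST.replace(
    "<AppPermissionRequests>", '<AppPermissionRequests AllowAppOnlyPolicy="true">'
).replace(
    'Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"',
    'Scope="http://sharepoint/content/tenant" Right="FullControl"',
)


def review_manifest(xml_text):
    """Return hosting model, requested permissions and review findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}App" % NS["m"]:
        raise ValueError("not a SharePoint 2013 app manifest")
    report = {"name": root.get("Name"), "hosting": "sharepoint-hosted",
              "client_id": None, "permissions": [], "app_only": False,
              "findings": []}
    remote = root.find("m:AppPrincipal/m:RemoteWebApplication", NS)
    if remote is not None:
        report["hosting"] = "provider-hosted"
        report["client_id"] = remote.get("ClientId")
        report["findings"].append(
            "provider-hosted: the remote code is deployed and upgraded by the vendor")
        if report["client_id"] == "*":
            report["findings"].append(
                "ClientId is the '*' placeholder; a registered client ID is needed")
    start = root.findtext("m:Properties/m:StartPage", default="", namespaces=NS)
    if start.lower().startswith("http://"):
        report["findings"].append("StartPage is plain http: the context token is posted in the clear")
    reqs = root.find("m:AppPermissionRequests", NS)
    if reqs is not None:
        report["app_only"] = reqs.get("AllowAppOnlyPolicy", "false").lower() == "true"
        if report["app_only"]:
            report["findings"].append("AllowAppOnlyPolicy: app may act with no user in the call")
        for req in reqs.findall("m:AppPermissionRequest", NS):
            scope, right = req.get("Scope", ""), req.get("Right", "")
            level = scope.rstrip("/").rsplit("/", 1)[-1]   # tenant / sitecollection / web / list
            report["permissions"].append((scope, right))
            if right == "FullControl":
                report["findings"].append("FullControl requested at %s" % scope)
            elif level == "tenant" and RIGHT_RANK.get(right, 0) >= RIGHT_RANK["Write"]:
                report["findings"].append("tenant-wide %s requested at %s" % (right, scope))
    report["max_right"] = max((r for _, r in report["permissions"]),
                              key=lambda r: RIGHT_RANK.get(r, 0), default=None)
    return report


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("over-privileged", OVERPRIVILEGED_MANIFEST)):
        rep = review_manifest(text)
        print(label, rep["hosting"], rep["max_right"], rep["findings"])
```

Run it against the .app package's AppManifest.xml (the package is an OPC zip, so the manifest is a plain file inside it) and treat every finding as a question for the vendor rather than an automatic reject; the point is to make the trust decision on the slide's later question, "do you trust your vendor?", with the requested rights in front of you.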

Page 13

The App Domain - *.contosoapps.com

• You should use a unique domain name, not a subdomain of the SharePoint domain

• Only one app domain per farm!

• A separate origin keeps app script out of the parent SharePoint page: prevents XSS attacks and script injection into the parent

• Prevents cookie information leaking: a cookie scoped to the SharePoint domain would be sent to every subdomain, so an app domain underneath it would receive SharePoint cookies

• Separates Apps from SharePoint sites, aka “app isolation”

• The reason why AAMs don’t work with Apps

• Use SSL, even on dev environments!

• Should use wildcard certificates on a dedicated web application

• The app domain should be in the Internet or Restricted sites security zone in Internet Explorer, not the Local intranet zone, so IE does not extend intranet-zone trust (such as automatic Windows logon) to app pages

• Wildcard DNS should point to the load balancer
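The cookie-leak point above comes straight from how browsers scope cookies, and it is easy to demonstrate. The following is an added example, not code from the talk: it implements the RFC 6265 section 5.1.3 domain-matching rule a browser applies before attaching a cookie to a request, then runs the two app-domain choices from the slide (a subdomain of the company domain versus a dedicated domain) against a SharePoint sign-in cookie. All host names and cookie attributes are constructed; whether a given farm's FedAuth cookie is host-only or scoped to a parent domain depends on its configuration.

```python
"""Cookie scoping and the app domain (RFC 6265 domain-match).

Added example, not code from the talk. It implements the rule browsers use to
decide which hosts receive a cookie, then applies it to a SharePoint sign-in
cookie under the two app-domain choices on the slide. All host names and
cookie attributes are constructed.
"""
import ipaddress


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: does request_host domain-match cookie_domain?"""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    if not request_host.endswith("." + cookie_domain):
        return False                      # must be a dot-separated suffix
    try:
        ipaddress.ip_address(request_host)
        return False                      # an IP literal never matches a suffix
    except ValueError:
        return True


def cookie_is_sent(request_host, cookie):
    """cookie = {"host": setter, "domain": Domain attribute or None (host-only)}"""
    if cookie["domain"] is None:
        return request_host.lower() == cookie["host"].lower()
    return domain_matches(request_host, cookie["domain"])


# Constructed scenario: SharePoint at portal.contoso.com, sign-in cookie scoped
# to the whole company domain (as done when several SharePoint hosts share it).
FEDAUTH = {"name": "FedAuth", "host": "portal.contoso.com", "domain": "contoso.com"}

APP_HOSTS = {
    "subdomain": "app-73ff422090f6f4.apps.contoso.com",   # app domain under contoso.com
    "dedicated": "app-73ff422090f6f4.contosoapps.com",    # separate domain, as the slide advises
}


def leak_report(cookie=FEDAUTH, hosts=APP_HOSTS):
    """Which app-domain choices would receive the SharePoint cookie."""
    return {label: cookie_is_sent(host, cookie) for label, host in hosts.items()}


if __name__ == "__main__":
    print(leak_report())   # {'subdomain': True, 'dedicated': False}
```

The same suffix logic is why "notcontoso.com" does not match a cookie for "contoso.com": the match has to fall on a label boundary. The script-isolation point on the slide is a separate mechanism (the same-origin policy compares scheme, host and port exactly), but it lands on the same conclusion: a dedicated registrable domain for apps gives isolation on both axes.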

Page 14

The App URL - *.contosoapps.com

• https://{appPrefix}-{UID}.{appdomain}/{appName}

• In MT (multi-tenant) scenarios each tenant has their own {appPrefix}

• {UID} comes from the subscription service

• {appName} - the App name

• Example: https://app-73ff422090f6f4.mcmapps.com/SharePointApp2

Page 15

DEMO: Review App Setup

Page 16

AUTHENTICATION WITH OFFICE 365 - SharePoint Apps

Page 17

SharePoint OAuth & Office 365

Page 18

DEMO: OAuth in Action – Office 365

Page 19

OAuth-authenticated request – Context Token

SharePoint sends the browser to the app's start page with an auto-submitted form; the context token arrives in the SPAppToken field of the POST body, alongside the host site information:

<form id="frmRedirect" action="https://localhost:44301/Pages/Default.aspx?SPHostUrl=...;SPLanguage=en....." method="post">
  <input type="hidden" name="SPAppToken" value="eyJ0eXAiOiJKV…CnQ" />
  <input type="hidden" name="SPSiteUrl" value="https://onebitdev5.sharepoint.com" />
  <input type="hidden" name="SPSiteTitle" value="OneBit Software Ltd. Team Site" />
  <input type="hidden" name="SPSiteLogoUrl" value="" />
  <input type="hidden" name="SPSiteLanguage" value="en-US" />
  <input type="hidden" name="SPSiteCulture" value="en-US" />
  <input type="hidden" name="SPRedirectMessage" value="EndpointAuthorityMatches" />
  <input type="hidden" name="SPErrorCorrelationId" value="" />
  <input type="hidden" name="SPErrorInfo" value="" />
</form>

Page 20

Decoded JWT token (the SPAppToken context token)

Header:

{
  "typ":"JWT",
  "alg":"HS256"
}

Payload:

{
  "aud":"ded48005-1c15-416e-a84b-9b1b0fb5a50e/localhost:44301@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
  "iss":"00000001-0000-0000-c000-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
  "nbf":"1360231739",
  "exp":"1360274939",
  "appctxsender":"00000003-0000-0ff1-ce00-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
  "appctx":"{\"CacheKey\":\"jE7itw4EgtsIxnejiJ20ldz4VUVQagnkh5A+tShdjTU=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
  "refreshtoken":"IAAAALi3Arn…",
  "isbrowserhostedapp":"true"
}

Issuer: the "iss" claim, the ACS principal (00000001-0000-0000-c000-000000000000) in the tenant's realm

Audience: the "aud" claim, the app's client ID and host authority (localhost:44301) in the same realm; a context token whose audience names another app or host must be rejected

The token is HS256-signed: the app validates it with its own client secret, and "appctxsender" identifies the SharePoint principal (00000003-0000-0ff1-ce00-000000000000) that sent the context.

Page 21

Access Token in the POST to SharePoint

Once the context token has been exchanged for an access token, the app calls SharePoint (here a CSOM ProcessQuery request) with that access token as a bearer token:

POST https://onebitdev5.sharepoint.com/_vti_bin/client.svc/ProcessQuery HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLC…iKlpA
Content-Type: text/xml
Host: onebitdev5.sharepoint.com
Content-Length: 615
Expect: 100-continue
Accept-Encoding: gzip, deflate

<Request AddExpandoFieldTypeSuffix="true" SchemaV….

Access Token inside the Authorization header

Page 22

OAuth 2.0 Request (refresh_token grant, form-encoded body POSTed to ACS)

grant_type=refresh_token
client_id=ded48005-1c15-416e-a84b-9b1b0fb5a50e%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
client_secret=9hU432522%2fupFTP7ogz6pw7IgsbY8JpW1JFjgHCcegs%3d
refresh_token=IAAAALi3…ifDZwbNk
resource=00000003-0000-0ff1-ce00-000000000000%2fonebitdev5.sharepoint.com%408822364f-0b55-48a9-88f8-1b1fcc2e5e89

Page 23

OAuth 2.0 Response

{
  "token_type":"Bearer",
  "access_token":"eyJ0eXAiOiJKV1Q…phfQ",
  "expires_in":"43199",
  "not_before":"1360233350",
  "expires_on":"1360276550",
  "resource":"00000003-0000-0ff1-ce00-000000000000/onebitdev5.sharepoint.com@8822364f-0b55-48a9-88f8-1b1fcc2e5e89"
}

(expires_in is in seconds: 43199 s, roughly 12 hours)
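Slides 19 through 23 are one flow: the app receives a context token, proves it is genuine and meant for this app, pulls the refresh token and STS address out of it, and trades the refresh token for an access token that it may cache until shortly before expires_on. The following is an added example covering that whole flow, not code from the talk, from Microsoft's TokenHelper or from OneBit Software; it uses only the standard library. The client ID, realm, host authority and timestamps are the values on the slides; the client secret, refresh token and cache key are constructed, and mint_context_token() stands in for SharePoint/ACS so the example runs offline. One detail worth knowing: the client secret ACS hands out is itself a base64 string, and the HMAC key is its decoded bytes, which is how TokenHelper treats it as well.

```python
"""Low-trust (ACS) app authentication end to end: verify the context token
posted to the app, build the refresh_token grant, and decide how long the
resulting access token can be cached.

Added example: not code from the talk, from Microsoft's TokenHelper or from
OneBit Software; standard library only. Client secret, refresh token and cache
key are constructed; client ID, realm, host authority and timestamps are the
slide's values. mint_context_token() stands in for SharePoint/ACS.
"""
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"

CLIENT_ID = "ded48005-1c15-416e-a84b-9b1b0fb5a50e"
REALM = "8822364f-0b55-48a9-88f8-1b1fcc2e5e89"
HOST_AUTHORITY = "localhost:44301"                       # the app's own host, from "aud"
CLIENT_SECRET = base64.b64encode(b"constructed-32-byte-client-secret!!").decode()
NOW = 1360231739                                         # the slide's "nbf"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_context_token(token, client_secret, client_id, host_authority, realm, now=None):
    """Validate SPAppToken. It is HS256-signed with the app's client secret, so a
    good MAC proves the poster held that secret; aud/iss/nbf/exp bind it to this
    app, this realm and this time window. The MAC is checked before any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = base64.b64decode(client_secret)                # the secret is itself base64
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != "%s/%s@%s" % (client_id, host_authority, realm):
        raise ValueError("token not issued to this app: %s" % claims.get("aud"))
    if claims.get("iss") != "%s@%s" % (ACS_PRINCIPAL, realm):
        raise ValueError("unexpected issuer %s" % claims.get("iss"))
    if not int(claims["nbf"]) <= now < int(claims["exp"]):
        raise ValueError("token outside its validity window")
    if not claims.get("appctxsender", "").startswith(SHAREPOINT_PRINCIPAL + "@"):
        raise ValueError("context not sent by SharePoint")
    appctx = json.loads(claims["appctx"])                # nested JSON string, as on the slide
    return {"refreshtoken": claims["refreshtoken"], "cache_key": appctx["CacheKey"],
            "sts_uri": appctx["SecurityTokenServiceUri"], "claims": claims}


def build_refresh_grant(ctx, client_id, client_secret, realm, site_authority):
    """Form body POSTed to ctx["sts_uri"]. The resource names the SharePoint
    principal at the site's host, so the access token is good for that site only."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": "%s@%s" % (client_id, realm),
        "client_secret": client_secret,
        "refresh_token": ctx["refreshtoken"],
        "resource": "%s/%s@%s" % (SHAREPOINT_PRINCIPAL, site_authority, realm),
    })


def access_token_usable(token_response, now, skew=300):
    """Reuse a cached access token until skew seconds before expires_on."""
    return now + skew < int(token_response["expires_on"])


def mint_context_token(client_secret, client_id, host_authority, realm, refresh_token, now):
    """Stand-in for SharePoint/ACS (constructed): issues a token shaped like the slide's."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {
        "aud": "%s/%s@%s" % (client_id, host_authority, realm),
        "iss": "%s@%s" % (ACS_PRINCIPAL, realm),
        "nbf": str(now), "exp": str(now + 43200),
        "appctxsender": "%s@%s" % (SHAREPOINT_PRINCIPAL, realm),
        "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                              "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"}),
        "refreshtoken": refresh_token,
        "isbrowserhostedapp": "true",
    }
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(base64.b64decode(client_secret), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    tok = mint_context_token(CLIENT_SECRET, CLIENT_ID, HOST_AUTHORITY, REALM, "IAAAALi3-constructed", NOW)
    ctx = verify_context_token(tok, CLIENT_SECRET, CLIENT_ID, HOST_AUTHORITY, REALM, now=NOW + 60)
    print(build_refresh_grant(ctx, CLIENT_ID, CLIENT_SECRET, REALM, "onebitdev5.sharepoint.com"))
```

Two practical notes. The refresh token and CacheKey should be stored per user keyed on CacheKey, never in a cookie or in the page, because anyone holding the refresh token plus the client secret can mint access tokens for that user's site until it expires. And the audience check is not optional: the same client secret signs context tokens for every site that installs the app, so it is the "aud" host authority that stops a token captured for one app host being replayed against another.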

Page 24

OAUTH IN ACTION – ON-PREMISES - SharePoint Apps

Page 25

Server-to-Server Trust

• Trusted connection between app and SharePoint

– Eliminates need for ACS when running apps in on-premises farm

– Trust between servers configured using SSL certificates

– App code requires access to private key of SSL certificate

– Requires creating Security Token Service on SharePoint server(s)

[Diagram: S2S STS; SSL cert public/private key pair (.pfx); numbered steps 1 to 4]

Page 26

Developing High-Trust Apps

http://msdn.microsoft.com/en-us/library/fp179901.aspx

Page 27

Terminology

• High-Trust

• Low-Trust

• Full-Trust

• Partial-Trust

• Server-2-Server Trust (S2S)…. Different from STS

• Sandbox Solutions

• User Code Solutions

Page 28

DEMO: Configuring Server-2-Server Trust for App Dev

Page 29

App security concerns

• A new attack vector, old attack principles

• A provider hosted app can be “upgraded” by the provider. Do you trust your vendor?

• Script injection and in-flight modification

• SSL is important!

• Many more…

Page 30

References

• Explore the app manifest and the package of an app for SharePoint http://msdn.microsoft.com/en-us/library/fp179918.aspx

• URL strings and tokens in apps for SharePoint http://msdn.microsoft.com/en-us/library/jj163816.aspx

• OAuth authentication and authorization flow for cloud-hosted apps in SharePoint 2013 http://msdn.microsoft.com/en-us/library/fp142382.aspx

• How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic) http://msdn.microsoft.com/en-us/library/office/apps/fp179901.aspx

• How to: Package and publish high-trust apps for SharePoint 2013 http://msdn.microsoft.com/en-us/library/office/apps/jj860570.aspx

Page 31

Key takeaways

• You should definitely look into SharePoint Apps!

• Do your best to understand authentication now

• Complex cloud scenarios will come

Page 32

Contact me

[email protected]

• @RadiAtanassov

• Facebook: Radi Atanassov

• LinkedIn: http://au.linkedin.com/in/sharepointradi

• www.onebitsoftware.net

• Mobile: +359 878 823 339

Page 33

Questions?

Please fill out the feedback stuff!

E-mail me: [email protected]

Page 34

THANK YOU!

Please fill out the feedback stuff!

E-mail me: [email protected]