OAuth in SharePoint 2013
Agenda
• Access Control and SharePoint
• What is OAuth
• App Authentication
• Server to Server Authentication
Authentication & Authorization
Access Control and SharePoint
Authentication
• verifying a claim made by a subject that it should be allowed to act on behalf of a given principal
Authorization
• verifying that an authenticated subject has permission to perform certain operations or access specific resources
Access control in SharePoint
Access Control and SharePoint
SharePoint 2007
Windows Authentication
Forms based authentication
SharePoint 2010
Classic mode authentication
Claims based authentication
SharePoint 2013
Claims based authentication
Claims based authentication
Access Control and SharePoint
Challenges
Access Control and SharePoint
Fully trusted farm solutions (e.g. a Visual Web Part)
• By default, code runs with the permissions of the current user
• The developer can call SPSecurity.RunWithElevatedPrivileges
• Code inside the elevated delegate runs as the all-powerful SHAREPOINT\SYSTEM account
• In practice that means the code runs under the Windows identity of the host application pool
SharePoint App architecture
App authentication
SharePoint Hosted Apps
• App resources live in SharePoint
• Stored in a child site called the app web
• App can have client-side code only
Cloud Hosted Apps
• App resources live on a remote server
• Stored in a site called the remote web
• App can have client-side and server-side code
App permissions
App authentication
• Not attached to the hierarchy of securable objects the way user permissions are
• Assigned to target permission scopes
• Scope can be a site (web), a site collection or the tenancy; a grant at a scope covers the sites beneath it
Permission policies
App authentication
• App + User Policy
  • Both the user and the app require permissions to access the resource
  • An access denied error occurs if either the user or the app has insufficient permissions
• App-only Policy
  • Only the app needs permissions to access a resource
  • Allows app code to elevate above the permissions of the current user
  • Only supported for server-side code in cloud-hosted apps
• User policy
  • Never used when an app makes a call to SharePoint
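The two policies above as a small decision model, added here as an example and not code from the deck or from SharePoint itself. The ordering of rights, the prefix-based scope match and the sample grants and user rights are assumptions that approximate how SharePoint evaluates an app call; everything is constructed so it runs offline.

```python
"""Simplified model of the App + User and App-only permission policies.

Added example (not the deck's or SharePoint's own code). Rights ordering,
prefix-based scope matching and the sample grants/users are assumptions.
"""
from enum import IntEnum


class Right(IntEnum):
    """App permission rights, low to high; a higher right implies the lower ones."""
    NONE = 0
    READ = 1
    WRITE = 2
    MANAGE = 3
    FULL_CONTROL = 4


def _norm(url):
    return url.rstrip("/").lower()


class AppGrant:
    """One app permission: a right granted on a scope (web, site collection or tenancy URL).
    App permissions are not attached to the securable-object hierarchy; a grant at a
    scope simply covers every site beneath that URL (assumption: prefix match)."""

    def __init__(self, scope_url, right):
        self.scope_url = _norm(scope_url)
        self.right = right

    def covers(self, target_url, needed):
        target = _norm(target_url)
        in_scope = target == self.scope_url or target.startswith(self.scope_url + "/")
        return in_scope and self.right >= needed


def app_has(grants, target_url, needed):
    return any(grant.covers(target_url, needed) for grant in grants)


def is_allowed(policy, target_url, needed, app_grants, user_rights):
    """Decide one app call under the given policy.

    policy      -- "app+user" or "app-only"; "user" alone is never used for app calls
    app_grants  -- list of AppGrant the admin approved for the app
    user_rights -- constructed map of site URL -> Right the current user holds there
    """
    app_ok = app_has(app_grants, target_url, needed)
    if policy == "app-only":
        # The user is never consulted, so the app can act above the user's own rights.
        return app_ok
    if policy == "app+user":
        user_ok = user_rights.get(_norm(target_url), Right.NONE) >= needed
        # Either side lacking the right yields access denied.
        return app_ok and user_ok
    raise ValueError("policy %r is not used for app calls to SharePoint" % policy)


# Constructed sample: the app was granted Write at the site collection,
# the current user holds only Read on one web inside it.
SITE_COLLECTION = "https://contoso.sharepoint.com/sites/projects"
PROJECT_WEB = SITE_COLLECTION + "/alpha"
APP_GRANTS = [AppGrant(SITE_COLLECTION, Right.WRITE)]
USER_RIGHTS = {_norm(PROJECT_WEB): Right.READ}

if __name__ == "__main__":
    for policy in ("app+user", "app-only"):
        for needed in (Right.READ, Right.WRITE, Right.MANAGE):
            print(policy, needed.name, is_allowed(policy, PROJECT_WEB, needed, APP_GRANTS, USER_RIGHTS))
```

Under App + User the Write call is refused because the user only has Read, while the same call succeeds under App-only: that is exactly the elevation the slide warns about, and why App-only is limited to server-side code that the user never controls.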
App authentication types
App authentication
• Internal authentication
• External authentication using OAuth
• External authentication using S2S
Internal Authentication
App authentication
• In which scenarios is internal authentication used?
  • Client-side calls from pages in the app web
  • Client-side calls from pages in the remote web which use the cross-domain library
  • Server-side calls to the app web in on-premises scenarios
• How does it work?
  • Incoming calls require a SAML token holding an established user identity
  • The call targets the unique domain of the app web associated with an app
  • SharePoint maps the target URL to an instance of an app
  • Your app code is not required to create and manage security tokens
External Authentication
App authentication
• In which scenarios is external authentication used?
  • Calls to SharePoint from server-side code running in the remote web
• How does it work?
  • Incoming calls require an access token carrying the app identity
  • The access token can optionally carry a user identity as well
  • The call does not need to target a URL inside the app web
  • The call can target any CSOM or REST endpoint in any site
  • Your app code is required to create and manage security tokens
What is OAuth
OAuth
• Open standard (OAuth 2.0) for delegated authorization; SharePoint uses it to create and manage app identity
• A cross-platform mechanism for authenticating apps
• Internet standard used by Facebook, Google and Twitter
• With SharePoint 2013, Microsoft is using OAuth 2.0
• SharePoint 2013 supports authentication using OAuth
• OAuth is used for external authentication in the Office 365 environment
• OAuth authentication requires Windows Azure Access Control Service (ACS); an on-premises farm without ACS uses S2S for external authentication instead
• The remote web must communicate with ACS to obtain access tokens
• Access tokens are passed to the SharePoint host in CSOM calls and REST API calls
Terms
What is OAuth
• Content Owner(s) (the OAuth 2.0 resource owner)
  • SharePoint user (or users) who can grant permissions to site content
• Content Server (the OAuth 2.0 resource server)
  • SharePoint web server that hosts the site with the content that is to be accessed
• Client App (the OAuth 2.0 client)
  • Remote web that needs permissions to access site content
• Authentication Server (the OAuth 2.0 authorization server)
  • Trusted service that provides apps with access tokens allowing access to content
Windows Azure Access Control Service (ACS)
What is OAuth
• Required service when using OAuth with SharePoint 2013
• The ACS server acts as the authentication server
• Office 365 is configured with a trust to ACS
• The client app (i.e. the remote web) must communicate with ACS to acquire access tokens
[Diagram: SharePoint 2013 content server in the Office 365 tenancy; End User (computer, mobile device, tablet or iPad); Client App (web server running remote app code); Windows Azure ACS (authentication server)]
How OAuth works
What is OAuth
[Diagram: SharePoint 2013 content server in the Office 365 tenancy; End User (computer, mobile device, tablet or iPad); Client App (web server running remote app code); Authentication Server (trusted ACS server that authenticates applications and creates OAuth tokens)]
1 SharePoint authenticates the user using claims
2 SharePoint requests a context token for the user from ACS
3 ACS returns the context token
4 SharePoint passes the context token to the user's browser
5 The user's browser POSTs to the app and passes the context token
6 The client app extracts the refresh token from the context token and passes it to ACS to request an access token
7 ACS returns an access token to the client app
8 The client app makes CSOM/REST calls to the SharePoint site passing the OAuth access token
9 SharePoint authenticates the app, processes the CSOM/REST calls and returns content to the app
10 The client app returns HTML to the user's device
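Steps 5 to 8 of the flow above from the remote web's side, as an added example (not code from the deck and not Microsoft's TokenHelper.cs): the app receives the context token the browser POSTed, validates it before trusting anything in it, pulls out the refresh token, builds the ACS request that trades it for an access token, and attaches that access token to a SharePoint REST call. Assumptions: the context token is a JWT signed with HMAC-SHA256 under the base64-decoded client secret, with the claim names TokenHelper.cs uses (aud, iss, nbf, exp, refreshtoken, appctx) and delivered in the SPAppToken form field; the client id, secret, realm, host, ACS endpoint URL and token values are constructed stand-ins for what app registration and ACS would supply. No network calls are made; the ACS and REST requests are returned as data so their shape can be inspected.

```python
"""Context token -> refresh token -> access token -> REST call (steps 5-8).

Added example, not the deck's or Microsoft's code. Claim names follow the
TokenHelper.cs conventions; all identifiers and token values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint's fixed principal id
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # ACS's fixed principal id

# Constructed app registration values (assumptions for the demo).
CLIENT_ID = "2f0e1b7a-1111-2222-3333-444455556666"
CLIENT_SECRET = base64.b64encode(b"demo-client-secret-not-for-real-use!").decode()
REALM = "7d9a1c4e-aaaa-bbbb-cccc-ddddeeeeffff"
SP_HOST = "contoso.sharepoint.com"
STS_URL = "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"  # assumed ACS token endpoint


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input, secret_b64):
    key = base64.b64decode(secret_b64)  # the secret is base64-decoded before use as the HMAC key
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_context_token(refresh_token, now, secret_b64=CLIENT_SECRET):
    """Constructed stand-in for the context token ACS mints in step 3."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "aud": f"{CLIENT_ID}/{SP_HOST}@{REALM}",
        "iss": f"{ACS_PRINCIPAL}@{REALM}",
        "nbf": now,
        "exp": now + 12 * 3600,
        "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
        "refreshtoken": refresh_token,
        "isbrowserhostedapp": "true",
        "appctx": json.dumps({"CacheKey": "constructed-cache-key", "SecurityTokenServiceUri": STS_URL}),
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input, secret_b64))


def parse_context_token(token, now, secret_b64=CLIENT_SECRET, host=SP_HOST):
    """Step 6, first half: check signature, audience and validity window before using any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("context token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), secret_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature: token was not issued under this client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != f"{CLIENT_ID}/{host}@{REALM}":
        raise ValueError("audience mismatch: token is for another app or host")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token is outside its nbf/exp window")
    return claims


def build_acs_token_request(claims, target_host=SP_HOST, secret_b64=CLIENT_SECRET):
    """Step 6, second half: the refresh-token grant the remote web POSTs to ACS.
    Server side only: the refresh token and client secret never go back to the browser."""
    sts_url = json.loads(claims["appctx"])["SecurityTokenServiceUri"]
    body = {
        "grant_type": "refresh_token",
        "client_id": f"{CLIENT_ID}@{REALM}",
        "client_secret": secret_b64,
        "refresh_token": claims["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{target_host}@{REALM}",
    }
    return sts_url, body


def build_rest_request(access_token, site_url):
    """Step 8: the access token from step 7 goes in the Authorization header of the REST call."""
    return {
        "method": "GET",
        "url": site_url.rstrip("/") + "/_api/web",
        "headers": {"Authorization": "Bearer " + access_token, "Accept": "application/json;odata=verbose"},
    }


if __name__ == "__main__":
    now = int(time.time())
    token = make_context_token("constructed-refresh-token", now)  # what arrives in the SPAppToken form field
    claims = parse_context_token(token, now + 60)
    print(build_acs_token_request(claims))
    print(build_rest_request("constructed-access-token", f"https://{SP_HOST}/sites/projects"))
```

The order of checks in parse_context_token is deliberate: the signature is verified over the raw text before the payload is parsed, so a tampered or foreign token is rejected before any claim (including the refresh token) is read, and the audience check stops a context token issued for another app or host name from being replayed against this one.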
Demo
Thank You !