TechEd NA 2014 - DEVB389 - Working with OAuth in SharePoint 2013

DESCRIPTION

Slides from TechEd North America 2014 session DEVB389 - Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.

Eric Shupps, The SharePoint Cowboy (CKS:DEV, Patterns & Practices)

www.sharepointcowboy.com | eshupps@binarywave.com | facebook.com/sharepointcowboy | @eshupps | slideshare.net/eshupps

Authorization roles

Resource Owner: grants access to a protected resource.
Resource Server: hosts the protected resource and accepts access requests.
Client: application making protected resource requests on behalf of the resource owner.
Authorization Server: issues access tokens.

Abstract protocol flow (Client, Resource Owner, Authorization Server, Resource Server)

1. Client -> Resource Owner: Authorization Request
2. Resource Owner -> Client: Authorization Grant
3. Client -> Authorization Server: Authorization Grant
4. Authorization Server -> Client: Access Token
5. Client -> Resource Server: Access Token
6. Resource Server -> Client: Protected Resource

Flow with a Request Token (legs 1, 2, 3)

1. User requests access; App requests Request Token
2. Provider returns Request Token
3. App builds auth link with Request Token
4. User requests URL + Request Token
5. Provider returns Access Token
6. User requests URL + Access Token
7. App validates Access Token
8. Access Token validated
9. User granted access

Flow with an Access Token only (legs 1, 2)

1. User requests access; App requests Access Token
2. Provider returns Access Token
3. App builds auth link with Access Token
4. User requests URL + Access Token
5. App validates Access Token
6. Access Token validated
7. User granted access

Terminology

Identity Provider: manages identity information for principals (STS).
Security Token Service: handles requests for trusted identity claims.
Identity Token Issuer: identity provider associated with a web application.
Security Token Issuer: trusted resource (farm, server, etc.).
Metadata Endpoint: resource information and signing certificate (JSON).
Request Token: used to request permission to a protected resource.
Access Token: used by the App to access a resource on behalf of the user.
Realm: operation scope for authorization.
Azure ACS: cloud-based security token service (IP-STS).

On-premise flow (S2S)

1. User browses to App
2. SP returns parameters
3. Browser POSTs parameters to App
4. App requests access token from SP
5. SP validates S2S trust
6. App establishes context

Online flow (Azure ACS)

1. User browses to App
2. SP gets request token from ACS
3. SP sends request token to browser
4. Browser POSTs request token to App
5. App requests access token from ACS
6. ACS provides access token
7. App establishes context

On-premise (S2S) code steps

1. Get request parameters
2. Get claims from Windows identity
3. Get access token with S2S
4. Establish client context

Online (Azure ACS) code steps

1. Get POST parameters from SP
2. Parse out Context Token
3. Read and validate Context Token
4. Get access token
5. Get client context from SP with access token

[Diagram: token issuance. Start: SharePoint (Tenant ID). The token carries User ID + Issuer + App + Realm and is sent to the IP-STS (Azure ACS) at the IP-STS URL, via the Browser or an Event Receiver; inputs include Client ID, App URL and Tenant ID. End: Azure ACS (Tenant ID).]

Decoded JWT (header.payload):

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}.{
  "aud": "00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1400013357,
  "exp": 1400056557,
  "nameid": "1003000086ad02d6",
  "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "identityprovider": "urn:federation:microsoftonline"
}
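As an added example (not from the deck), the "read and validate" step applied to a JWT in the form shown above: decode the header and payload and check aud, iss, nbf, exp and the actor realm before trusting the token. It constructs a sample token from the slide's claim values with a placeholder signature; the SharePoint and ACS principal IDs are taken from the token above, and RS256 signature verification against the x5t certificate from the metadata endpoint is assumed to happen separately.

```python
import base64
import json

# Principal IDs as they appear in the slide's token: SharePoint (aud) and Azure ACS (iss).
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(realm: str, host: str, nbf: int, exp: int) -> str:
    """Constructed sample: the slide's claims with a placeholder (unsigned) signature."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"}
    payload = {
        "aud": f"{SHAREPOINT_PRINCIPAL}/{host}@{realm}",
        "iss": f"{ACS_PRINCIPAL}@{realm}",
        "nbf": nbf, "exp": exp,
        "nameid": "1003000086ad02d6",
        "actor": f"c90047b7-392a-42e7-8c52-65afa92e5d0d@{realm}",
        "identityprovider": "urn:federation:microsoftonline",
    }
    segments = [json.dumps(header).encode(), json.dumps(payload).encode(), b"placeholder-signature"]
    return ".".join(b64url_encode(s) for s in segments)


def validate_token(token: str, expected_host: str, expected_realm: str, now: int) -> dict:
    """Decode header and payload; return the failed claim checks plus the identities found."""
    # Signature is NOT verified here: RS256 needs the issuer certificate identified by
    # x5t, fetched from the metadata endpoint, which is out of scope for this example.
    parts = token.split(".")
    if len(parts) != 3:
        return {"problems": ["expected header.payload.signature"]}
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    app_principal, _, actor_realm = claims.get("actor", "").partition("@")
    checks = [
        (header.get("alg") == "RS256", "unexpected alg"),
        (claims.get("aud") == f"{SHAREPOINT_PRINCIPAL}/{expected_host}@{expected_realm}",
         "aud does not match this host and realm"),
        (claims.get("iss") == f"{ACS_PRINCIPAL}@{expected_realm}", "iss is not ACS for this realm"),
        (claims.get("nbf", 0) <= now < claims.get("exp", 0), "token is outside its nbf/exp window"),
        (actor_realm == expected_realm, "actor realm does not match"),
    ]
    problems = [message for ok, message in checks if not ok]
    return {"problems": problems, "user": claims.get("nameid"),
            "app_principal": app_principal, "x5t": header.get("x5t")}
```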

[Diagram: token path. Start: SharePoint host web (Tenant ID). End: Azure ACS (Tenant ID). Claims carried: Tenant ID, UPN, STS ID.]

Links

OAuth Working Group: http://oauth.net/
OAuth Resource Guide: http://bit.ly/14CWPNb
Authorization and authentication for apps in SharePoint 2013: http://bit.ly/16f8WFh
Setting up an OAuth trust between farms in SharePoint 2013: http://bit.ly/12Yr7e3
Plan for server-to-server authentication in SharePoint 2013: http://bit.ly/1chAgFl
What's new in authentication for SharePoint 2013: http://bit.ly/1e6KaYv
Creating High-Trust apps with S2S: http://bit.ly/18RL8uL
Using O365 to Authorize On-Premise Apps: http://bit.ly/1fvv1Bo


Patterns and practices: 30+ Visual Studio projects covering common scenarios; contribute.

Related sessions

OFC-B254 Integrating Yammer and Microsoft SharePoint Using .NET
DEV-B230 Most Commonly Asked for On-Premises Customizations Reimagined as Applications for SharePoint
DEV-B319 Get Started Developing Applications for Microsoft Office and SharePoint Server 2013
DEV-B231 Office Power Hour: New Developer APIs and Features for Applications for Office
DEV-B227 Anyone Can Build a SharePoint Application with Microsoft Access
OFC-B274 Implementing Microsoft SharePoint 2013 Hybrid for Search, Business Connectivity Services, Microsoft OneDrive for Business and Yammer
DEV-B232 Creating Cloud Hosted Line-of-Business Applications with Apps for Office, Microsoft Office 365, Microsoft Azure, and Windows Phone 8
OFC-B311 A Practical Use of External Data Sources
DEV-B357 Developing Office 365 Cloud Business Applications
DEV-B387 Deep Dive into Mail Compose Applications APIs
DEV-B386 Setting Up Your On-Premises Environment for App Development
DEV-B228 Build Connected Productivity Apps for SharePoint and Office
DEV-B390 SharePoint Power Hour: New Developer APIs and Features for Apps for SharePoint
DEV-B389 Who Are You and What Do You Want? Working with OAuth in Microsoft SharePoint 2013
EXM04 Exam Prep: 70-331 and 70-332

Resources

www.microsoft.com/learning
http://microsoft.com/msdn
http://microsoft.com/technet
http://channel9.msdn.com/Events/TechEd