
Page 1

Who Are You and What Do You Want? Working with OAuth in SharePoint 2013

Eric Shupps, SharePoint MVP

Page 2

Welcome to SharePoint Saturday Houston

• Please turn off all electronic devices or set them to vibrate
• If you must take a phone call, please do so in the hall so as not to disturb others
• Special thanks to our Title Sponsor, ProSymmetry

Thank you for being a part of the 5th Annual SharePoint Saturday for the greater Houston area!

Page 3

Thanks to all our Sponsors!

Page 4

Information

• Speaker presentation slides should be available from the SPSHOU website within a week or so
• The Houston SharePoint User Group will be having its next meeting Wednesday April 15th. Please join us at www.h-spug.org

Page 5

About Me

Eric Shupps
CKS:DEV
The SharePoint Cowboy
Patterns & Practices

www.sharepointcowboy.com
[email protected]
/sharepointcowboy
@eshupps

Page 6

Agenda

Introduction
Fundamentals
Application
Implementation

Page 7

INTRODUCTION

Page 8

What is OAuth?

• Open standard for app integration and authorization
• Authentication independent
• “Valet Key”
  – Access
  – Permissions

Page 9

What OAuth is NOT

Authentication

Page 10

Why do we need it?

• Simplify credential management
• Minimize vulnerabilities
• Increase user control over application activities
• Define explicit trust relationships
• Expand interoperability
• Decrease API complexity

Page 11

Security

• Designed for non-secure communications over HTTP
  – HTTPS also supported (and preferred by many)
• Digital signatures, identifiers, tokens and secrets
• Risks
  – Man in the Middle
  – Private keys
  – Session fixation
  – Covert redirect

Page 12

Fundamentals

Page 13

Roles

Resource Owner: Grants access to a protected resource
Resource Server: Hosts the protected resource and accepts access requests
Client: Application making protected resource requests on behalf of the resource owner
Authorization Server: Issues access tokens

Page 14

Flow

Participants: Client, Resource Owner, Authorization Server, Resource Server

1. Client -> Resource Owner: Authorization Request
2. Resource Owner -> Client: Authorization Grant
3. Client -> Authorization Server: Authorization Grant
4. Authorization Server -> Client: Access Token
5. Client -> Resource Server: Access Token
6. Resource Server -> Client: Protected Resource

Page 15

Three Legged Authorization

Parties: User, App, Provider

1. User requests access
2. App requests Request Token
3. Provider returns Request Token
4. App builds auth link w/ Request Token
5. User requests URL + Request Token
6. Provider returns access token
7. User requests URL + Access Token
8. App validates access token
9. Access token validated
10. User granted access

Page 16

Two Legged Authorization

Parties: User, App, Provider

1. User requests access
2. App requests Access Token
3. Provider returns Access Token
4. App builds auth link w/ Access Token
5. User requests URL + Access Token
6. App validates access token
7. Access token validated
8. User granted access
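The roles, the abstract flow and the three- and two-legged sequences on the preceding slides, run end to end as an added Python example. This is not code from the deck or from SharePoint: the Provider class (which plays the authorization server and the resource server at once), its method names, and the sample app id and user are this example's own assumptions. The point it makes beyond the slides is what the provider must check before handing out the valet key: a request token is exchanged only if it is bound to the requesting app, was actually authorized by the user, and has not been used before; an access token is honoured only until its expiry.

```python
# Added example (not the deck's code): in-memory model of the three-legged
# and two-legged flows. Provider = authorization server + resource server.
import secrets
import time


class Provider:
    """Authorization server and resource server for one protected resource."""

    def __init__(self, resource, now=time.time):
        self.resource = resource
        self.now = now                  # injectable clock (assumption for testability)
        self.request_tokens = {}        # request token -> {"app": id, "user": owner or None}
        self.access_tokens = {}         # access token -> {"app": id, "user": owner or None, "exp": epoch}

    # --- three-legged: the resource owner is in the loop ----------------------
    def issue_request_token(self, app_id):
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"app": app_id, "user": None}
        return token

    def auth_link(self, request_token):
        """The link the app builds for the user (step 4 on the slide); hostname is made up."""
        return "https://provider.example/authorize?request_token=" + request_token

    def user_authorizes(self, request_token, user):
        """The user follows the auth link and grants access (step 5)."""
        self.request_tokens[request_token]["user"] = user

    def exchange_request_token(self, request_token, app_id, ttl=43200):
        """Step 6: only a single-use token bound to this app and authorized by a user is exchanged."""
        entry = self.request_tokens.pop(request_token, None)
        if entry is None or entry["app"] != app_id or entry["user"] is None:
            raise PermissionError("request token unknown, already used, foreign, or not authorized")
        return self._issue_access_token(app_id, entry["user"], ttl)

    # --- two-legged: app credentials only, no resource owner ------------------
    def issue_app_access_token(self, app_id, ttl=43200):
        return self._issue_access_token(app_id, None, ttl)

    def _issue_access_token(self, app_id, user, ttl):
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = {"app": app_id, "user": user, "exp": self.now() + ttl}
        return token

    # --- resource server side -------------------------------------------------
    def validate(self, access_token):
        """Returns the token's binding, or None if the token is unknown or expired."""
        entry = self.access_tokens.get(access_token)
        if entry is None or entry["exp"] <= self.now():
            return None
        return entry

    def protected_resource(self, access_token):
        if self.validate(access_token) is None:
            raise PermissionError("access token invalid or expired")
        return self.resource


def three_legged(provider, app_id, user):
    """Steps 1-10 from the slide; returns the resource and the user the token is bound to."""
    request_token = provider.issue_request_token(app_id)                  # steps 2-3
    link = provider.auth_link(request_token)                              # step 4
    provider.user_authorizes(link.rsplit("=", 1)[1], user)                # step 5
    access_token = provider.exchange_request_token(request_token, app_id) # step 6
    binding = provider.validate(access_token)                             # steps 8-9
    return provider.protected_resource(access_token), binding["user"]     # step 10


def two_legged(provider, app_id):
    """Steps 1-8 from the slide: the app acts for itself, so no user is bound to the token."""
    access_token = provider.issue_app_access_token(app_id)
    binding = provider.validate(access_token)
    return provider.protected_resource(access_token), binding["user"]


if __name__ == "__main__":
    p = Provider(resource="calendar entries")
    print(three_legged(p, "app-1", "alice"))   # ('calendar entries', 'alice')
    print(two_legged(p, "app-1"))              # ('calendar entries', None)
```

The two-legged result carries no user: the app is acting on its own credentials, which is exactly why the deck separates it from the three-legged case where the token records which resource owner granted access.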

Page 17

Implementation

Page 18

Overview

Provides integration without multiple logins

Enables server to server operations on behalf of users

Establishes trust relationships between diverse components

Supports App Model

Page 19

Concepts

Identity Provider: Manages identity information for principals (STS)
Security Token Service: Handles requests for trusted identity claims
Identity Token Issuer: Identity provider associated with a web application
Security Token Issuer: Trusted resource (farm, server, etc.)
Metadata Endpoint: Resource information and signing certificate (JSON)
Request Token: Used to request permission to protected resource
Access Token: Used by App to access resource on behalf of user
Realm: Operation scope for authorization
Azure ACS: Cloud-based security token service (IP-STS)

Page 20

Scenarios

• Farm to Farm
• Server to Server
• Apps (.NET, HTML, PHP)

Page 21

Platforms

On Premise
• High Trust (S2S): Farm to Farm, Server to Server
• Apps: High Trust; Low Trust (Apps + ACS)

Online
• Low Trust: Apps + ACS

Page 22

Configuration - Certificates

Consumer
• Export Root & STS Certificates
• Copy Certificates
• Import root certificate(s) and create trusted root authority

Provider
• Export Root Certificate
• Copy Certificates
• Import STS Certificate
• Create Trusted Service Token Issuer
• Import root certificate(s) and create trusted root authority

Page 23

Configuration - Metadata

Consumer
• Create Trusted Root Authority
• Set Authentication Realm
• Create Trusted Security Token Issuer
• Create App Principals

Provider
• Create Trusted Root Authority
• Create Trusted Security Token Issuer

Page 24

Application

Page 25

SharePoint Authorization Process

Page 26

Context

On Premise
1. User browses to App
2. SP returns parameters
3. Browser POSTs parameters to App
4. App requests access token from SP
5. SP validates S2S trust
6. App establishes context

Online
1. User browses to app
2. SP gets request token from ACS
3. SP sends request tokens to browser
4. Browser POSTs request token to app
5. App requests access token from ACS
6. ACS provides access token
7. App establishes context

Page 27

Token Management

On Premise
1. Get request parameters
2. Get claims from Windows identity
3. Get access token with S2S
4. Establish client context

Online
1. Get POST parameters from SP
2. Parse out Context Token
3. Read and validate context token
4. Get access token
5. Get client context from SP with access token

Page 28

On-Premise ACS Trust via O365

Page 29

DEMO

SharePoint App Authorization Process

Page 30

Request Token

{
  "aud": "c7f21d1e-95df-41df-a2e0-a2e29ad2f62b/localhost:44305@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1398292956,
  "exp": 1398336156,
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "appctx": "{\"CacheKey\":\"082e7cPwbER/1hDi2XQ9knd0+yBxexLQr4NGa2/OeQ8=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
  "refreshtoken": "IAAAAL-NR6oQnFU49avbpq7mAhglyGqBvmT3YF8_DGO88fIAIXioxAllnYe0XHr-rb_RDk8X8iqc4gmcyBjpV8E-uVgRG9d6j-IvQQ8qtk2acNXaJ3JpuFKNRhAJoOGOep1i3XGi5jX3Z1u5MzyjmHv2VBGJFEhYtc99TGlZTDIFTqlJmDcxcMAjLZWnY5sMBr-B5IRvl5Cw6l2hvqolj3R2hJ9mPDpVQ4l0l-v28wK6OLi57wPpKAUWlbcRCxmC6oGggdkkF2OEoxujZvZSCCG05YQaS2Z1w_Gphgu5kcYfwVU27bAYfsq3TcA8W0sIt_lUxvD3Lg3mGLr_X5JoTw-t28g",
  "isbrowserhostedapp": "true"
}

Callouts on the slide:
  aud: Client ID / App URL @ Tenant ID
  iss: Azure ACS @ Tenant ID
  nbf: Start
  exp: End
  appctxsender: SharePoint @ Tenant ID
  appctx.CacheKey: User ID + Issuer + App + Realm
  appctx.SecurityTokenServiceUri: IP-STS URL
  refreshtoken: Token sent to IP-STS (Azure ACS)
  isbrowserhostedapp: Browser or Event Receiver

Page 31

Access Token

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}
.
{
  "aud": "00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1400013357,
  "exp": 1400056557,
  "nameid": "1003000086ad02d6",
  "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "identityprovider": "urn:federation:microsoftonline"
}

Callouts on the slide:
  aud: SharePoint Host Web @ Tenant ID
  iss: Azure ACS @ Tenant ID
  nbf: Start
  exp: End
  nameid: UPN
  actor: Tenant ID
  identityprovider: STS ID
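The context ("request") token and access token shown on the two slides above, together with the "read and validate context token" step from the Token Management slide, as an added Python example that is not the deck's demo code. It rebuilds the two slide payloads as JWTs, decodes the base64url segments, splits the ACS-style `<id>/<host>@<realm>` principals into the pieces the slide callouts name (Client ID or Host Web, App URL, Tenant ID), checks audience, issuer, realm and the nbf/exp window, and pulls the nested JSON out of appctx. The signature segment is a placeholder and the helper names (`decode_jwt`, `split_principal`, `check_claims`, `parse_app_context`) are this example's own assumptions. Decoding is not verification: before any of these claim checks mean anything, a consumer has to verify the RS256 signature against the signing certificate published at the issuer's metadata endpoint (the `x5t` header says which certificate), which this example does not do.

```python
# Added example (not the deck's code): decode and claim-check the two slide tokens.
import base64
import json

# Payload values are the slide's; the refresh token is left out as an opaque value.
SLIDE_ACCESS_HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"}
SLIDE_ACCESS_PAYLOAD = {
    "aud": "00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
    "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
    "nbf": 1400013357,
    "exp": 1400056557,
    "nameid": "1003000086ad02d6",
    "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
    "identityprovider": "urn:federation:microsoftonline",
}
SLIDE_CONTEXT_PAYLOAD = {
    "aud": "c7f21d1e-95df-41df-a2e0-a2e29ad2f62b/localhost:44305@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
    "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
    "nbf": 1398292956,
    "exp": 1398336156,
    "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
    "appctx": "{\"CacheKey\":\"082e7cPwbER/1hDi2XQ9knd0+yBxexLQr4NGa2/OeQ8=\","
              "\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
    "isbrowserhostedapp": "true",
}
ACS_ISSUER_ID = "00000001-0000-0000-c000-000000000000"   # the iss principal on both slides


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments carry no '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_jwt(header: dict, payload: dict) -> str:
    """Constructed token header.payload.<placeholder>; the real one is RS256-signed by ACS."""
    return ".".join([b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
                     b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
                     "signature-placeholder"])


def decode_jwt(token: str):
    """Split the three segments and decode header and payload. No signature check here."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), signature_b64


def split_principal(value: str):
    """ACS naming '<id>[/<host>]@<realm>' -> (id, host or None, realm)."""
    name, realm = value.rsplit("@", 1)
    ident, _, host = name.partition("/")
    return ident, host or None, realm


def check_claims(payload: dict, expected_host: str, expected_realm: str, now: int) -> dict:
    """Claim checks an app makes after the signature has been verified; raises ValueError on failure."""
    aud_id, aud_host, aud_realm = split_principal(payload["aud"])
    iss_id, _, iss_realm = split_principal(payload["iss"])
    if aud_host != expected_host:
        raise ValueError("token was issued for %r, not for this app/host" % aud_host)
    if iss_id != ACS_ISSUER_ID:
        raise ValueError("unexpected issuer principal %r" % iss_id)
    if not (aud_realm == iss_realm == expected_realm):
        raise ValueError("realm (tenant) mismatch between aud, iss and this app")
    if not (payload["nbf"] <= now < payload["exp"]):
        raise ValueError("token not yet valid or expired at %d" % now)
    return {"audience": aud_id, "host": aud_host, "realm": aud_realm,
            "lifetime_seconds": payload["exp"] - payload["nbf"]}


def parse_app_context(context_payload: dict) -> dict:
    """appctx is JSON nested inside a string: the cache key and the STS the refresh token goes to."""
    return json.loads(context_payload["appctx"])


if __name__ == "__main__":
    realm = "2ae1caa2-a173-4989-b8f5-9da45655b8f4"
    header, payload, _ = decode_jwt(build_unsigned_jwt(SLIDE_ACCESS_HEADER, SLIDE_ACCESS_PAYLOAD))
    print(header["alg"], check_claims(payload, "binarywaveinc.sharepoint.com", realm, now=1400020000))
    print(parse_app_context(SLIDE_CONTEXT_PAYLOAD)["SecurityTokenServiceUri"])
```

Both slide tokens turn out to have the same nbf-to-exp lifetime of 43200 seconds (12 hours), which is the window `check_claims` enforces; the realm check matters because every principal on the slides is scoped to the same tenant id, and a token whose aud, iss and actor disagree on that realm was not minted for this tenant.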

Page 32

DEMO

Decoding Authorization Tokens

Page 33

Resources

Description Link

OAuth Working Group http://oauth.net/

OAuth Resource Guide http://bit.ly/14CWPNb

Authorization and authentication for apps in SharePoint 2013 http://bit.ly/16f8WFh

Setting up an OAuth trust between farms in SharePoint 2013 http://bit.ly/12Yr7e3

Plan for server-to-server authentication in SharePoint 2013 http://bit.ly/1chAgFl

What’s new in authentication for SharePoint 2013 http://bit.ly/1e6KaYv

Creating High-Trust apps with S2S http://bit.ly/18RL8uL

Using O365 to Authorize On-Premise Apps http://bit.ly/1fvv1Bo

Demos http://bit.ly/1z6gohH

Slides http://bit.ly/1FygEIz

Page 34

Please Leave Feedback During Q&A

Speakers: If you want to get feedback on your talk, put the shortened link and the QR code on this page. Instructions on how to get your link and QR code are at: bit.ly/spshou2015decktemplate

Also, please upload your completed deck to our Onedrive folder: bit.ly/spshou2015deckuploads