Building end-to-end apps for SharePoint with Windows Azure and Windows 8

Building end-to-end apps for SharePoint with Windows Azure and Windows 8Rob Howard, Donovan FolletteSr. Program Manager, Sr. Technical Evangelist3-022

Demo end-to-end solutionIntroduction to _apiMeet the new App PrincipalRemote Event Receivers

Agenda

With the new cloud app model for SharePoint and its rich service APIs, your apps can now consume SharePoint better than ever before.

Key Takeaway

Scenario Overview

Business:Company wishes to create a mobile enabled toolset for sales personnel to efficiently respond to sales leads and win business

Technical:Company wants a 100% cloud-based solution and use desktop applications and mobile devices to access the toolset

Windows 8 Application

Microsoft Word with Apps For Office

Internal O365 SharePoint Site

Windows Azure Cloud Services

Windows Azure Workflow Server

Public O365 SharePoint Site Windows

Azure SQL Database

Clients (Desktop/Tablet/Mobile)

Cloud

• View / approve SOWs• Display Excel Services

charts in Word

• View client companies• View sales leads• Receive toast and tile

and raw notifications• View Excel Services

charts• Create estimates

• Contact internal sales personnel to follow up on requests for quotes

• Contact vendors to follow up on requests for quotes

• Approve SOWs• Display, Create, Update,

Delete Sales Leads• Store Excel Documents• Store SOWs• Host team sites for projects• BCS External List

• Submit requests for quote

• Send notifications• Create SOWs• Update data in Excel

documents• Create SharePoint project

sites

• Facilitate SOW creation, approval, submission, and follow up tasks

• Store sales request data

Windows AzureAccess Control Service• OAuth

Demo using Windows 8, Windows Azure SQL Database, Web Sites and Access Control Services

Lead Tracking app for SharePoint Online

Introduction to _api

Introducing the all new _api

_APIClient/Server/Mobile Symmetrical

OAuth Enabled2,000+ Classes

Declarative, Remote EventsFully Remote

6,000+ MembersODataJQuery Compatible

Private and Public Clouds

JSON

JavaScript Library

Silverlight Library

.Net CLR Library

Custom Client Code

ClientSharePoint

_api

SharePoint Foundatio

n

Execute Query

SharePoint 2013 and SharePoint Online _api

OData / REST

User Profile

Search

Taxonomy Feeds More…

Consistent Access to ServicesAPI REST URL Script Client NamespaceWeb http://weburl/_api/Web SP Microsoft.SharePoint.ClientSearch http://weburl/_api/Search SP.Search Microsoft.SharePoint.Client.Searc

hTaxonomy http://weburl/_api/

Taxonomy SP.Taxonomy

Microsoft.SharePoint.Client.Taxonomy

Social http://weburl/_api/Social SP.Social Microsoft.SharePoint.Client.Social

Consistent UsageREST/ODatahttps://contoso.sharepoint.com/_api/web/Title

Managed CodeClientContext ctx = new ClientContext("https://contoso.sharepoint.com");ctx.Load(ctx.Web.Title);ctx.ExecuteQuery();

JavaScriptvar ctx = new SP.ClientContext("https://contoso.sharepoint.com");ctx.load(ctx.get_web().get_title());ctx.executeQueryAsync();

Base endpoint GET http://<weburl>/_api

Get the web’s titleGET http://<weburl>/_api/Web/title

Get the collection of lists in the webGET http://<weburl>/_api/Web/lists

Get the lists in the web with a BaseTemplate of 104 (announcement lists)GET http://<weburl>/_api/Web/lists?$filter=BaseTemplate eq 104

Create a new listPOST http://<weburl>/_api/web/Lists

Body:

{ 'd' : {'__metadata': {'type': 'SP.List'},'Title': 'My New List,'Url': 'newlist','TemplateType': 101,'TemplateFeatureId': '00BFEA71-E717-4E80-AA17-D0C71B360101'}}

Sample REST / OData Calls

demo

SharePoint _API

Meet the App Principals

(Rob)

Contoso photo

Contoso photo

Contoso

?Contoso photo

Contoso

Contoso photo

Contoso

View

View

Contoso photo

Contoso

View, Upload, Tag, Comment

View, Upload, Tag, Comment

Contoso photo

Contoso

View, Upload, Tag, Comment, Change Password


Contoso photo

Contoso


Contoso photo

Contoso


Contoso photo

Contoso


Contoso photo

Contoso


View

Contoso photo

Contoso


View

Contoso photo

Contoso

SharePoint

SharePoint 2007

Sandbox

SharePoint 2010

SharePoint

Azure, IIS, LAMP, etc…

_api

SharePoint 2013

App Model: Past, Present and Future

What: The protocol to handle the authorization flow.Based on existing internet implementations

Why:Functionality

App and User identitiesEstablished model for granting app accessSimple

OtherEngineering efficienciesGood adoption

Clear architectural roadmap

OAuth 2.0

32

User credentialsprovided?Start

End

User only context

App only context

User + App

context

Anonymous context

App tokenprovided?

App tokenIncludes user?

AuthenticationYes

No

No No

Yes Yes

SharePoint Context Token

SharePoint Server

App.com

Browser

Browser

SharePoint Server

App.com

STS (ACS)

Browser

SharePoint Server

1

App.com

STS (ACS)

1) User browses to a SharePoint page with an app from app.com on it

https://rhoward.sharepo

Browser

SharePoint Server

1

App.com

2

STS (ACS)

2) SharePoint asks ACS to create and sign a token which contains context information (e.g. the current user) and an auth code


Browser

SharePoint Server

1

App.com

2

STS (ACS)

3

3) ACS returns the signed context token


Browser

SharePoint Server

1

App.com

2

STS (ACS)

3

4

4) SharePoint renders the page including an iframe, which will POST the context token to app.com

SP API Reviewhttps://rhoward.sharepo

POST https://app.com/…SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…

Browser

SharePoint Server

1

5

App.com

2

STS (ACS)

3

4

5) The iframe causes the browser to request a page from app.com including the context token


Browser

SharePoint Server

1

5

App.com

2

STS (ACS)

3

4

6

6) App.com validates the signature on the context token, extracts the auth code, and uses its credentials to request an access token from ACS


Browser

SharePoint Server

1

5

App.com

2

STS (ACS)

3

4

6

7

7) Windows Azure Access Control Service (ACS) returns an access token


Browser

SharePoint Server

1

5

8

App.com

2

STS (ACS)

3

4

6

7

8) App.com makes a web service request to SharePoint, passing the access token


Browser

SharePoint Server

1

5

8

9

App.com

2

STS (ACS)

3

4

6

7

9) SharePoint returns information to App.com


Browser

SharePoint Server

1

10

5

8

9

App.com

2

STS (ACS)

3

4

6

7

10) App.com renders the iframe contents


7 Unassigned Changes21 Pending Reviews17 Active API BugsNag Mail

Nag Mail

Auto-Assign

demo

A basic remote app

The OAuth 2.0 Authorization ProtocolThe OAuth 2.0 Authorization Protocol: Bearer TokensJSON Web Token (JWT)IETF OAuth WG homepage

OAuth Standards Resources

http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/

http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/

http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/

http://datatracker.ietf.org/doc/draft-jones-json-web-token/

http://datatracker.ietf.org/wg/oauth/

SharePoint 2013 & Windows Azure Workflow

People

Content

Events

Collab

Visu

al S

tudi

o

Shar

ePoi

nt D

esig

ner

SharePointWF3 Host

SharePoint OM_API

Workflow Services Manager

MTW

AzureService Bus

AzureWorkflow

AzureAccess Control

OAuth2

Instances Interop

Deployment Messaging

WF4 Service Application Proxy

Remote Event Receivers


App Server

Remote Event

Push Notifications

demo


SharePoint 2013 has a broad, powerful set of service APIs available to clients of a comprehensive set of technologiesSharePoint 2013 independently authenticates both users and app principals Using the deep set of APIs and standard web technologies you can build a new class of innovative productivity solutions by accessing SharePoint as a service

Takeaways

• Today 12:00 PM – B92 Stinger – Developing an App for SharePoint Autohosted…

Related Sessions

• http://dev.office.com• http://blogs.msdn.com/b/office

apps

• http://dev.windows.com• http://windowsazure.com

Office, SharePoint & More Resources Please submit sessions evals on the Build Windows 8 App

or at http://aka.ms/BuildSessions

http://dev.office.com/

http://blogs.msdn.com/b/officeapps

http://blogs.msdn.com/b/officeapps

http://dev.windows.com/

http://windowsazure.com/

http://aka.ms/BuildSessions

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Overflow

Two Aspects to Access ControlAuthenticationverifying a claim made by a subject that it should be allowed to act on behalf of a given principal

Authorizationverifying that an authenticated subject has permission to perform certain operations or access specific resources

SharePoint“Host” Web

App Web JavaScript

App Authentication

SharePoint“AppWeb”


App Authentication

JavaScript(cross domain) SharePoint

“AppWeb”


App Authentication

OAuth

SharePoint“AppWeb”

App Identity Online and On-PremIn the cloudWindows Azure Active Directory (AD) comes with O365Apps use ‘3-legged’ OAuth

Azure AD

App Office 365

Cloud

App Identity Online and On-PremIn the cloudWindows Azure AD comes with O365Apps use ‘3-legged’ OAuthOn-PremisesCert-based trustOn-prem to on-prem

App SharePoint

On-Prem

Azure AD

App Office 365

Cloud

App Identity Online and On-PremIn the cloudWindows Azure AD comes with O365Apps use ‘3-legged’ OAuthOn-PremisesCert-based trustOn-prem to on-premHybridUse O365 Azure AD with on-prem SPSupports marketplace and on-prem apps

Azure AD

App Office 365

App SharePoint

CloudOn-Prem

Authorization

Apps have Identity (separate from Users)Ex: Printing App is distinct from the user using the Printing app

Access is based on GrantsGrants are available to AccessCheckGrants have scopes and rightsEx: Printing App has READ right on “Picture Library”

AccessCheck makes a decision usingIdentities (User, Application)Resource Attributes (ACLs)Policies

User OnlyApp & UserApp Only

Authorization Logical Model

Apps must request the permissions they require to run

Permission Requests

<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"> <Property Name="BaseTemplateId" Value="101"/> </AppPermissionRequest> <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/> <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/></AppPermissionRequests>

Permission RequestsScope="http://sharepoint/content/sitecollection" Right="Read"/>

Product Permission ProviderSpecific component Capability

Consent

App Name Here

Available App PermissionsScope Right

http://sharepoint/content/tenant Read;Write;Manage;FullControlhttp://sharepoint/content/sitecollection Read;Write;Manage;FullControlhttp://sharepoint/content/sitecollection/web Read;Write;Manage;FullControlhttp://sharepoint/content/sitecollection/web/list Read;Write;Manage;FullControlhttp://sharepoint/bcs/connection Readhttp://sharepoint/search QueryAsUserIgnoreAppPrincip

alhttp://sharepoint/projectserver Managehttp://sharepoint/projectserver/projects Read;Writehttp://sharepoint/projectserver/projects/project Read;Writehttp://sharepoint/projectserver/enterpriseresources Read;Writehttp://sharepoint/projectserver/statusing SubmitStatushttp://sharepoint/projectserver/reporting Readhttp://sharepoint/projectserver/workflow Elevatehttp://sharepoint/social/tenant Read;Write;Manage;FullControlhttp://sharepoint/social/core Read;Write;Manage;FullControlhttp://sharepoint/social/microfeed Read;Write;Manage;FullControlhttp://sharepoint/taxonomy Read;Write