Office 365 Platform Flexible Tools Each Office 365 Workload API required different Authentication

Page 1: Office 365 Platform Flexible Tools Each Office 365 Workload API required different Authentication
Page 2: Integrating Mail and Calendar experiences within Office 365

Matthias Leibmann and Rohit Nagarmal, Program Managers, Microsoft

SPC379

Page 3: What we will cover today

Overview on how to build apps using Windows Azure AD and Office 365

Introduction to the new REST APIs for Mail/Calendar/Contacts in Office 365

Sample of a Native App

Page 4: What we are building: Session Picker App

1. Sign-On to Office 365 using an Organizational Account

2. Retrieving a Session List from SharePoint Online

3. Signing up for Sessions by putting them on the Exchange Online Calendar

Page 5: Authentication to Office 365 APIs Preview

Page 6: Office 365 Platform

Contextual Apps, Robust O365 APIs, Flexible Tools

Documents, People | Groups, Mail, Tasks, Calendars, REST Web Services

Page 7: Authentication to Office 365 Exchange Online before

Each Office 365 Workload API required different Authentication

Build your own Sign-On UX: capture Username/Password and use NetworkCredential for the request (the Basic Auth pattern this session replaces; the app itself holds and sends the user's password)

    // Before: the app stores the user's password and presents it on every request
    NetworkCredential creds = new NetworkCredential(SecurelyStoredUserName, SecurelyStoredPassword);
    request.Credentials = creds;

Cache Username/Password securely for your Device or Web Site

Page 8: One Authentication to Office 365 APIs

Sign-On experience using Organizational Account

Combined Consent across all Office 365 APIs

Page 9: Benefits

One Auth Infrastructure for Office 365:

Same AuthN/AuthZ code regardless of what API you are accessing: mail, files, profile information, etc.

Same flow works for all kinds of apps: web apps, mobile apps, etc.

No more explicit credential management

Granular permissions for the application

Based on OAuth2 and OpenID Connect

Integrated in Windows Azure Active Directory using Organizational Accounts:

Same experience for your app as for the native Office 365 apps

Integration into Sign-On differentiators such as PhoneFactor

Works for Hybrid with Federated Sign-On

Page 10: Windows Azure AD Application Model

ISV Tenant (ADatum): registers the application with AAD, describes its identity information, describes the required permissions, and makes the application available to other tenants.

Session Picker App
ClientID: 4572d8c8-d6e9-4950-8f34-bb40d95ab92c
ClientSecret: <keys>
RedirectUris: ms-app://<SID>
Permissions:
• SharePoint: AllSites.Read
• Exchange: Calendar.Write, Mail.Send
• AAD: Profile.read

Customer Tenants: an Administrator or End-user consents to the Application. Consent creates a Service Principal for the App in the customer tenant, and the consent is recorded:
Web Apps: as a permission in AAD
Native Apps: in the refresh token

App Management Policies to allow consent for apps: Web Apps within the AAD portal*, Native Apps with the Device

Contoso Tenant: Session Picker App Service Principal, Permission: [email protected], AllSites.Read …

Fabrikam Tenant: Session Picker App Service Principal, Permission: [email protected], AllSites.Read …

*Application Management within Office 365 Portal coming soon

Page 11: Sign-Up and Sign-In flows for Web Apps

https://sessionpicker.net, Azure AD, User consent experience
Request to authorization endpoint: client_id, redirect_uri, response_type=code

https://sessionpicker.net, Azure AD, Admin consent experience
Request to authorization endpoint: client_id, redirect_uri, response_type=code, prompt=admin_consent

• Sign-Up using OAuth 2 Authorization Flows

• Admin and User consent-able permissions

• Sign-In can also use OpenID Connect in future
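The front-channel half of the two flows above, written as an added example rather than code from the deck: it builds the authorization request for user consent or admin consent and then validates the redirect back to the app. The `state` parameter is not on the slide; it is standard OAuth2 practice and is what ties the callback to the browser session that started the flow. The endpoint URL, the callback path and the dict-based session store are assumptions of the example.

```python
"""Build the page-11 authorization requests and validate the callback.
Added example; the endpoint URL, callback path and session store are assumed."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed: the common AAD authorization endpoint (same host as the ADAL sample later in the deck).
AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize"
CLIENT_ID = "4572d8c8-d6e9-4950-8f34-bb40d95ab92c"         # ClientID from the page 10 registration
REDIRECT_URI = "https://sessionpicker.net/oauth/callback"   # assumed; must match a registered RedirectUri


def build_authorization_request(session, admin_consent=False):
    """Return the URL to send the browser to, storing a fresh `state` in the session.

    `state` binds the eventual redirect to this browser session so an attacker
    cannot deliver their own authorization code into a victim's callback.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    }
    if admin_consent:
        # Page 11: the admin consent experience is the same request plus prompt=admin_consent
        params["prompt"] = "admin_consent"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Validate the redirect from Azure AD and return the authorization code.

    Raises ValueError when the state is missing or does not match the one stored
    for this session, when AAD returned an error, or when no code is present.
    The stored state is consumed so the same redirect cannot be replayed.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: redirect is not bound to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```

The code returned by `handle_callback` is then redeemed at the token endpoint (back channel); the state check happens before anything else because an error response carrying a foreign state is just as untrusted as a code carrying one.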

Page 12: Demo: Registering the Session Picker App in Windows Azure AD

Page 13: Basic Auth Protocol Flow with Office 365

(The "basic" flow here is the OAuth2 authorization code flow between the App, the AAD OAuth2 server and the Office 365 API endpoints, not HTTP Basic authentication.)

Participants: User, App, AAD OAuth2 server (Authorization/Token Issuing endpoints), Office 365 Exchange API endpoint, Office 365 SharePoint API endpoint

1. App -> AAD authorization endpoint: Authorization Request
2. User: Login & Consent
3. AAD -> App: Code
4. App -> AAD token endpoint: Use Code to get Exchange API Token
5. AAD -> App: Token Response
6. App -> Office 365 Exchange API endpoint: Call API with Token
7. App -> AAD token endpoint: Use refresh token to get SharePoint API Token
8. AAD -> App: Token Response
9. App -> Office 365 SharePoint API endpoint: Call API with Token

Page 14: Auth to multiple workloads in Office 365

Each Office 365 Workload API requires a different AccessToken: the AccessToken is workload (API) specific.

The RefreshToken is global: use the same RefreshToken to acquire separate AccessTokens for each Office 365 Workload API.

AccessToken
• Relatively short lived: valid for 1 hour
• Best practice: the App should handle a 401 from the Office 365 API and get a new token

RefreshToken
• Long lived. Treat it as "forever". It is a bearer credential, so store it as carefully as the password it replaces.
• Best practice: the App should handle an "invalid_grant" return from the token issuing endpoint and redirect to the authorization endpoint

The Application only needs to maintain a single RefreshToken.
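The back-channel half of the flow on pages 13 and 14, as an added example that is not code from the deck or from ADAL. `FakeSts` is a stand-in for the AAD token issuing endpoint so the example runs offline; a real client POSTs `grant_type=authorization_code` or `grant_type=refresh_token` together with a `resource` parameter to the token endpoint over HTTPS. The token formats, the one-hour lifetime model and all class names are assumptions; the behaviour shown is the one the slide describes: one access token per resource, one refresh token for all of them, a 401 handled by refreshing once, and `invalid_grant` handled by sending the user back to the authorization endpoint.

```python
"""Token cache for per-workload access tokens sharing one refresh token (pages 13/14).
Added example; FakeSts and the lifetimes are assumptions standing in for AAD."""
import secrets
import time

ACCESS_TOKEN_LIFETIME = 3600   # page 14: access token valid for one hour


class FakeSts:
    """Stand-in for the AAD token endpoint plus the workload APIs' bearer check.
    An access token is bound to one resource and expires; one refresh token is
    good for every resource until revoked.  `now` is injectable for the demo."""

    def __init__(self, now=time.time):
        self.now = now
        self.refresh_tokens = set()
        self.access_tokens = {}          # access token -> (resource, expires_at)

    def redeem_code(self, code, resource):
        # A real endpoint validates the code against client_id/redirect_uri; the stand-in accepts any code.
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens.add(rt)
        return {"access_token": self._issue(resource), "refresh_token": rt, "resource": resource}

    def refresh(self, refresh_token, resource):
        if refresh_token not in self.refresh_tokens:
            return {"error": "invalid_grant"}   # revoked or otherwise no longer accepted
        return {"access_token": self._issue(resource), "refresh_token": refresh_token, "resource": resource}

    def revoke(self, refresh_token):
        self.refresh_tokens.discard(refresh_token)

    def _issue(self, resource):
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = (resource, self.now() + ACCESS_TOKEN_LIFETIME)
        return token

    def check_bearer(self, token, resource):
        """What a workload API does with the Authorization header: 200, or 401 when
        the token is unknown, expired, or was issued for a different resource."""
        entry = self.access_tokens.get(token)
        if entry is None or entry[0] != resource or entry[1] <= self.now():
            return 401
        return 200


class ReauthorizationRequired(Exception):
    """The refresh token was rejected with invalid_grant: the app must send the
    user back through the authorization endpoint (page 14)."""


class TokenCache:
    """One refresh token per signed-in user; one access token per resource."""

    def __init__(self, sts, code, first_resource):
        self.sts = sts
        resp = sts.redeem_code(code, first_resource)
        # Long-lived bearer credential: protect it at rest as carefully as the password it replaces.
        self.refresh_token = resp["refresh_token"]
        self.access_tokens = {first_resource: resp["access_token"]}

    def token_for(self, resource, force_refresh=False):
        if force_refresh or resource not in self.access_tokens:
            resp = self.sts.refresh(self.refresh_token, resource)
            if resp.get("error") == "invalid_grant":
                self.access_tokens.clear()
                raise ReauthorizationRequired(resource)
            self.access_tokens[resource] = resp["access_token"]
        return self.access_tokens[resource]

    def call_api(self, resource):
        """Call `resource` with a bearer token; on 401 refresh once and retry (page 14)."""
        status = self.sts.check_bearer(self.token_for(resource), resource)
        if status == 401:
            status = self.sts.check_bearer(self.token_for(resource, force_refresh=True), resource)
        return status
```

The retry is bounded to one refresh: a second 401 after a fresh token means the problem is not expiry (wrong resource, revoked consent) and should surface to the caller instead of looping.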

Page 15: What's In A JWT token and using that in the Sign-Up flow

• Admin consent – record that the organization has signed up (tenant ID)

• User consent – record that the user has signed up (UPN, display name and object ID)

Claim | Example | Intended Purpose
Tenant ID [tid] | 09f9ea02-9be8-4597-86b9-32935a17723e | Immutable tenant identifier
UPN [upn] | [email protected] | Display only
First Name [given_name] | Matthias | Display only
Last Name [family_name] | Leibmann | Display only
Object ID [oid] | b6e5ea27-e04a-49b6-9677-e404d87d0b9e | Immutable security identifier

Key the app profile database on tid and oid; upn, given_name and family_name can be changed by the tenant and must not be used as identifiers.

Go here for more information on MSDN
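Reading the sign-up claims out of a JWT, as an added example that is not code from the deck. No claim may be believed before the signature is verified. Real Azure AD tokens are RS256-signed with keys published at the directory's metadata endpoint; to run offline, this example constructs its own token and signs it with HS256 under a shared secret, which is a stand-in for the demo and not how AAD signs tokens. The audience check uses the app's ClientID from page 10; which token the app inspects (id_token or access token), and therefore the right expected audience, is an assumption here.

```python
"""Validate a JWT and extract the page-15 sign-up record keyed on tid/oid.
Added example; HS256 with a shared secret stands in for AAD's RS256 signing."""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"demo-only-shared-secret"                      # constructed for the example
EXPECTED_AUDIENCE = "4572d8c8-d6e9-4950-8f34-bb40d95ab92c"    # Session Picker ClientID (page 10)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims, secret=DEMO_SECRET):
    """Build an HS256 JWT carrying `claims` (demo helper standing in for AAD)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def verify_signature(token, secret=DEMO_SECRET):
    """Return the claims only if the signature checks out.  The algorithm is
    pinned by the verifier; the token header is never allowed to choose it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def signup_record(token, now=None, audience=EXPECTED_AUDIENCE):
    """Validate the token and return what the app profile database should store.

    The record is keyed on tid and oid, the immutable identifiers from the table
    above; upn and the name claims are kept for display only since they can change."""
    claims = verify_signature(token)
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token is not valid at this time")
    if not claims.get("tid") or not claims.get("oid"):
        raise ValueError("tid/oid missing")
    full_name = " ".join(n for n in (claims.get("given_name"), claims.get("family_name")) if n)
    return {
        "tenant_key": claims["tid"],
        "user_key": claims["oid"],
        "display": {"upn": claims.get("upn"), "name": full_name},
    }
```

For admin consent the record only needs `tenant_key`; for user consent both keys are stored, and the display fields are refreshed from the next valid token rather than trusted as identity.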

Page 16: Demo: OAuth Sandbox

Understanding the Protocol Flow for Office 365 APIs

Page 17: Native Client Apps

ADAL Client libraries implement the OAuth2 protocol and, dependent on platform*, provide additional features such as caching of tokens.

Available for various platforms: Windows RT and the Windows .NET Framework via NuGet; Android and iOS via GitHub.

ADAL provides lots of features* that the App otherwise has to implement itself:
• The App calls AcquireToken, which uses the OAuth2 protocol
• ADAL initiates user prompting to authenticate
• ADAL caches the Access Token and Refresh Token
• ADAL reaches into the cache and finds the Access Token for subsequent API calls
• If the Access Token is near expiry, ADAL drops it and gets a new one via the Refresh Token
• Provided the Refresh Token is still valid, EvoSTS returns a new Access Token and no interaction is required by the user

*Features are dependent on platform, see ADAL documentation for more information

Page 18: Sample code using ADAL

    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using System.Net.Http.Headers;

    // Initialize the Auth context against the common endpoint (any tenant can sign in)
    AuthenticationContext authenticationContext = new AuthenticationContext("https://login.windows.net/common");

    // Get the first AccessToken: the resource is the Exchange Online endpoint; ADAL prompts the user if needed
    AuthenticationResult exchangeResult = await authenticationContext.AcquireTokenAsync("https://outlook.office365.com/", AppSettings.ClientID);
    string exchangeAccessToken = exchangeResult.AccessToken;

    // Attach the AccessToken to the WebRequest as a Bearer token
    webRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", exchangeAccessToken);

    // Get more AccessTokens: a different resource needs its own AccessToken;
    // ADAL reuses the cached RefreshToken, so the user is not prompted again
    AuthenticationResult sharePointResult = await authenticationContext.AcquireTokenAsync("https://contoso.sharepoint.com/", AppSettings.ClientID);
    string sharePointAccessToken = sharePointResult.AccessToken;

Page 19: Demo: Adding Auth to the Session Picker App

Page 20: Summary of development steps

Build
1. Register the application with Azure AD in your Dev tenant. Requires a tenant with an Azure subscription and an O365 subscription.
2. Configure your application registration with the permissions it needs, using the Azure Management Portal.
3. Build the app code: decide on user sign-up, admin sign-up or both. Use the OAuth flow for sign-up, get back info on the signed-up user/tenant and store it in your app profile database.

Test and Deploy
4. Test the consent flow using a set of test directory tenants (easily created).
5. Test revocation for admin and user (through the app access panel, coming soon).
6. Deploy and maintain.

Visual Studio Tooling available to integrate apps with AAD and Office 365 APIs

Page 21: Introducing: Mail, Calendar, Contact REST APIs Preview

Page 22: Why?

Powerful, easy way to access and manipulate Exchange Data

Based on open standards: OAuth 2.0, OData 4.0, JSON

Granular, tightly scoped permissions to access user data

Web friendly APIs to enable web and mobile app developers

Page 23: What? Features: Mail, Calendar and Contacts

Rich Service Metadata: lists all Entities, Collections, Actions, Complex Types, Enums and their Properties.
https://outlook.office365.com/EWS/OData/$metadata

Service Root; Top Level Entity: User
https://outlook.office365.com/EWS/OData/Users('[email protected]')/

Me = Users('<authenticated user's email address>')
https://outlook.office365.com/EWS/OData/Me

Page 24: When? Available Today!!

LIVE NOW: https://outlook.office365.com/ews/odata/

Page 25: What we are building?

1. Calendar – Create or Update an Event

2. Calendar – Delete an Event

Page 26: Calendar - Coffee @ 4?

Permissions: Read, Read+Write

Entities, Collections, Actions:

Entity | Collection | Actions
CalendarGroup | CalendarGroups |
Calendar | Calendars |
Event | Events | CRUD, Accept, Decline, TentativelyAccept
Attachment | Attachments | CRUD

Samples:
https://outlook.office365.com/EWS/OData/Me/Calendar
https://outlook.office365.com/EWS/OData/Me/Calendar/Events?$top=1

Page 27: Demo: Add, Update an Event in the Session Picker App

Page 28: What we are building!

3. Mail - Send a Message

Page 29: You've got Mail!

Permissions: Read, Read+Write, Send

Entities, Collections, Actions:

Entity | Collection | Actions
Folder | Folders | CRUD, Copy, Move
Message | Messages | CRUD, Copy, Move, Reply, ReplyAll, Forward, Send, CreateReply, CreateReplyAll, CreateForward
Attachment | Attachments | CRUD

Samples:
https://outlook.office365.com/EWS/OData/Me/Inbox
https://outlook.office365.com/EWS/OData/Me/Inbox/Messages?$top=1

Page 30: Demo: Send Email in the Session Picker App

Page 31: Contacts – Your number again?

Permissions: Read, Read+Write

Entities, Collections, Actions:

Entity | Collection | Actions
ContactFolder | ContactFolders |
Contact | Contacts | CRUD

Samples:
https://outlook.office365.com/EWS/OData/Me/ContactFolders('Contacts')/
https://outlook.office365.com/EWS/OData/Me/ContactFolders('Contacts')/Contacts

Note: Use the Azure Active Directory Graph API to find users in an Org.

Page 32: Rich Query Syntax using OData

Scenario | URL
Get 5 messages from Inbox | https://outlook.office365.com/EWS/OData/Me/Inbox/Messages?$top=5
Get the next 10 messages | https://outlook.office365.com/EWS/OData/Me/Inbox/Messages?$top=10&$skip=5
Get 10 messages, skipping the first 10, sorted by DateTimeCreated | https://outlook.office365.com/EWS/OData/Me/Inbox/Messages?$top=10&$skip=10&$orderby=DateTimeCreated
Get selective properties on messages | https://outlook.office365.com/EWS/OData/Me/Inbox/Messages?$top=5&$select=From,DateTimeCreated,Subject
Get Events starting after a particular DateTime | https://outlook.office365.com/EWS/OData/Me/Events?$top=5&$select=Subject,Start,End&$filter=Start ge 2014-03-04T20:00:00Z
Get Contacts where Display Name contains 'Rohit' | https://outlook.office365.com/EWS/OData/Me/Contacts?$top=10&$filter=contains(DisplayName,'Rohit')

OData string literals in $filter are single-quoted; a user-supplied value must have any embedded single quote doubled ('') before it is spliced into the filter, and the filter must be URL-encoded, or a name such as O'Brien breaks the query.
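Building the query URLs in the table above from untrusted input, as an added example that is not code from the deck. An OData string literal is single-quoted and an embedded quote is escaped by doubling it; the assembled `$filter` is then percent-encoded for the URL. Without the doubling, a display name like O'Brien produces a malformed query, and a crafted value could change what the filter matches. `SERVICE_ROOT` is the endpoint the deck shows; the helper names are assumptions.

```python
"""Safe construction of the page-32 OData query URLs from user input.
Added example; helper names are assumptions, SERVICE_ROOT is from the deck."""
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

SERVICE_ROOT = "https://outlook.office365.com/EWS/OData"
# Characters left unencoded so the URL stays readable: OData's own punctuation.
# Everything else in a value (spaces, &, =, %, non-ASCII) is percent-encoded.
URL_SAFE = "$,()':/"


def odata_string(value):
    """Quote a user-supplied value as an OData string literal (' becomes '')."""
    if not isinstance(value, str):
        raise TypeError("string literal expected")
    return "'" + value.replace("'", "''") + "'"


def odata_datetime(value):
    """Render a timezone-aware datetime as the unquoted UTC literal the slide uses (2014-03-04T20:00:00Z)."""
    if not isinstance(value, datetime) or value.tzinfo is None:
        raise ValueError("aware datetime required: a naive value is ambiguous without a time zone")
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_query(path, top=None, skip=None, orderby=None, select=None, filter=None):
    """Assemble SERVICE_ROOT/path?$top=...&$filter=... with proper encoding.

    `filter` must be a well-formed OData expression assembled from the literal
    helpers above; `path`, `orderby` and the `select` names are application
    constants, not user input."""
    params = []
    if top is not None:
        params.append(("$top", int(top)))      # int() rejects values like "5&$filter=..."
    if skip is not None:
        params.append(("$skip", int(skip)))
    if orderby:
        params.append(("$orderby", orderby))
    if select:
        params.append(("$select", ",".join(select)))
    if filter:
        params.append(("$filter", filter))
    url = SERVICE_ROOT + "/" + path.strip("/")
    if params:
        url += "?" + urlencode(params, safe=URL_SAFE, quote_via=quote)
    return url
```

`quote` (rather than the default `quote_plus`) is used so spaces in the filter become `%20`; a `+` in a query string is decoded as a space by some servers and kept literal by others, which is exactly the kind of ambiguity a filter expression should not carry.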

Page 33: Demo: Sample Queries

Page 34: Summary and Key Takeaways

Auth to Office 365 APIs:
• Office 365 APIs use the same Auth model based on Windows Azure AD
• Don't use Basic Auth anymore to Office 365 Exchange Online
• ADAL client libraries do a lot of heavy lifting for your App

Mail, Calendar, Contacts REST API:
• APIs that allow you to create end to end O365 apps with targeted scopes
• Lightweight and quick to learn and develop

Page 35: Feedback and References

Auth to Office 365 APIs

Recommended Sessions:
SharePoint Power Hour - New developer APIs and features for Apps for SharePoint (Recorded)
Build SharePoint Solutions for Mobile Devices (Wednesday 10:45, Ballroom I,J)

More References:
Overview of the Common Consent Integration Framework
How to integrate O365 with a web server app using the Common Consent Framework
CodePlex/code gallery: Templates for Office 365/AAD MVC and Win8 App
Session Picker Demo App
AAD: http://msdn.microsoft.com/aad
ADAL: http://msdn.microsoft.com/en-us/library/windowsazure/dn151135.aspx
ADAL library for Android and iOS

Mail, Calendar, Contacts REST API

Recommended Sessions:
Use OData to get more from Office and Power BI (Wed, 3.15 pm, Ballroom K,L)
SharePoint App best practices using OData and the SharePoint REST API (Wed, 5pm, Ballroom A-H)
OneDrive for Business extensibility: building great apps solutions (Recorded)

More References:
Using the Mail, Calendar, and Contact REST APIs to work with emails, calendar items, and contacts
OData Reference and libraries

Feedback: [email protected], [email protected]

Page 36: Calls to Action

Explore our new Preview APIs: in-depth articles on MSDN. Subject to change; not for production use.

Connect with the community: speak your mind at OfficeSPDev.UserVoice.com; solve your roadblocks on StackOverflow ([Office] and [SharePoint])

Build using our tools: unleash your development skills with Office Dev Tools for Visual Studio 2013 and Office 365 API Tools for Visual Studio 2013

Page 37: MySPC, Sponsored by

connect. reimagine. transform.

Evaluate sessions on MySPC using your laptop or mobile device: myspc.sharepointconference.com

Page 38: © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.