Transcript
Page 1: Oauth and SharePoint 2013 Provider Hosted apps

630 Freedom Business Center Drive3rd FloorKing of Prussia, PA 19406

©2013 CapTech Ventures

www.captechconsulting.com

Tri-State SharePoint

SharePoint 2013 Auth – Giving an app a first class identity

James Tramel

May 14, 2013

Page 2: Oauth and SharePoint 2013 Provider Hosted apps

©2012 CapTech Ventures, Inc. All rights reserved.

CapTech

• Philadelphia, DC, Richmond and Charlotte Based

• Practices – MC/SI/DMBI - thought leadership

• Technology agnostic, several MS folks in SI practice

• We’re local and community focused

• Philabundance, Run to Rebuild, United Way

Page 2

Page 3: Oauth and SharePoint 2013 Provider Hosted apps


Agenda

Clouds and SharePoint, Clouds and Apps, Clouds and You

OAuth – small demo

Authorization vs Authentication

OAuth, Apps and Identity

Hosting and Trust

Demo

Page 4: Oauth and SharePoint 2013 Provider Hosted apps


Cloudy with a chance of meatballs

Page 5: Oauth and SharePoint 2013 Provider Hosted apps

The Cloud – compute as a service utility

• Bing Maps Data Center in a minute: http://www.youtube.com/watch?v=XbKunHnuIcA

• Modular Data Center Overview: http://www.youtube.com/watch?v=LiMq_5L1MQg

• Inside a Modular Data Center: http://www.youtube.com/watch?v=nIliMskAHro

Page 6: Oauth and SharePoint 2013 Provider Hosted apps

What is SharePoint?

• Application or platform?

• What’s the difference between these things:

- Office 365, BPOS

- SharePoint Online

- SharePoint on Premise

- SharePoint Hybrid

- SharePoint 2010

- SharePoint 2013

- Foundation, Server and Enterprise

- SharePoint in Azure, AWS, RackSpace, Cloudshare

Page 7: Oauth and SharePoint 2013 Provider Hosted apps

What is SharePoint in relation to the cloud

Page 8: Oauth and SharePoint 2013 Provider Hosted apps

Cloud Continuum

Page 9: Oauth and SharePoint 2013 Provider Hosted apps

IaaS vs PaaS vs SaaS

Page 10: Oauth and SharePoint 2013 Provider Hosted apps

IaaS vs PaaS vs SaaS

Page 11: Oauth and SharePoint 2013 Provider Hosted apps

IaaS vs PaaS vs SaaS

Page 12: Oauth and SharePoint 2013 Provider Hosted apps

5-3-2 Cloud

Page 13: Oauth and SharePoint 2013 Provider Hosted apps

What does this have to do with apps?

Page 14: Oauth and SharePoint 2013 Provider Hosted apps

What does this have to do with apps?

• Apps in the cloud

• Making systems and apps more robust

• Tying to the cloud, but you don’t have to

• Services working together

• How do you make this work?

Page 15: Oauth and SharePoint 2013 Provider Hosted apps

What else is going on in the web?

• Twitter

• Tumblr

• Bitly

• Facebook

• Instagram

• Wordpress

• Geolocation

Page 16: Oauth and SharePoint 2013 Provider Hosted apps

Demo

Page 17: Oauth and SharePoint 2013 Provider Hosted apps

OAuth

• OAuth is an open standard for delegated authorization: a user lets an app act on their behalf without handing it their password

• OAuth is not OpenID (authentication / digital identity)

• Valet key: a limited key you hand over instead of the master key

• Access Token: the valet key itself, presented by the app on each request

• Scopes: what the token is allowed to do, and nothing more

Page 18: Oauth and SharePoint 2013 Provider Hosted apps

What's your P@ssword!

• Last time you changed your password?

• Benefits of the valet?

Page 19: Oauth and SharePoint 2013 Provider Hosted apps

Authentication vs Authorization

Authentication is the verification of the credentials of the connection attempt
• Who is the user?
• Is the user really who he/she represents himself/herself to be?

Authorization is the verification that the connection attempt is allowed
• Is user X authorized to access resource R?
• Is user X authorized to perform operation P?
• Is user X authorized to perform operation P on resource R?

Page 20: Oauth and SharePoint 2013 Provider Hosted apps


SharePoint 2010 Authentication

• Authentication

- Windows (NTLM, Kerberos, Anonymous, Basic, Digest)

- Forms (LDAP, SQL, Custom)

- SAML (ADFS, Custom, LDAP)

• Development

- Farm (full trust)

- Sandbox (some trust)

- REST / Client OM (no server-side trust; code runs with the caller's own permissions, except where explicitly granted)

Page 21: Oauth and SharePoint 2013 Provider Hosted apps

SP 2013 Auth

Claims, Claims, Claims
• Classic-mode (Windows classic) authentication is no more, or on its way out
• Distributed Cache

Server to Server
• Exchange, Lync

App Authentication (App Model / App Catalog / CSOM)
• Create apps that use OAuth or another identity provider
• App Permission Policies (User+App, App Only, User Only)

Page 22: Oauth and SharePoint 2013 Provider Hosted apps

OAuth Terms

• Client app

- Remote app that needs site perms

• Content owner

- User who grants perms to content

• Content Server

- Web server where content is

• Auth Server

- Trusted server that authenticates apps and issues OAuth tokens (Windows Azure ACS, in the case of SharePoint 2013 low-trust apps)

Page 23: Oauth and SharePoint 2013 Provider Hosted apps

The Dance – how this works for Apps

Page 24: Oauth and SharePoint 2013 Provider Hosted apps

Low Trust Apps in SharePoint 2013

Page 25: Oauth and SharePoint 2013 Provider Hosted apps

BCS Hybrid and OAuth – The Dance (Example)

Page 26: Oauth and SharePoint 2013 Provider Hosted apps

Apps are people too

• Apps have permissions like users

• The app principal is like a user identity – a security principal

• Apps are granted perms

- Differs from users

- All or nothing / No hierarchy (the installing user grants every requested permission, or the install is cancelled)

• Apps have default perms

- An app can always run in its own app web

- An app can include permission requests in its manifest

- Install grants / denies permission

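The permission model on this slide, and the three app permission policies listed under SP 2013 Auth, as an added worked example that is not from the deck or from SharePoint's own code: it parses the AppPermissionRequests section of a constructed AppManifest.xml, models install-time consent as all-or-nothing, and evaluates a request under the user+app, app-only and user-only policies. The app name, ProductID and start page are hypothetical; the scope URIs, rights and the AllowAppOnlyPolicy attribute follow the SharePoint 2013 app manifest schema. Two simplifications: user permissions are expressed in the same scope/right vocabulary as app grants, and the BaseTemplateId property filter on the list-scoped request is parsed but not enforced.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
RIGHTS = ["Read", "Write", "Manage", "FullControl"]   # ordered: each right implies the earlier ones

# Constructed AppManifest.xml for a hypothetical app. Element names, scope URIs,
# rights and AllowAppOnlyPolicy follow the SharePoint 2013 app manifest schema.
MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="InventoryConnector" ProductID="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>Inventory Connector</Title>
    <StartPage>https://app.contoso.example/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="*" />
  </AppPrincipal>
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
      <Property Name="BaseTemplateId" Value="100" />
    </AppPermissionRequest>
  </AppPermissionRequests>
</App>"""


def parse_permission_requests(manifest_xml):
    """Return (allow_app_only, [(scope, right), ...]) from the manifest."""
    root = ET.fromstring(manifest_xml)
    node = root.find("m:AppPermissionRequests", NS)
    if node is None:                       # an app that asks for nothing still gets its app web
        return False, []
    allow_app_only = node.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests = [(r.get("Scope"), r.get("Right"))
                for r in node.findall("m:AppPermissionRequest", NS)]
    return allow_app_only, requests


def consent(requests, user_trusts_app):
    """Install-time consent is all or nothing: every request is granted, or the install is cancelled."""
    return list(requests) if user_trusts_app else None


def has_right(grants, scope, right):
    """A grant covers its own scope and every scope beneath it (site collection > web > list),
    never the parent; a higher right satisfies a lower one."""
    need = RIGHTS.index(right)
    return any((scope == g_scope or scope.startswith(g_scope + "/")) and RIGHTS.index(g_right) >= need
               for g_scope, g_right in grants)


def authorize(policy, user_grants, app_grants, allow_app_only, scope, right):
    """Evaluate one request under the three SharePoint 2013 app permission policies."""
    if policy == "user+app":       # both identities must hold the right (the default for apps)
        return has_right(user_grants, scope, right) and has_right(app_grants, scope, right)
    if policy == "app-only":       # app acts without a user; only allowed if the manifest opted in
        return allow_app_only and has_right(app_grants, scope, right)
    if policy == "user-only":      # no app involved; ordinary user authorization
        return has_right(user_grants, scope, right)
    raise ValueError(f"unknown policy {policy!r}")
```

The point worth noticing is the user+app case: a site owner with FullControl still cannot get Write on the web through this app, because the app only asked for Read there. Conversely, an app with AllowAppOnlyPolicy="true" can write to lists with no user present at all, which is why that attribute deserves a review before the app goes into the catalog.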

Page 27: Oauth and SharePoint 2013 Provider Hosted apps


Access Tokens

• Access tokens are issued by the OAuth security token service (STS).

- An example of OAuth STS is Windows Azure Access Control Service (ACS) OAuth endpoints.

- In contrast, the WS-Federation STS and the Security Assertion Markup Language (SAML) passive sign-in STS are primarily intended to issue sign-in tokens.

• What's a token? In SharePoint 2013 it is a JSON Web Token (JWT): a signed set of claims stating who issued it, which app and host it is for, how long it is valid and, for user+app tokens, who the user is.

Page 28: Oauth and SharePoint 2013 Provider Hosted apps

Identity

Page 29: Oauth and SharePoint 2013 Provider Hosted apps

When is using OAuth required?

• To authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user.

• To authenticate apps in the Office Store, an app catalog, or a developer tenant.

Page 30: Oauth and SharePoint 2013 Provider Hosted apps

Plan for App Authentication

App authentication is the validation of an external app for SharePoint's identity, and the authorization of both the app and an associated user, when the app requests access to a secured SharePoint resource.

• Verify that the requesting app is trusted.

• Verify that the type of access that the app is requesting is authorized.

Page 31: Oauth and SharePoint 2013 Provider Hosted apps

Types of Hosting options

Page 32: Oauth and SharePoint 2013 Provider Hosted apps

Types of hosting

Page 33: Oauth and SharePoint 2013 Provider Hosted apps

Trust Relationships for hosting options

• Autohosted

- Autohosted apps run as a web role in Windows Azure and use the Windows Azure Access Control Service (ACS) to obtain the access token.

• Provider-hosted

- Provider-hosted apps run on their own servers on the Internet or your intranet, are registered with Windows Azure ACS, and use ACS to obtain the access token (low trust). On-premises farms that cannot reach ACS use a certificate-based high-trust relationship instead; see the next slide.

• SharePoint-hosted

- SharePoint-hosted apps run in an app web and can have client-side code (JavaScript) but no server-side code. SharePoint authenticates the user itself, so no OAuth token, ACS registration or certificate is involved; certificates and custom trust relationships only come into play when the developer hosts code outside SharePoint.

Page 34: Oauth and SharePoint 2013 Provider Hosted apps

High Trust vs Low Trust

• High-trust apps

- High-trust apps run on stand-alone servers on your intranet and use a signing certificate (an X.509 certificate whose public key SharePoint registers as a trusted security token issuer) to digitally sign the access tokens that the app generates itself. Typically server to server, with no ACS involved. High trust is not full trust: the app asserts who the user is, but it still gets only the permissions granted at install.

• Low-trust apps

- Low-trust apps can run anywhere and use an OAuth flow to delegate limited rights to the app so it can act for a user: SharePoint posts a context token to the app, the app exchanges it with ACS for an access token, and that access token is presented to SharePoint. Both SharePoint and the app must trust and communicate with the authorization server, Windows Azure ACS.

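The low-trust dance described above, as an added worked example that is not part of the deck and not Microsoft's TokenHelper: the remote web receives SharePoint's SPAppToken POST, verifies the context token (an HS256 JWT signed with the decoded client secret) before using anything inside it, and then builds the refresh-token grant it would POST to ACS. Python is used because it runs stand-alone; a real provider-hosted app does the same work in C# via TokenHelper.cs. The client id, secret, realm and host names are hypothetical, the sample claims are constructed (the claim names follow what TokenHelper reads, which is this page's assumption), and no network call is made.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical identifiers. A real provider-hosted app gets client id/secret from
# appregnew.aspx (or the Seller Dashboard) and the realm from the SharePoint tenant.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = base64.b64encode(b"hypothetical-secret-from-appregnew").decode()  # issued base64-encoded
REALM = "66666666-7777-8888-9999-000000000000"
APP_HOST = "app.contoso.example"                  # hypothetical remote web host
SP_HOST = "sharepoint.contoso.example"            # hypothetical SharePoint host
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # well-known ACS principal id
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # well-known SharePoint principal id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_context_token(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT the way ACS/SharePoint would; the HMAC key is the decoded secret."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(base64.b64decode(secret), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_context_token(token, secret, client_id, host, realm, now=None, skew=300):
    """Checks the remote web makes before trusting anything in the SPAppToken POST body."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")                       # refuse alg=none downgrades
    expected = hmac.new(base64.b64decode(secret), (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):     # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != f"{client_id}/{host}@{realm}":      # minted for another app or host
        raise ValueError("wrong audience")
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{realm}":
        raise ValueError("unexpected issuer")
    if claims.get("nbf", 0) - skew > now or claims.get("exp", 0) + skew < now:
        raise ValueError("token outside validity window")
    return claims


def build_access_token_request(claims, client_id, secret, sp_host, realm):
    """Form fields POSTed to the ACS OAuth2 endpoint (URI from the appctx claim) to trade
    the refresh token for an access token scoped to one SharePoint host. No network call."""
    return {
        "grant_type": "refresh_token",
        "client_id": f"{client_id}@{realm}",
        "client_secret": secret,
        "refresh_token": claims["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{sp_host}@{realm}",
    }


def sample_claims(host=APP_HOST, issued=1_700_000_000):
    """Claims shaped like a SharePoint context token (names as TokenHelper reads them; values constructed)."""
    return {
        "aud": f"{CLIENT_ID}/{host}@{REALM}",
        "iss": f"{ACS_PRINCIPAL}@{REALM}",
        "nbf": issued,
        "exp": issued + 12 * 3600,
        "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
        "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                              "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"}),
        "refreshtoken": "constructed-refresh-token",
    }


def _outcome(token, now):
    try:
        return validate_context_token(token, CLIENT_SECRET, CLIENT_ID, APP_HOST, REALM, now)["refreshtoken"]
    except ValueError as err:
        return str(err)


def demo_outcomes():
    """One good token and four bad ones; returns what the validator said about each."""
    now = 1_700_000_100
    good = make_context_token(sample_claims(), CLIENT_SECRET)
    h, p, s = good.split(".")
    edited = dict(json.loads(_b64url_decode(p)), refreshtoken="attacker-refresh-token")
    tampered = ".".join([h, _b64url(json.dumps(edited).encode()), s])     # payload edited, signature stale
    alg_none = ".".join([_b64url(b'{"typ":"JWT","alg":"none"}'), p, ""])  # unsigned downgrade attempt
    other_host = make_context_token(sample_claims(host="evil.example"), CLIENT_SECRET)
    return {
        "valid": _outcome(good, now),
        "tampered": _outcome(tampered, now),
        "alg_none": _outcome(alg_none, now),
        "other_host": _outcome(other_host, now),
        "expired": _outcome(good, now + 2 * 24 * 3600),
    }
```

The four negative cases are the ones worth exercising against your own remote web: an edited payload with a stale signature, an alg=none downgrade, a token minted for a different host, and an expired token. The audience check is what stops a context token captured from one app being replayed to another app sharing the same secret, and the constant-time compare keeps the HMAC check from leaking through timing. In the real flow, everything the app later does against SharePoint happens with the access token returned by ACS, never with the context token itself.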

Page 35: Oauth and SharePoint 2013 Provider Hosted apps


Demo

• Setting up a provider hosted app to run in Azure

Page 36: Oauth and SharePoint 2013 Provider Hosted apps

References

• MSDN, Technet, Microsoft, Wikipedia

• Robert G Carter, Duke University OIT

• Connecting a PaaS Application to an IaaS application with a Virtual Network – Yung Chou, MS Tech Evangelist

• Introduction to Windows Azure Virtual Machines – Keith Mayer, MS Developer Evangelist

• Creating a SharePoint Server 2013 Environment for Development and Testing – Critical Path

• SharePoint 2013 Developer Ramp Up – Plural Sight, Andrew Connell

• David Aiken & Dan Wesley SharePoint 2013 on Windows Azure Infrastructure_v1 http://www.microsoft.com/en-us/download/details.aspx?id=38428

• Step-by-Step: Build a FREE SharePoint 2013 Lab in the Cloud with Windows Azure Infrastructure Services http://blogs.technet.com/b/keithmayer/archive/2013/01/07/step-by-step-build-a-free-sharepoint-2013-lab-in-the-cloud-with-windows-azure-31-days-of-servers-in-the-cloud-part-7-of-31.aspx

Page 37: Oauth and SharePoint 2013 Provider Hosted apps

Yes You can

• Premium Subscriber

• Free Account in Azure

Page 38: Oauth and SharePoint 2013 Provider Hosted apps

Do it

• Client

- Powershell

• Azure cmdlets

• Import azure module

• Get/set azure publishing settings

- Visual Studio 2012

• Azure toolkit

• Office Developer Tools

• Azure

- Affinity Group

- Storage

- DNS

- Network

- Active Directory

Page 39: Oauth and SharePoint 2013 Provider Hosted apps


SharePoint Demo
