Posted: 16-Dec-2015
Understanding Authentication and Permissions with Apps for SharePoint and Office
Session 3-603

Kirk Evans, Principal Premier Field Engineer, Microsoft Corporation
Microsoft Certified Master, SharePoint 2010; 15+ years of experience
Blog: http://blogs.msdn.com/kaevans
Please use Twitter! @kaevans #bldwin
Agenda
- Establishing trust
- Types of app authentication
- OAuth authentication
- App authorization
- Dynamic permission requests
[Slide photo: Close Shave by SeaDave, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/]
Establishing trust
[Slide photo: Dr. Garland prepares to fall by genvessel, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/]

[Slide: a consent prompt from the Contoso photo app asking the user, Kirk, to let it view, upload, tag, comment, delete, and change password.]
App model: past, present, and future
- SharePoint 2007: custom code runs inside SharePoint itself.
- SharePoint 2010: the Sandbox (sandboxed solutions) constrains that code.
- SharePoint 2013: apps run outside SharePoint (Azure, IIS, LAMP, etc.) and call back in through the _api endpoint.
Authentication

How SharePoint 2013 decides the context of an incoming call (the slide's flowchart, read from Start to End):

Start
  Was an app token provided?
    Yes: does the app token include a user identity?
      Yes: user + app context
      No:  app-only context
    No: were user credentials provided?
      Yes: is the call to an app web?
        Yes: user + app context (the app web identifies the app principal)
        No:  user-only context
      No: anonymous context
End

The outcome matters for authorization: in user + app context both the user and the app must hold the permission; in app-only context only the app's granted permissions apply, with no user present.
Context token flow (participants: Browser, SharePoint, App.com, ACS; steps as numbered on the slides)

4) SharePoint renders the page with an iframe whose form will POST the context token to App.com:
   POST https://app.com/…SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…
5) The iframe causes the browser to request the contents from App.com, including the context token.
6) App.com validates the signature on the context token, extracts the refresh token it carries (labelled "auth code" on the original slide), and uses its own credentials (client_id and client_secret) to request an access token from ACS.
7) Windows Azure Access Control Services (ACS) returns an access token.
8) App.com calls the SharePoint CSOM or REST API with the access token.
9) SharePoint returns the data from the CSOM or REST call.

The context token reaches App.com through the user's browser, so App.com must treat it as untrusted input until the signature check in step 6 passes. The client secret that check depends on, and that the ACS request in step 6 needs, never leaves the App.com server.
Context token format (a JWT: three base64url-encoded, dot-separated segments: header, claims, signature)

SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.….c4gAOr-4OsWo-M54t1WRT0OrjVHtl2c7jpK4N5Hbof4

The header segment eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 decodes to {"typ":"JWT","alg":"HS256"}: the token is signed with HMAC-SHA256 keyed by the app's client secret, which is why App.com can verify it locally.

Context token format, decoded claims:

{
  "aud": "ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@2c439330-685e-4c13-817b-e057b9637ad0",
  "iss": "00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "nbf": 1352665645,
  "exp": 1352708845,
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "appctx": {
    "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
    "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"
  },
  "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw…",
  "isbrowserhostedapp": true
}

- aud: client_id/app host name@tenant realm; the app must check this is its own identity.
- iss: the ACS principal (00000001-0000-0000-c000-000000000000) in the tenant realm.
- nbf / exp: 2012-11-11 20:27:25Z (11/11/2012 12:27:25 PM local) to 2012-11-12 08:27:25Z (11/12/2012 12:27:25 AM local), a twelve-hour validity window.
- appctxsender: the SharePoint principal (00000003-0000-0ff1-ce00-000000000000) that sent the token.
- appctx: CacheKey identifies the user/tenant combination for caching access tokens; SecurityTokenServiceUri is where the app exchanges the refresh token.
- refreshtoken: what the app presents to ACS, together with its client secret, to obtain an access token.
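The validation App.com performs in step 6, as an added example that is not code from the slides or from Microsoft's TokenHelper: a minimal HS256 JWT check over the claims shown above. The tenant, issuer, sender and audience values are the ones on the slide; the client secret, the clock value passed as `now`, and the stand-in `mint_context_token` that plays the role of ACS are constructed for the example. Beyond the single good token on the slide, `demo` also shows the three rejections a context-token handler must get right: a payload re-targeted at another app while keeping the old signature, an unsigned `alg=none` token, and a token presented after its `exp`.

```python
import base64
import hashlib
import hmac
import json
import time

# Identifiers copied from the decoded context token on the slide.
TENANT_REALM = "2c439330-685e-4c13-817b-e057b9637ad0"
ACS_ISSUER = "00000001-0000-0000-c000-000000000000@" + TENANT_REALM
SHAREPOINT_SENDER = "00000003-0000-0ff1-ce00-000000000000@" + TENANT_REALM
EXPECTED_AUDIENCE = "ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@" + TENANT_REALM
# Constructed client secret (base64 text, as SharePoint app secrets are); not a real one.
CLIENT_SECRET_B64 = base64.b64encode(b"constructed-example-secret-do-not-reuse").decode()

# Claims from the decoded token on the slide. appctx travels as a JSON string inside the JWT.
SLIDE_CLAIMS = {
    "aud": EXPECTED_AUDIENCE,
    "iss": ACS_ISSUER,
    "nbf": 1352665645,  # 2012-11-11 20:27:25Z
    "exp": 1352708845,  # 2012-11-12 08:27:25Z, twelve hours later
    "appctxsender": SHAREPOINT_SENDER,
    "appctx": json.dumps({
        "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
        "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2",
    }),
    "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw...",  # truncated on the slide
    "isbrowserhostedapp": True,
}


def _b64url_encode(raw: bytes) -> str:
    """JWT segments are base64url without '=' padding, not plain base64."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_context_token(claims: dict, secret_b64: str, alg: str = "HS256") -> str:
    """Stand-in for ACS: HMAC-SHA256 over header.payload, keyed with the decoded client secret.
    alg="none" emits an unsigned token so the validator's refusal of it can be demonstrated."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(base64.b64decode(secret_b64), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_context_token(token: str, secret_b64: str, now=None) -> dict:
    """What App.com must do before trusting SPAppToken: pin the algorithm, verify the HMAC with a
    constant-time compare, then check iss, aud, appctxsender and the nbf/exp window.
    Raises ValueError on any failure; returns the claims only when every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm (alg=none, key confusion)
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(base64.b64decode(secret_b64), (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ACS_ISSUER:
        raise ValueError("issuer is not ACS for this realm")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was issued for a different app or host")
    if claims.get("appctxsender") != SHAREPOINT_SENDER:
        raise ValueError("appctxsender is not the SharePoint principal")
    now = int(time.time()) if now is None else now
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token is outside its nbf/exp window")
    return claims


def demo(now: int = 1352670000) -> dict:
    """Accept the genuine token, then reject a re-targeted payload carrying the old signature,
    an alg=none token, and the genuine token once its exp has passed."""
    good = mint_context_token(SLIDE_CLAIMS, CLIENT_SECRET_B64)
    claims = validate_context_token(good, CLIENT_SECRET_B64, now)
    header_b64, _, sig_b64 = good.split(".")
    forged = dict(SLIDE_CLAIMS, aud="11111111-2222-3333-4444-555555555555/evil.example@" + TENANT_REALM)
    retargeted = ".".join([header_b64,
                           _b64url_encode(json.dumps(forged, separators=(",", ":")).encode()), sig_b64])
    unsigned = mint_context_token(SLIDE_CLAIMS, CLIENT_SECRET_B64, alg="none")

    def rejected(tok: str, when: int = now) -> bool:
        try:
            validate_context_token(tok, CLIENT_SECRET_B64, when)
        except ValueError:
            return True
        return False

    return {
        "refresh_token": claims["refreshtoken"],
        "sts_uri": json.loads(claims["appctx"])["SecurityTokenServiceUri"],
        "retargeted_rejected": rejected(retargeted),
        "alg_none_rejected": rejected(unsigned),
        "expired_rejected": rejected(good, SLIDE_CLAIMS["exp"]),
    }
```

`demo()` returns the refresh token and SecurityTokenServiceUri the app would use next (the exchange with ACS is not simulated), and `True` for each of the three rejections. The algorithm is pinned before the signature is checked: a validator that reads `alg` from the token and honours it will accept an unsigned token or, with an asymmetric key, one signed with the public key.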
Permission requests

Apps request the permissions they require to run, in AppManifest.xml:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/>
</AppPermissionRequests>

Anatomy of a request, using <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>:
  Product:             http://sharepoint
  Permission provider: content
  Specific component:  sitecollection
  Capability (Right):  Read

AllowAppOnlyPolicy="true" asks for the right to call SharePoint with an app-only token, with no user present. The Property element narrows a list-scoped request: BaseTemplateId 101 is the document library template, so the Write right above applies to document libraries only.
Available app permissions

Scope                                                  Scope alias                       Rights
http://sharepoint/content/tenant                       AllSites                          Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection               Site                              Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection/web           Web                               Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection/web/list      List                              Read; Write; Manage; FullControl
http://sharepoint/bcs/connection                       None (not currently supported)    Read
http://sharepoint/search                               Search                            QueryAsUserIgnoreAppPrincipal
http://sharepoint/projectserver                        ProjectAdmin                      Manage
http://sharepoint/projectserver/projects               Projects                          Read; Write
http://sharepoint/projectserver/projects/project       Project                           Read; Write
http://sharepoint/projectserver/enterpriseresources    ProjectResources                  Read; Write
http://sharepoint/projectserver/statusing              ProjectStatusing                  SubmitStatus
http://sharepoint/projectserver/reporting              ProjectReporting                  Read
http://sharepoint/projectserver/workflow               ProjectWorkflow                   Elevate
http://sharepoint/social/tenant                        AllProfiles                       Read; Write; Manage; FullControl
http://sharepoint/social/core                          Social                            Read; Write; Manage; FullControl
http://sharepoint/social/microfeed                     Microfeed                         Read; Write; Manage; FullControl
http://sharepoint/taxonomy                             TermStore                         Read; Write
Dynamic permission requests: the authorization code flow (participants: Browser, SharePoint, App.com, ACS; steps as numbered on the slides)

3) SharePoint looks up the app principal based on the client_id in the authorization request:
   /_layouts/15/OAuthAuthorize.aspx?IsDlg=1&client_id=3ca819d1-0ef8-4cbf-aa76-9ae45fd78b14&scope=Web.Write&response_type=code
4) The user grants the requested permission and the browser is redirected to App.com with an authorization code:
   https://localhost:44301/Default.aspx?code=IAAAACn2TwEi67U76rep34e...S4NLsp4mi2IR2g&IsDlg=1
6) Microsoft Azure Access Control Services returns an access token.
7) App.com requests data from SharePoint using the access token.
8) SharePoint returns the data and the page is rendered.

The scope parameter uses the scope alias and right from the table above (Web.Write is Write on http://sharepoint/content/sitecollection/web). The code returned in step 4 is redeemed at ACS together with the app's client_id and client_secret, so a code observed in the browser is of no use to anyone without that secret.
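A reviewer's check over the two ways an app asks for permission on this page, the AppPermissionRequests fragment in the manifest and the scope=Alias.Right form in the OAuthAuthorize.aspx request, as an added example that is not code from the slides or from SharePoint itself. The scope table is the one on the slide; the manifest input is the slide's own fragment, constructed here as a string; `review_permission_requests` and its findings are this example's own. Run against the slide's fragment it reports the AllowAppOnlyPolicy flag and the search request's Right="Query", which the table lists only as QueryAsUserIgnoreAppPrincipal.

```python
import xml.etree.ElementTree as ET

# Scope URI -> (alias used by OAuthAuthorize.aspx, rights the scope offers), from the slide's table.
APP_PERMISSION_SCOPES = {
    "http://sharepoint/content/tenant": ("AllSites", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/content/sitecollection": ("Site", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/content/sitecollection/web": ("Web", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/content/sitecollection/web/list": ("List", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/bcs/connection": (None, {"Read"}),
    "http://sharepoint/search": ("Search", {"QueryAsUserIgnoreAppPrincipal"}),
    "http://sharepoint/projectserver": ("ProjectAdmin", {"Manage"}),
    "http://sharepoint/projectserver/projects": ("Projects", {"Read", "Write"}),
    "http://sharepoint/projectserver/projects/project": ("Project", {"Read", "Write"}),
    "http://sharepoint/projectserver/enterpriseresources": ("ProjectResources", {"Read", "Write"}),
    "http://sharepoint/projectserver/statusing": ("ProjectStatusing", {"SubmitStatus"}),
    "http://sharepoint/projectserver/reporting": ("ProjectReporting", {"Read"}),
    "http://sharepoint/projectserver/workflow": ("ProjectWorkflow", {"Elevate"}),
    "http://sharepoint/social/tenant": ("AllProfiles", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/social/core": ("Social", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/social/microfeed": ("Microfeed", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/taxonomy": ("TermStore", {"Read", "Write"}),
}
ALIAS_TO_SCOPE = {alias: scope for scope, (alias, _) in APP_PERMISSION_SCOPES.items() if alias}
# Tenant-wide scopes: a grant here covers every site collection or every profile (example's own list).
BROAD_SCOPES = {"http://sharepoint/content/tenant", "http://sharepoint/social/tenant"}

# Constructed input: the AppPermissionRequests fragment shown on the slide, as found in AppManifest.xml.
SLIDE_MANIFEST = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/>
</AppPermissionRequests>"""


def parse_permission_requests(xml_text: str):
    """Return (allow_app_only, [{scope, right, properties}, ...]) from an AppPermissionRequests element."""
    root = ET.fromstring(xml_text)
    allow_app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests = [
        {
            "scope": req.get("Scope"),
            "right": req.get("Right"),
            "properties": {p.get("Name"): p.get("Value") for p in req.findall("Property")},
        }
        for req in root.findall("AppPermissionRequest")
    ]
    return allow_app_only, requests


def review_permission_requests(xml_text: str) -> list:
    """Findings a reviewer wants before consenting: app-only policy, tenant-wide or FullControl
    grants, rights the scope does not offer, and scopes not in the table."""
    allow_app_only, requests = parse_permission_requests(xml_text)
    findings = []
    if allow_app_only:
        findings.append("AllowAppOnlyPolicy=true: the app may call SharePoint with no user present, "
                        "so every scope below is exercisable from the app's credentials alone")
    for req in requests:
        scope, right = req["scope"], req["right"]
        if scope not in APP_PERMISSION_SCOPES:
            findings.append(f"{scope}: unknown scope")
            continue
        _, rights = APP_PERMISSION_SCOPES[scope]
        if right not in rights:
            findings.append(f"{scope}: Right={right!r} is not offered by this scope "
                            f"({', '.join(sorted(rights))})")
        if scope in BROAD_SCOPES or right == "FullControl":
            findings.append(f"{scope}: {right} is tenant-wide or full control; confirm the app needs it")
    return findings


def parse_dynamic_scope(scope_param: str) -> list:
    """Translate the scope=Alias.Right form of /_layouts/15/OAuthAuthorize.aspx (e.g. Web.Write) into
    (scope URI, right) pairs, rejecting aliases or rights that are not in the table."""
    pairs = []
    for entry in scope_param.split():
        alias, _, right = entry.partition(".")
        scope = ALIAS_TO_SCOPE.get(alias)
        if scope is None:
            raise ValueError(f"unknown scope alias {alias!r}")
        if right not in APP_PERMISSION_SCOPES[scope][1]:
            raise ValueError(f"{alias} does not offer right {right!r}")
        pairs.append((scope, right))
    return pairs
```

`review_permission_requests(SLIDE_MANIFEST)` yields two findings for the slide's fragment; `parse_dynamic_scope("Web.Write")` resolves the slide's authorization request to Write on http://sharepoint/content/sitecollection/web. The same table drives both, so a right that the manifest would be refused is also refused in a dynamic request.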
Summary
- Establishing trust
- Types of app authentication
- OAuth authentication
- App authorization
- Dynamic permission requests
Resources
http://dev.office.com
http://blogs.msdn.com/kaevans
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.