Date posted: 01-Apr-2015
Agenda
- Intro
- Principals
- AuthN
- Trust
- AuthZ
About Mads Damgård
10 years with SharePoint (7 in MS)
Work interests: Dev, Troubleshooting, Search, SQL, Training
Non-work: MTB, Watersports, Travel
Principals
SharePoint has long had the notion of a User Principal, for example:
- europe\madsd
- fbaMembers:madsd
- i:0e.t|aad|[email protected]
The methods for dealing with User Principals are well known:
- SharePoint groups
- Permission levels
- Adding attributes about the user (identity or claim) to one of the above
What about App Principals though?
[Diagram, several slides: the Contoso site and a "Contoso photo" app. The permission set shown next to the app grows slide by slide: "View"; then "View, Upload, Tag, Comment"; then "View, Upload, Tag, Comment, Change Password"; a "?" marks the question of what the app itself should be allowed to do, and the last frame shows "View, Upload, Tag, Comment, Change Password" alongside just "View".]
User Principal and App Principal Context
[Flowchart: from Start, a request is classified by the decisions "User credentials provided?", "App token provided?", "App token includes user?" and "Call is to an app web?", each with Yes/No branches, into one of four contexts at End: User only context, App only context, User + App context, or Anonymous context.]
Apps Authentication
Two ways to access SharePoint:
- Client side: SharePoint-hosted apps and cloud/provider-hosted apps (client side) = direct calls or cross-domain calls
- Remote server side: cloud/provider-hosted apps = access token (low trust); server to server = access token (high trust)
Cross-domain calls are blocked by most browsers. Examples are: remote web -> app web, app web -> host web. Use SP.RequestExecutor.js, which posts the requests through a hidden iframe.
Low Trust
OAuth roles in the diagram: Client = App.com; Resource server = SharePoint; Resource owner = the user at the browser; Authorization server = ACS (Windows Azure Access Control Services).

1) User browses to a SharePoint page with an app part on it.
2) SharePoint requests a context token.
3) ACS returns a signed context token.
4) SharePoint renders the page with an iframe which will POST the context token to App.com:
   POST https://app.com/…SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…
5) The iframe causes the browser to request contents from App.com, including the context token.
6) App.com validates the signature on the context token, extracts the refresh token it carries, and uses that together with its own client credentials to request an access token from ACS.
7) ACS returns an access token.
8) App.com calls the SharePoint CSOM or REST API with the access token.
9) SharePoint returns data from the CSOM or REST API call.
10) App.com returns the iframe contents.

Tokens on the wire: step 5 carries the context token; steps 6 and 7 exchange the refresh token for an access token; step 8 presents the access token to SharePoint.
OAuth token summary
Context token format - Base64 encoded (header.payload.signature; the payload segment is elided here):
SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.….c4gAOr-4OsWo-M54t1WRT0OrjVHtl2c7jpK4N5Hbof4
The header decodes to {"typ":"JWT","alg":"HS256"}.
Context token format - Decoded JSON (the token carries epoch seconds; dates annotated):
{
  "aud": "ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@2c439330-685e-4c13-817b-e057b9637ad0",
  "iss": "00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "nbf": 1352665645,    // 2012-11-11 20:27:25Z (11/11/2012 12:27:25 PM local)
  "exp": 1352708845,    // 2012-11-12 08:27:25Z (11/12/2012 12:27:25 AM local), 12 hours later
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "appctx": {
    "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
    "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"
  },
  "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw…",
  "isbrowserhostedapp": true
}
Reading the claims: aud is <client id>/<app host>@<realm>, so the app must check both its own client id and the host it is served from; iss is the ACS principal (00000001-…) in that realm; appctxsender is the SharePoint principal (00000003-…) in that realm; refreshtoken is what the app exchanges for an access token in step 6.
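The checks an app has to make on that context token before trusting it, as an added example (not the deck's code and not Microsoft's TokenHelper, though it follows the same checks): HS256 over header.payload keyed with the base64-decoded client secret, then nbf/exp, audience (client id and host), issuer (ACS in the realm) and appctxsender (SharePoint in the realm). The client secret, refresh token and clock used to build the sample token are constructed; the GUIDs and CacheKey are the deck's sample values.

```python
"""Read and validate a SharePoint low-trust context token (the SPAppToken POSTed in step 4).

Added example, stdlib only. Assumptions: HS256 key = base64-decoded client secret (as
TokenHelper uses); the sample secret, refresh token and clock below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"        # issuer of low-trust tokens
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # expected appctxsender


class TokenError(Exception):
    """Raised for any reason the context token must be rejected."""


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(header, payload, client_secret_b64):
    """Mint an HS256 JWT the way ACS would for this app (used here only to build a sample)."""
    key = base64.b64decode(client_secret_b64)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_and_validate_context_token(token, client_id, client_secret_b64, expected_host, now=None):
    """Return the usable parts of a context token, or raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a three-part JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # never let the token pick its own algorithm (alg=none)
        raise TokenError("unexpected alg %r" % header.get("alg"))
    key = base64.b64decode(client_secret_b64)
    expected_sig = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise TokenError("signature does not verify under this app's client secret")
    claims = json.loads(b64url_decode(p_b64))
    if not claims["nbf"] <= now < claims["exp"]:
        raise TokenError("token not yet valid or expired")
    aud_principal, _, realm = claims["aud"].partition("@")   # "<client id>/<host>@<realm>"
    aud_client, _, aud_host = aud_principal.partition("/")
    if aud_client.lower() != client_id.lower() or aud_host.lower() != expected_host.lower():
        raise TokenError("audience %r is not this app on this host" % claims["aud"])
    if claims["iss"].lower() != (ACS_PRINCIPAL + "@" + realm).lower():
        raise TokenError("issuer is not ACS for realm " + realm)
    if claims["appctxsender"].lower() != (SHAREPOINT_PRINCIPAL + "@" + realm).lower():
        raise TokenError("appctxsender is not SharePoint in realm " + realm)
    appctx = claims["appctx"]
    if isinstance(appctx, str):  # on the wire appctx is a JSON string nested in the JSON
        appctx = json.loads(appctx)
    return {
        "realm": realm,
        "refresh_token": claims["refreshtoken"],       # what step 6 sends to ACS
        "cache_key": appctx["CacheKey"],              # key for caching per user+app
        "sts_uri": appctx["SecurityTokenServiceUri"],  # where step 6 sends it
    }


# Constructed sample input: secret, refresh token and clock are made up; GUIDs are the deck's.
SAMPLE_SECRET = base64.b64encode(b"constructed-client-secret-not-a-real-one").decode()
SAMPLE_CLIENT_ID = "ad696e55-3f33-4078-b367-2e7b75d645f2"
SAMPLE_REALM = "2c439330-685e-4c13-817b-e057b9637ad0"
SAMPLE_NBF = 1352665645  # 2012-11-11 20:27:25Z, the nbf shown in the deck


def make_sample_token(secret_b64=SAMPLE_SECRET, host="localhost:44300", nbf=SAMPLE_NBF):
    payload = {
        "aud": "%s/%s@%s" % (SAMPLE_CLIENT_ID, host, SAMPLE_REALM),
        "iss": "%s@%s" % (ACS_PRINCIPAL, SAMPLE_REALM),
        "nbf": nbf,
        "exp": nbf + 12 * 3600,  # the deck's token lived 12 hours
        "appctxsender": "%s@%s" % (SHAREPOINT_PRINCIPAL, SAMPLE_REALM),
        "appctx": json.dumps({
            "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
            "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2",
        }),
        "refreshtoken": "constructed-refresh-token",
        "isbrowserhostedapp": True,
    }
    return sign_hs256({"typ": "JWT", "alg": "HS256"}, payload, secret_b64)


if __name__ == "__main__":
    token = make_sample_token()
    print(read_and_validate_context_token(token, SAMPLE_CLIENT_ID, SAMPLE_SECRET,
                                          "localhost:44300", now=SAMPLE_NBF + 60))
```

The host check matters because the same client id can be registered for several hosts: a token minted for one app URL must not be accepted by another, and the alg check stops a forged token from turning off the signature entirely.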
Low Trust Plumbing
The process for hooking up an on-premises farm to use low trust is:
- Create an O365 tenancy; it doesn't need any user licenses
- Replace the token signing certificate for the local SharePoint STS
- Set up an Azure Service Application Proxy, an SPTrustedSecurityTokenIssuer, and SPNs for the MsolServicePrincipal
Good news! Just follow the guide and run the script found here: http://msdn.microsoft.com/en-us/library/dn155905.aspx
High Trust
High Trust Plumbing
- Unlike low trust apps, you don't get a context token
- You have to use a certificate to sign the token your app sends to SharePoint
- Register the certificate in SharePoint using PowerShell
High Trust Plumbing - Building An App
- Use the VS wizard and select provider-hosted, then select the cert (.pfx), type its password, and enter the Issuer (App) ID
- Place the cert in a directory that the web's app pool has access rights to (and ideally nothing else does: whoever can read that private key can mint tokens SharePoint will trust)
- Create your client context using TokenHelper and enjoy the OAuth power that ensues!!
High Trust Management
- It's called high trust for a reason: YOU control what user identity is put in the token, so the app must have authenticated that user itself before asserting it
- That identity is "rehydrated" by finding a matching user in the UPA (User Profile Application)
- It's up to you to create a token with an appropriate identifier value: account name (aka nameId), SMTP, UPN or SIP
Using Certificates for High Trust Apps
- You can choose to have each app use its own cert, or have apps share a cert
- Each cert that's used needs to be trusted by SharePoint using the New-SPTrustedSecurityTokenIssuer cmdlet
- That is important if you ever want to stop trusting an app:
  - If each app has its own cert, you just stop trusting that cert
  - If apps share a cert, then you need to: stop trusting the cert; have all the other apps you still trust start using a new cert; configure SharePoint to start trusting the new cert
Apps Authorization
Consent Form
Permission requests
Apps request the permissions they require to run (in the AppManifest):
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>  <!-- 101 = document library -->
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal"/>
</AppPermissionRequests>
Anatomy of one request, <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>:
- http://sharepoint = product
- content = permission provider
- sitecollection = specific component
- Right="Read" = capability
Available app permissions
Scope                                                  Scope alias                     Right(s)
http://sharepoint/content/tenant                       AllSites                        Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection               Site                            Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection/web           Web                             Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection/web/list      List                            Read; Write; Manage; FullControl
http://sharepoint/bcs/connection                       None (not currently supported)  Read
http://sharepoint/search                               Search                          QueryAsUserIgnoreAppPrincipal
http://sharepoint/projectserver                        ProjectAdmin                    Manage
http://sharepoint/projectserver/projects               Projects                        Read; Write
http://sharepoint/projectserver/projects/project       Project                         Read; Write
http://sharepoint/projectserver/enterpriseresources    ProjectResources                Read; Write
http://sharepoint/projectserver/statusing              ProjectStatusing                SubmitStatus
http://sharepoint/projectserver/reporting              ProjectReporting                Read
http://sharepoint/projectserver/workflow               ProjectWorkflow                 Elevate
http://sharepoint/social/tenant                        AllProfiles                     Read; Write; Manage; FullControl
http://sharepoint/social/core                          Social                          Read; Write; Manage; FullControl
http://sharepoint/social/microfeed                     Microfeed                       Read; Write; Manage; FullControl
http://sharepoint/taxonomy                             TermStore                       Read; Write
Permission Policies
- User Only: same as SharePoint 2010
- App + User: both the user and the app need permission to execute; apps can be installed by a Site Owner; the most common policy
- App Only: provider-hosted only; Site Collection or Tenant Admin permissions are needed to install; similar to "RunWithElevatedPrivileges"
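How the manifest and the policy combine into a yes/no decision, as an added example (a toy model written for this page, not SharePoint's own authorization code). It assumes what the deck's table and policy slide imply: content rights are cumulative (FullControl > Manage > Write > Read), a content grant covers the scopes beneath it (tenant > site collection > web > list), non-content rights such as QueryAsUserIgnoreAppPrincipal must match exactly, and a Property on a list grant (BaseTemplateId) restricts which lists it covers. The manifest fragment is the deck's example, embedded as constructed input.

```python
"""Toy model of the add-in authorization decision: AppManifest grants x permission policy.

Added example, not SharePoint's code. Assumed rules are marked in comments.
"""
import xml.etree.ElementTree as ET

CONTENT_CHAIN = [  # assumed: an outer content scope covers everything inside it
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection/web/list",
]
CUMULATIVE_RIGHTS = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}  # assumed ordering

# Constructed input: the deck's manifest fragment
SAMPLE_MANIFEST = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal"/>
</AppPermissionRequests>"""


def parse_manifest(xml_text):
    """Return (allow_app_only, [(scope, right, {property: value}), ...])."""
    root = ET.fromstring(xml_text)
    allow_app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    grants = []
    for req in root.findall("AppPermissionRequest"):
        props = {p.get("Name"): p.get("Value") for p in req.findall("Property")}
        grants.append((req.get("Scope"), req.get("Right"), props))
    return allow_app_only, grants


def scope_covers(granted, target):
    if granted in CONTENT_CHAIN and target in CONTENT_CHAIN:
        return CONTENT_CHAIN.index(granted) <= CONTENT_CHAIN.index(target)
    return granted == target  # bcs, search, projectserver, social, taxonomy: exact scope


def right_covers(granted, needed):
    if granted in CUMULATIVE_RIGHTS and needed in CUMULATIVE_RIGHTS:
        return CUMULATIVE_RIGHTS[granted] >= CUMULATIVE_RIGHTS[needed]
    return granted == needed  # QueryAsUserIgnoreAppPrincipal, SubmitStatus, Elevate: no ordering


def app_has_right(grants, target_scope, needed_right, target_props=None):
    """Does any grant cover the target? Every Property on the grant must match the target."""
    target_props = target_props or {}
    return any(
        scope_covers(scope, target_scope)
        and right_covers(right, needed_right)
        and all(target_props.get(name) == value for name, value in props.items())
        for scope, right, props in grants)


def authorize(manifest_xml, policy, target_scope, needed_right, user_has_right, target_props=None):
    """Decide a call under the deck's three policies: 'user', 'app+user' or 'app-only'."""
    allow_app_only, grants = parse_manifest(manifest_xml)
    app_ok = app_has_right(grants, target_scope, needed_right, target_props)
    if policy == "user":        # SharePoint 2010 style: the app is not a principal at all
        return user_has_right
    if policy == "app+user":    # both principals must hold the right independently
        return user_has_right and app_ok
    if policy == "app-only":    # the user is ignored; the manifest must opt in
        return allow_app_only and app_ok
    raise ValueError("unknown policy " + policy)


if __name__ == "__main__":
    doclib = {"BaseTemplateId": "101"}
    print(authorize(SAMPLE_MANIFEST, "app+user",
                    "http://sharepoint/content/sitecollection/web/list", "Write", True, doclib))
```

The app-only branch is the one to read twice: with AllowAppOnlyPolicy set, a caller holding the app's credentials gets everything the manifest grants regardless of which user, if any, is behind the call, which is why the deck compares it to RunWithElevatedPrivileges and reserves its installation for site collection or tenant admins.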
Recap
- Authentication: depends on the client-side or server-side call model, and on the trust model
- Authorization: depends on the policy model; defined in the AppManifest
Resources
- Building SharePoint Apps: http://msdn.microsoft.com/en-us/library/office/jj163230.aspx
- AuthN and AuthZ for Apps: http://msdn.microsoft.com/en-us/library/office/fp142384.aspx
- Steve Peschka: http://blogs.technet.com/b/speschka/
- Kirk Evans: http://blogs.msdn.com/b/kaevans/
Thank You! Questions?