Module 3: Hook into Apps for SharePoint
Office DEVCamp – Los Angeles
Registration for Los Angeles June 16 2015: http://aka.ms/O365campLA

Upload: ivan-sanders

Post on 07-Aug-2015


TRANSCRIPT

Module 3: Hook into Apps for SharePoint

Office DEVCamp – Los Angeles

Registration for Los Angeles June 16 2015: http://aka.ms/O365campLA

Course Agenda

Office Camp

Module 1: Introduction to the Day

Module 2: Setting up the Environments

Module 3: Hooking into Apps for SharePoint

Module 4: Hooking into Office 365 APIs

Module 5: Hooking into Apps for Office

Module 6: Hooking into SharePoint APIs with Android

Hooking into Apps for SharePoint

Ivan Sanders
SharePoint MVP
[email protected]
@iasanders

Introduction
Programming OAuth
Programming Cross-Domain Library

Agenda

Introduction


Architecture (diagram)

Remote Web: hosted in Azure Web Sites, backed by SQL Azure and Azure Data Market
SharePoint Online: Host Web and App Web (the App Web is optional)


The remote web always has full rights to the app web

For calls made in the user's context, effective permissions are the lesser of the user's permissions and the app's permissions to the given resource

A provider-hosted app can use "app-only" permissions to act with the app's own rights, independent of the current user's ("elevation")

App Permissions


Considers only the app's permissions; the current user's permissions are ignored, so the remote web must enforce its own authorization before making app-only calls

Set AllowAppOnlyPolicy to true on AppPermissionRequests in AppManifest.xml

Get an app-only token

App-Only Permissions


Web Project: ASP.NET Web Forms, MVC 5

Authorization: Azure Access Control Services (low trust), Server-to-Server High Trust

Programmability: SharePointContextProvider class, Managed CSOM or REST, JavaScript Cross-Domain Library

Creating Provider-Hosted Apps

Programming OAuth


Simple mechanism to grant a third party access to a user’s resources without sharing the user’s password.

Cross platform app authorization

Internet standard (RFC 6749) supported by Azure, Facebook, Google, Twitter, and more

What is OAuth 2.0?


Context Token: Information about the Resource Owner and Client that can be used to get an Access Token later. It is a JWT signed with the app's Client Secret, so the app can (and must) verify it before trusting its contents.

Refresh Token: A token used to get an Access Token from the Authorization Server.

Access Token: A token passed to the Resource Server authorizing the Client to access resources.

Authorization Code: A code returned by the authorization-code flow; in SharePoint it lets an app that was not launched from SharePoint request permissions on-the-fly and then exchange the code for tokens.

OAuth 2.0 Tokens


Apps must be registered with SharePoint Online
Client ID – generated during the registration process
Client Secret – generated during the registration process
App Host Domain – the domain of the Azure web site hosting the app
Redirect URL – the URL of the return page after permissions are granted

SharePoint provides registration management pages
AppRegNew.aspx – for registering a new app
AppInv.aspx – for updating registered apps
AppPrincipals.aspx – lists all registered apps

App Principals


Registering a New App (AppRegNew.aspx form)

Client Id: generated value
Client Secret: generated value
Title: free text value
App Domain: Azure domain (e.g., myapp.azurewebsites.net)
Redirect URI: web address (e.g., https://myapp.azurewebsites.net)


User has Organizational Account

App registered with SharePoint Online

App deployed to SharePoint Online

Remote Web deployed as an Azure Website

Client ID and Client Secret defined in AAD

Provider-Hosted App Flow Scenario


OAuth 2.0 Flow Provider-Hosted App

Actors: End User (Resource Owner), Azure ACS (Authorization Server), Azure Web Site (Client), SharePoint Online (Resource Server)

1. User launches app
2. Request Context Token for user
3. Context Token returned
4. Context Token returned and user redirected to app
5. App extracts Refresh Token from Context Token
6. App requests Access Token using Refresh Token
7. Access Token returned
8. Access Token presented along with request
9. Response returned

Checks for a valid Context Token; redirects if it does not exist

Simplifies the management of context
Provides an ACS or STS context
Context exposes properties for key values like the Host Web URL

Simplifies the management of tokens
Context exposes methods to retrieve tokens

SharePointContextProvider Class

SharePointAcsContext Class
• Inherits SharePointContext
• Provides specific properties and methods for dealing with context and access tokens
• CSOM: CreateAppOnlyClientContextForSPAppWeb, CreateAppOnlyClientContextForSPHost, CreateUserClientContextForSPAppWeb, CreateUserClientContextForSPHost
• REST: AppOnlyAccessTokenForSPAppWeb, AppOnlyAccessTokenForSPHost, UserAccessTokenForSPAppWeb, UserAccessTokenForSPHost

Making REST Calls with OAuth

Making CSOM Calls with OAuth


Validating Context Token (Web Forms, MVC 5)


SharePointContextProvider.GetSharePointContext
Returns SharePointAcsContext in the cloud
Returns SharePointHighTrustContext on premises

Properties: SPAppWebUrl, SPClientTag, SPHostUrl, SPLanguage, SPProductNumber

Managing SharePoint Context


CSOM: CreateAppOnlyClientContextForSPAppWeb, CreateAppOnlyClientContextForSPHost, CreateUserClientContextForSPAppWeb, CreateUserClientContextForSPHost

REST: AppOnlyAccessTokenForSPAppWeb, AppOnlyAccessTokenForSPHost, UserAccessTokenForSPAppWeb, UserAccessTokenForSPHost

Managing Security Tokens


Managed CSOM


Managed REST

Programming Cross-Domain Library


The browser's same-origin policy prevents JavaScript running in the remote web from calling either the app web or the host web directly

The cross-domain library is required to make JavaScript calls to both the app web and the host web

Cross Domain Library


SP.RequestExecutor.js is located in the LAYOUTS directory (/_layouts/15/) of the SharePoint site

Option 1: Copy the file and include it directly in your app

Option 2: Load it dynamically (e.g., with jQuery's getScript) from the host web's /_layouts/15/ path

Loading the Cross-Domain Library


Cross-Domain Library Architecture (diagram)

Remote Web: the web page loads SP.RequestExecutor.js
SharePoint: SP.RequestExecutor.js creates a hidden IFRAME that hosts AppWebProxy.aspx from the App Web, and requests are relayed through that proxy page


Cross-Domain REST Calls

Call targeting App Web

Call targeting Host Web


Cross-Domain CSOM Calls

Call targeting App Web

Call targeting Host Web
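The remote web learns the host web and app web addresses from the SPHostUrl and SPAppWebUrl query-string parameters on the launch request, and then uses them both to decide where to load SP.RequestExecutor.js from (the "Loading the Cross-Domain Library" slide) and to build the REST URLs for calls targeting the app web and the host web (the "Cross-Domain REST Calls" slide). Because those parameters arrive in the URL, they are untrusted input and should be validated before a script is loaded from them. The following is an added example, not code from the deck, covering both slides: a validator for the two URLs and the URL builders for app-web and host-web REST calls through SP.AppContextSite. The allow-listed tenant suffix, the sample launch URL and the site names are constructed for this example; the CSOM variant (SP.ProxyWebRequestExecutorFactory) needs the SharePoint client libraries in a browser and is not shown.

```javascript
// Added example (not from the deck): validate SPHostUrl/SPAppWebUrl from the launch
// request, then build the script URL and cross-domain REST URLs from the validated values.

const ALLOWED_SP_SUFFIXES = [".sharepoint.com"]; // constructed allow-list; narrow it to your tenant

// Return the validated absolute URL without a trailing slash, or throw.
// Rejects non-https schemes (including javascript:), embedded credentials,
// query/fragment parts, and hosts outside the allow-list.
function validateSharePointUrl(raw, allowedSuffixes = ALLOWED_SP_SUFFIXES) {
  let u;
  try { u = new URL(raw); } catch (e) { throw new Error("not an absolute URL"); }
  if (u.protocol !== "https:") throw new Error("scheme must be https");
  if (u.username || u.password) throw new Error("credentials not allowed");
  if (u.search || u.hash) throw new Error("query/fragment not allowed");
  const host = u.hostname.toLowerCase();
  const allowed = allowedSuffixes.some((suf) => host.endsWith(suf) && host.length > suf.length);
  if (!allowed) throw new Error("host not in allow-list: " + host);
  return u.origin + u.pathname.replace(/\/+$/, "");
}

// Parse the query string SharePoint appends when it launches the app.
function readLaunchParams(launchUrl) {
  const q = new URL(launchUrl).searchParams;
  const hostWebUrl = validateSharePointUrl(q.get("SPHostUrl"));
  const appWebParam = q.get("SPAppWebUrl"); // absent when the app has no app web
  const appWebUrl = appWebParam ? validateSharePointUrl(appWebParam) : null;
  return { hostWebUrl, appWebUrl, language: q.get("SPLanguage") };
}

// "Option 2": the script URL to load dynamically, taken from the validated host web.
function requestExecutorScriptUrl(hostWebUrl) {
  return hostWebUrl + "/_layouts/15/SP.RequestExecutor.js";
}

// Call targeting the app web: issue the REST request directly against the app web.
function appWebRestUrl(appWebUrl, path) {
  return appWebUrl + "/_api/" + path;
}

// Call targeting the host web: route it through the app web with SP.AppContextSite(@target).
// The host web URL is an OData string literal, so embedded single quotes are doubled
// and the whole literal is percent-encoded for the query string.
function hostWebRestUrl(appWebUrl, hostWebUrl, path) {
  const target = "'" + hostWebUrl.replace(/'/g, "''") + "'";
  const sep = path.includes("?") ? "&" : "?";
  return `${appWebUrl}/_api/SP.AppContextSite(@target)/${path}${sep}@target=${encodeURIComponent(target)}`;
}

// Constructed launch URL in the shape SharePoint produces.
const DEMO_LAUNCH_URL =
  "https://myapp.azurewebsites.net/Home?SPHostUrl=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fdev" +
  "&SPAppWebUrl=https%3A%2F%2Fcontoso-0123456789abcdef.sharepoint.com%2Fsites%2Fdev%2Fmyapp&SPLanguage=en-US";

// End to end: the three URLs the page needs for a host-web call to /web/lists.
function demo(launchUrl = DEMO_LAUNCH_URL) {
  const p = readLaunchParams(launchUrl);
  return {
    script: requestExecutorScriptUrl(p.hostWebUrl),
    appWebLists: appWebRestUrl(p.appWebUrl, "web/lists"),
    hostWebLists: hostWebRestUrl(p.appWebUrl, p.hostWebUrl, "web/lists?$select=Title"),
  };
}

console.log(demo());
```

Once the script has been loaded from the validated host web, the host-web URL produced by hostWebRestUrl is what goes into the url field of the options object passed to SP.RequestExecutor's executeAsync, with the executor itself constructed against the app web URL; the proxy page in the app web is what makes the host-web call permissible.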

Summary

Introduction
Programming OAuth
Programming Cross-Domain Library

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.