Understanding Authentication and Permissions with Apps for SharePoint and Office
Kirk Evans, Principal Premier Field Engineer, Microsoft Corporation. Session 3-603. (PowerPoint presentation transcript.)
Speaker: Kirk Evans, Microsoft Principal Premier Field Engineer, Microsoft Certified Master (SP2010), 15+ years of experience.
Blog: http://blogs.msdn.com/kaevans
Twitter: @kaevans, hashtag #bldwin
Agenda
Establishing trust. Types of app authentication. OAuth authentication. App authorization. Dynamic permission requests.
Close Shave by SeaDave, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/
Establishing trust
Dr. Garland prepares to fall by genvessel, Creative Commons Attribution 2.0 Generic, http://creativecommons.org/licenses/by/2.0/
Trust example (diagram, slides 6 to 8): Kirk, the Contoso photo app, and Contoso. The question mark is what the Contoso photo app is allowed to do with Kirk's Contoso account. The second slide lists the candidates: view, upload, tag, comment, delete, change password. The third slide contrasts "View" on its own with that full list.
App model: past, present, and future
SharePoint 2007: code runs inside SharePoint.
SharePoint 2010: the Sandbox.
SharePoint 2013: SharePoint exposes the _api; app code runs outside SharePoint on Azure, IIS, LAMP, etc.
Demo: SharePoint connect
Types of app authentication
SharePoint-hosted app: SharePoint "Host" web; SharePoint "AppWeb"; app web JavaScript runs against the app web.
Cross domain JavaScript library: SharePoint "Host" web; SharePoint "AppWeb"; JavaScript (cross domain) calls from the app web to the host web.
Cloud-hosted app: SharePoint "Host" web; SharePoint "AppWeb"; the remote app authenticates with OAuth.
Authentication decision flowchart (reconstructed from the slide's labels). Decisions, from Start to End: user credentials provided? App token provided? App token includes user? Call is to an app web? Outcomes: user-only context, app-only context, user + app context, anonymous context.
Reading the chart: user credentials with no app token give a user-only context; an app token that includes a user gives a user + app context; an app token without a user gives an app-only context; neither credentials nor a token gives an anonymous context; a call to an app web is attributed to the app that owns that app web.
Demo: basic app authentication
OAuth authentication
OAuth roles: Client, Resource server, Resource owner, Authorization server.
Context token flow. Participants: Browser, SharePoint, App.com, ACS (Windows Azure Access Control Services).
1) User browses to a SharePoint page with an app part on it.
2) SharePoint requests a context token.
3) ACS returns a signed context token.
4) SharePoint renders the page with an iframe which will POST the context token to App.com:
   POST https://app.com/…SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…
5) The iframe causes the browser to request contents from App.com, including the context token.
6) App.com validates the signature on the context token, extracts the auth code, and uses its credentials to request an access token from ACS.
7) Windows Azure Access Control Services (ACS) returns an access token.
8) App.com calls the SharePoint CSOM or REST API with the access token.
9) SharePoint returns data from the CSOM or REST API call.
10) App.com returns the iframe contents.
OAuth token summary: three tokens appear in the flow. The context token is what the browser posts to App.com (step 5); it carries a refresh token (the refreshtoken claim), which App.com exchanges at ACS for an access token (steps 6 and 7); the access token is what App.com presents to SharePoint (step 8).
Context token format (Base64 encoded JWT, as posted in SPAppToken):
SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJhZDY5NmU1NS0zZjMzLTQwNzgtYjM2Ny0yZTdiNzVkNjQ1ZjIvbG9jYWxob3N0OjQ0MzAwQDJjNDM5MzMwLTY4NWUtNGMxMy04MTdiLWUwNTdiOTYzN2FkMCIsImlzcyI6IjAwMDAwMDAxLTAwMDAtMDAwMC1jMDAwLTAwMDAwMDAwMDAwMEAyYzQzOTMzMC02ODVlLTRjMTMtODE3Yi1lMDU3Yjk2MzdhZDAiLCJuYmYiOjEzNTI2NjU2NDUsImV4cCI6MTM1MjcwODg0NSwiYXBwY3R4c2VuZGVyIjoiMDAwMDAwMDMtMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwQDJjNDM5MzMwLTY4NWUtNGMxMy04MTdiLWUwNTdiOTYzN2FkMCIsImFwcGN0eCI6IntcIkNhY2hlS2V5XCI6XCJCU2lLOFNmQS9lVk5lTU10SUpjVkJPM2xJNUxYY1BjN0p3SUcyWGNqWDR3PVwiLFwiU2VjdXJpdHlUb2tlblNlcnZpY2VVcmlcIjpcImh0dHBzOi8vYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldC90b2tlbnMvT0F1dGgvMlwifSIsInJlZnJlc2h0b2tlbiI6IklBQUFBS0JDb1Bwby1FVm9PZ3dBMGZ3SDVQV3dyY29PR3BGSHdpVW1CMnpBZjRjMXdoeFFzOXlWRlVtcWNqNmYyZ2JTRF9CM3dPakktRXN2b2dWVWVQeXBtMjF5RlQ3VkxFdW5OSW1rT1RxeHFtb1BwSE9SU3F0c2pXaEhOdnUxM0ppVmNGZzh2UEFyMl9HbFFCNjBQVThQdEVUVlpjWXpCcExhY3hzNjNlVVdMajBTY0lQMGwzUW12dENTVEdidlRqUW1hR3RGaVZYQnZwLXhQN1RuZnlkRUJUUG9hTDNDcERoQXA5TVhMNXpsRVIxbUtBdDN6bEEtSXpQSzdRTmxyOVJ5RnVPTnJGZmtSRnhyRHNBTDJMS0hPZ2pkZVM5Y0VHWnpZdG9odkdWRFFiVWptaFlxM3FueHYyM09qX25idm9KNUNJQXBTOTVMUTNXVkwyaFJKQlltUHVIQ1Z3emhjZG12QlJJNURJZVNYb25RR2d5blNVYU9vUUtheUg2b1R6RzcwSWljaUtSNm5FMzJZYnhhaGJzdm1XOGszblpvaTV4TDdfa0JXSUZjQXh0Ny1sMUJxTEFockpoZEliZ0dVa1VpVGk5d3JJVm9KZ0RDTDNxSzZucGNHdm4xbGdRZWNBbFpkeG5qOGltcmdGVmRmNDVGa1EyQTZTOTJEakVjWE1odUZwakE2aHFpSzdHRU85ZnEwM0tER0tjIiwiaXNicm93c2VyaG9zdGVkYXBwIjoidHJ1ZSJ9.c4gAOr-4OsWo-M54t1WRT0OrjVHtl2c7jpK4N5Hbof4
Context token format (decoded JSON; the nbf and exp values are shown with their UTC and local time equivalents):
{
  "aud": "ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@2c439330-685e-4c13-817b-e057b9637ad0",
  "iss": "00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "nbf": 1352665645   (2012-11-11 20:27:25Z, 11/11/2012 12:27:25 PM),
  "exp": 1352708845   (2012-11-12 08:27:25Z, 11/12/2012 12:27:25 AM),
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
  "appctx": {
    "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
    "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"
  },
  "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw…",
  "isbrowserhostedapp": true
}
App Authorization
Permission requests. Apps request the permissions they require to run:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/>
</AppPermissionRequests>
Anatomy of a permission request: <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
The Scope URL reads product (sharepoint) / permission provider (content) / specific component (sitecollection); the Right is the capability (Read).
Available app permissions

| Scope | Scope alias | Right |
|---|---|---|
| http://sharepoint/content/tenant | AllSites | Read;Write;Manage;FullControl |
| http://sharepoint/content/sitecollection | Site | Read;Write;Manage;FullControl |
| http://sharepoint/content/sitecollection/web | Web | Read;Write;Manage;FullControl |
| http://sharepoint/content/sitecollection/web/list | List | Read;Write;Manage;FullControl |
| http://sharepoint/bcs/connection | None (not currently supported) | Read |
| http://sharepoint/search | Search | QueryAsUserIgnoreAppPrincipal |
| http://sharepoint/projectserver | ProjectAdmin | Manage |
| http://sharepoint/projectserver/projects | Projects | Read;Write |
| http://sharepoint/projectserver/projects/project | Project | Read;Write |
| http://sharepoint/projectserver/enterpriseresources | ProjectResources | Read;Write |
| http://sharepoint/projectserver/statusing | ProjectStatusing | SubmitStatus |
| http://sharepoint/projectserver/reporting | ProjectReporting | Read |
| http://sharepoint/projectserver/workflow | ProjectWorkflow | Elevate |
| http://sharepoint/social/tenant | AllProfiles | Read;Write;Manage;FullControl |
| http://sharepoint/social/core | Social | Read;Write;Manage;FullControl |
| http://sharepoint/social/microfeed | Microfeed | Read;Write;Manage;FullControl |
| http://sharepoint/taxonomy | TermStore | Read;Write |
Consent

Demo: app permissions

Dynamic app permission requests
App.comSharePointBrowser
ACS
1) User browses to a web page on App.com.
1
![Page 41: Understanding Authentication and Permissions with Apps for SharePoint and Office](https://reader036.vdocuments.mx/reader036/viewer/2022081420/56816167550346895dd0f114/html5/thumbnails/41.jpg)
App.comSharePointBrowser
ACS
2) Browser is redirected to OAuthAuthorize.aspx
1
2
2
![Page 42: Understanding Authentication and Permissions with Apps for SharePoint and Office](https://reader036.vdocuments.mx/reader036/viewer/2022081420/56816167550346895dd0f114/html5/thumbnails/42.jpg)
App.comSharePointBrowser
ACS
3) SharePoint looks up the app principal based on the client_id.
1
2
2
/_layouts/15/OAuthAuthorize.aspx?IsDlg=1&client_id=3ca819d1-0ef8-4cbf-aa76-9ae45fd78b14&scope=Web.Write&response_type=code
3 3
![Page 43: Understanding Authentication and Permissions with Apps for SharePoint and Office](https://reader036.vdocuments.mx/reader036/viewer/2022081420/56816167550346895dd0f114/html5/thumbnails/43.jpg)
App.comSharePointBrowser
ACS
4) User grants permission, browser is redirected to App.com with code.
1
3
2
3
4
24
https://localhost:44301/Default.aspx?code=IAAAACn2TwEi67U76rep34e...S4NLsp4mi2IR2g&IsDlg=1
![Page 44: Understanding Authentication and Permissions with Apps for SharePoint and Office](https://reader036.vdocuments.mx/reader036/viewer/2022081420/56816167550346895dd0f114/html5/thumbnails/44.jpg)
App.comSharePointBrowser
ACS
5) App.com requests access token using code.
1
3
2
3
4
5
24
![Page 45: Understanding Authentication and Permissions with Apps for SharePoint and Office](https://reader036.vdocuments.mx/reader036/viewer/2022081420/56816167550346895dd0f114/html5/thumbnails/45.jpg)
App.comSharePointBrowser
ACS
6) Microsoft Azure Access Control Services returns an Access token.
1
3
2
3
4
5 6
24
![Page 46: Understanding Authentication and Permissions with Apps for SharePoint and Office](https://reader036.vdocuments.mx/reader036/viewer/2022081420/56816167550346895dd0f114/html5/thumbnails/46.jpg)
App.comSharePointBrowser
ACS
7) App.com requests data from SharePoint using access token.
1
3
2
3
4
5 6
7
24
![Page 47: Understanding Authentication and Permissions with Apps for SharePoint and Office](https://reader036.vdocuments.mx/reader036/viewer/2022081420/56816167550346895dd0f114/html5/thumbnails/47.jpg)
App.comSharePointBrowser
ACS
8) Data is returned from SharePoint and page is rendered.
1
3
2
3
4
5 6
7
8
24
8
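Both the manifest-time AppPermissionRequests block and the dynamic scope=Web.Write request above are (scope, right) pairs drawn from the "Available app permissions" table, and the consent step is where a reviewer decides whether to grant them. The Python below is an added example, not part of the deck: it encodes the content, search, social and taxonomy rows of that table and reviews a manifest (constructed after the slide's example) and a dynamic scope string for rights the table does not list, tenant-wide scopes, elevated rights and AllowAppOnlyPolicy. The finding texts are my own wording.

```python
import xml.etree.ElementTree as ET

PERMISSION_TABLE = {  # scope URL -> (alias used by dynamic requests, rights the slide's table lists)
    "http://sharepoint/content/tenant": ("AllSites", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/content/sitecollection": ("Site", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/content/sitecollection/web": ("Web", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/content/sitecollection/web/list": ("List", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/bcs/connection": (None, {"Read"}),
    "http://sharepoint/search": ("Search", {"QueryAsUserIgnoreAppPrincipal"}),
    "http://sharepoint/social/tenant": ("AllProfiles", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/social/core": ("Social", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/social/microfeed": ("Microfeed", {"Read", "Write", "Manage", "FullControl"}),
    "http://sharepoint/taxonomy": ("TermStore", {"Read", "Write"}),
}
ALIAS_TO_SCOPE = {alias: scope for scope, (alias, _) in PERMISSION_TABLE.items() if alias}
TENANT_WIDE = {"http://sharepoint/content/tenant", "http://sharepoint/social/tenant"}

SAMPLE_MANIFEST = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="Query"/>
</AppPermissionRequests>"""   # constructed after the slide's example; the last Right is deliberately off

def review_request(scope, right):
    """Findings for one (scope, right) pair; an empty list means nothing to raise."""
    entry = PERMISSION_TABLE.get(scope)
    if entry is None:
        return [f"unknown scope {scope}"]
    alias, rights = entry
    name = alias or scope
    findings = []
    if right not in rights:
        findings.append(f"{right} is not a right the table lists for {name}")
    if scope in TENANT_WIDE:
        findings.append(f"{name} covers the whole tenant, not one site")
    if right in {"Manage", "FullControl"}:
        findings.append(f"{right} on {name} is an elevated right")
    return findings

def review_manifest(xml_text):
    """Walk AppPermissionRequests and return every finding a reviewer should see before consent."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("AllowAppOnlyPolicy", "false").lower() == "true":
        findings.append("AllowAppOnlyPolicy=true: the app can act with no user in the context")
    for req in root.findall("AppPermissionRequest"):
        findings += review_request(req.get("Scope"), req.get("Right"))
    return findings

def review_dynamic_scope(scope_param):
    """Same review for the scope=Alias.Right form sent to OAuthAuthorize.aspx, e.g. 'Web.Write'."""
    alias, _, right = scope_param.partition(".")
    scope = ALIAS_TO_SCOPE.get(alias)
    if scope is None:
        return [f"unknown scope alias {alias}"]
    return review_request(scope, right)
```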
Demo: SPLister
Summary
Establishing trust. Types of app authentication. OAuth authentication. App authorization. Dynamic permission requests.

Resources: http://dev.office.com and http://blogs.msdn.com/kaevans
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.