The SharePoint Cowboy
Eric Shupps, CKS:DEV, Patterns & Practices
www.sharepointcowboy.com | [email protected] | facebook.com/sharepointcowboy | slideshare.net/eshupps | @eshupps

Authorization roles

Resource Owner: grants access to a protected resource.
Resource Server: hosts the protected resource and accepts access requests.
Client: application making protected resource requests on behalf of the resource owner.
Authorization Server: issues access tokens.

Abstract protocol flow

Client -> Resource Owner: Authorization Request
Resource Owner -> Client: Authorization Grant
Client -> Authorization Server: Authorization Grant
Authorization Server -> Client: Access Token
Client -> Resource Server: Access Token
Resource Server -> Client: Protected Resource

Authorization flow with a request token

1. User requests access; app requests a Request Token; provider returns the Request Token; app builds the authorization link with the Request Token.
2. User requests the URL with the Request Token; provider returns an Access Token.
3. User requests the URL with the Access Token; app validates the access token; once the token is validated, the user is granted access.

Authorization flow with an access token only

1. User requests access; app requests an Access Token; app builds the authorization link with the Access Token.
2. User requests the URL with the Access Token; provider returns the Access Token; app validates the access token; once the token is validated, the user is granted access.

Identity terms

Identity Provider: manages identity information for principals.
Security Token Service (STS): handles requests for trusted identity claims.
Identity Token Issuer: identity provider associated with a web application.
Security Token Issuer: trusted resource (farm, server, etc.).
SharePoint app authorization terms

Metadata Endpoint: resource information and signing certificate (JSON).
Request Token: used to request permission to a protected resource.
Access Token: used by the app to access a resource on behalf of the user.
Realm: operation scope for authorization.
Azure ACS: cloud-based security token service (IP-STS).

App launch flow, SharePoint Online

1. User browses to the app.
2. SharePoint gets a request token from ACS.
3. SharePoint sends the request token to the browser.
4. Browser POSTs the request token to the app.
5. App requests an access token from ACS.
6. ACS provides the access token.
7. App establishes context.

App launch flow, on premise

1. User browses to the app.
2. SharePoint returns parameters.
3. Browser POSTs the parameters to the app.
4. App requests an access token from SharePoint.
5. SharePoint validates the S2S trust.
6. App establishes context.

App code steps, SharePoint Online

1. Get request parameters.
2. Parse out the context token.
3. Read and validate the context token.
4. Get an access token.
5. Establish client context.

App code steps, on premise

1. Get POST parameters from SharePoint.
2. Get claims from the Windows identity.
3. Get an access token with S2S.
4. Get client context from SharePoint with the access token.

Context token anatomy

Diagram labels: Tenant ID, Client ID, App URL, Azure ACS, SharePoint, User ID + Issuer + App + Realm, IP-STS URL, token sent to IP-STS (Azure ACS), delivered via browser or event receiver.

Header:
    {"typ":"JWT","alg":"RS256","x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}

Payload (annotations from the slide follow each claim):
    {
      "aud":"00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",   SharePoint principal / host web @ tenant ID
      "iss":"00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",   Azure ACS @ tenant ID
      "nbf":1400013357,   start
      "exp":1400056557,   end
      "nameid":"1003000086ad02d6",   user ID (UPN)
      "actor":"c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",   client ID @ tenant ID (STS ID)
      "identityprovider":"urn:federation:microsoftonline"
    }

Resources

OAuth Working Group: http://oauth.net/
OAuth Resource Guide: http://bit.ly/14CWPNb
Authorization and authentication for apps in SharePoint 2013: http://bit.ly/16f8WFh
Setting up an OAuth trust between farms in SharePoint 2013: http://bit.ly/12Yr7e3
Plan for server-to-server authentication in SharePoint 2013: http://bit.ly/1chAgFl
What's new in authentication for SharePoint 2013: http://bit.ly/1e6KaYv
Creating High-Trust apps with S2S: http://bit.ly/18RL8uL
Using O365 to Authorize On-Premise Apps: http://bit.ly/1fvv1Bo

Patterns and practices: 30+ Visual Studio projects, common scenarios, contribute.
Explore, Play, Follow, Get Answers, Give Feedback.

Related sessions

OFC-B254 Integrating Yammer and Microsoft SharePoint Using .NET
DEV-B230 Most Commonly Asked for On-Premises Customizations Reimagined as Applications for SharePoint
DEV-B319 Get Started Developing Applications for Microsoft Office and SharePoint Server 2013
DEV-B231 Office Power Hour: New Developer APIs and Features for Applications for Office
DEV-B227 Anyone Can Build a SharePoint Application with Microsoft Access
OFC-B274 Implementing Microsoft SharePoint 2013 Hybrid for Search, Business Connectivity Services, Microsoft OneDrive for Business and Yammer
DEV-B232 Creating Cloud Hosted Line-of-Business Applications with Apps for Office, Microsoft Office 365, Microsoft Azure, and Windows Phone 8
OFC-B311 A Practical Use of External Data Sources
DEV-B357 Developing Office 365 Cloud Business Applications
DEV-B387 Deep Dive into Mail Compose Applications APIs
DEV-B386 Setting Up Your On-Premises Environment for App Development
DEV-B228 Build Connected Productivity Apps for SharePoint and Office
DEV-B390 SharePoint Power Hour: New Developer APIs and Features for Apps for SharePoint
DEV-B389 Who Are You and What Do You Want? Working with OAuth in Microsoft SharePoint 2013
EXM04 Exam Prep: 70-331 and 70-332

http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
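The "read and validate context token" step from the SharePoint Online app code flow, as an added example that is not part of the deck and not the SharePoint project's own helper code: it decodes a context token shaped like the one in the context token anatomy section and checks that aud, iss, nbf/exp and actor all agree with the app's own host web, realm and client ID. The function names are hypothetical, the sample token is constructed from the claims on the slide with a placeholder signature, and RS256 signature verification against the certificate from the ACS metadata endpoint is assumed to happen before these checks.

```python
import base64
import json

# Well-known principal ids seen in the slide's sample token: SharePoint (aud) and Azure ACS (iss).
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
REALM = "2ae1caa2-a173-4989-b8f5-9da45655b8f4"  # tenant id from the slide


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_context_token(token, host_web, realm, client_id, now):
    """Check the claims of a SharePoint context token; raise ValueError on any mismatch.
    Assumes the RS256 signature was already verified against the certificate published
    by the ACS metadata endpoint; that step is not repeated here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    # aud = SharePoint principal / host web @ realm: the token must be meant for this site
    if claims.get("aud") != "%s/%s@%s" % (SHAREPOINT_PRINCIPAL, host_web, realm):
        raise ValueError("audience mismatch")
    # iss = ACS principal @ realm: it must come from the IP-STS of the same tenant
    if claims.get("iss") != "%s@%s" % (ACS_PRINCIPAL, realm):
        raise ValueError("issuer mismatch")
    # nbf / exp are the Start / End of the validity window on the slide
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token outside its validity window")
    # actor = client id @ realm: the app principal the token was issued to
    actor_id, _, actor_realm = claims.get("actor", "").partition("@")
    if actor_id != client_id or actor_realm != realm:
        raise ValueError("actor does not match this app")
    return {"user": claims["nameid"], "realm": realm, "expires": claims["exp"]}


def make_sample_token():
    """Constructed sample carrying the slide's claims; the signature segment is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"}
    claims = {"aud": "%s/binarywaveinc.sharepoint.com@%s" % (SHAREPOINT_PRINCIPAL, REALM),
              "iss": "%s@%s" % (ACS_PRINCIPAL, REALM), "nbf": 1400013357, "exp": 1400056557,
              "nameid": "1003000086ad02d6", "identityprovider": "urn:federation:microsoftonline",
              "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@%s" % REALM}
    return enc(header) + "." + enc(claims) + ".placeholder-signature"
```

A real app would take `now` from the clock and the host web, realm and client ID from its own configuration; a token whose aud or actor names a different site or app is rejected before any access token is requested.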