It just works

[Figure: SharePoint 2013 authentication flow for an incoming request, from "start authentication" to "end authentication". Decision nodes: does the request target a CSOM/REST endpoint; does the request carry an access token; does the access token carry a user identity; does the request carry a claims token; does the request target the URL of an app web. Outcomes: User Authentication (a claims token identifies the user); App Authentication (app and user identity), reached when an access token is present and carries a user identity; App Only Authentication, reached when an access token is present but carries no user identity; No Authentication (anonymous access).]

<AppPermissionRequests>
<AppPermissionRequest
Scope="http://sharepoint/content/sitecollection/web"
Right="Write" />
<AppPermissionRequest
Scope="http://sharepoint/content/sitecollection"
Right="Read" />
</AppPermissionRequests>

AllowAppOnlyPolicy is an attribute of the AppPermissionRequests element (AllowAppOnlyPolicy="true"). It declares that the app may request app-only access tokens, that is, act under its own identity with no user present; leave it off unless the app genuinely has to run without a user, because the user's own permissions no longer bound what the app can do.

Anatomy of a permission request:

<AppPermissionRequest
Scope="http://sharepoint/content/sitecollection" Right="Read" />

Product: sharepoint
Permission provider: content
Target object: sitecollection
Capability (Right): Read
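To make the permission model above concrete, here is a small static checker for the AppPermissionRequests block of a manifest. It is an example added for this page, not code from the deck or from SharePoint; the rights ordering and the content scope list are the ones SharePoint 2013 defines (other permission providers such as search or bcs are deliberately not listed, so they are reported as unrecognised), while the function names and the second, app-only manifest are constructed for the example.

```python
"""Static review of the AppPermissionRequests block of a SharePoint 2013 app manifest.

Example added for this page, not code from the deck or from SharePoint. The
rights ordering and content scopes are SharePoint 2013's; the second manifest
is constructed to show the findings a reviewer wants to see.
"""
import xml.etree.ElementTree as ET

# Rights from least to most privileged, as SharePoint ranks them.
RIGHTS = ["Read", "Write", "Manage", "FullControl"]

# Content scopes from the broadest to the narrowest; a right granted at one
# scope applies to everything below it.
CONTENT_SCOPES = [
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection/web/list",
]

# The manifest fragment shown on this page.
PAGE_MANIFEST = """<AppPermissionRequests>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Write" />
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read" />
</AppPermissionRequests>"""

# Constructed for this example: app-only policy combined with FullControl.
APP_ONLY_MANIFEST = """<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
</AppPermissionRequests>"""


def _local(tag):
    """Strip the XML namespace a full AppManifest.xml puts on every element."""
    return tag.rsplit("}", 1)[-1]


def parse_requests(manifest_xml):
    """Return (allow_app_only, [(scope, right), ...]) for the manifest text."""
    root = ET.fromstring(manifest_xml)
    node = next((el for el in root.iter() if _local(el.tag) == "AppPermissionRequests"), None)
    if node is None:
        raise ValueError("no AppPermissionRequests element")
    allow_app_only = node.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests = [(el.get("Scope"), el.get("Right"))
                for el in node if _local(el.tag) == "AppPermissionRequest"]
    return allow_app_only, requests


def review(manifest_xml):
    """Return a list of findings; an empty list means nothing worth flagging."""
    allow_app_only, requests = parse_requests(manifest_xml)
    findings = []
    known = []
    for scope, right in requests:
        if scope not in CONTENT_SCOPES:
            findings.append(f"unrecognised scope {scope}")
            continue
        if right not in RIGHTS:
            findings.append(f"unrecognised right {right} on {scope}")
            continue
        known.append((scope, right))
        if right == "FullControl":
            findings.append(f"FullControl requested on {scope}")
        if allow_app_only and RIGHTS.index(right) >= RIGHTS.index("Write"):
            findings.append(f"AllowAppOnlyPolicy with {right} on {scope}: "
                            "the app can change content with no user present")
    # A broader scope with an equal or higher right makes a narrower request redundant.
    for s_outer, r_outer in known:
        for s_inner, r_inner in known:
            if (CONTENT_SCOPES.index(s_outer) < CONTENT_SCOPES.index(s_inner)
                    and RIGHTS.index(r_outer) >= RIGHTS.index(r_inner)):
                findings.append(f"{r_outer} on {s_outer} already covers {r_inner} on {s_inner}")
    return findings


if __name__ == "__main__":
    for name, manifest in (("page manifest", PAGE_MANIFEST), ("app-only manifest", APP_ONLY_MANIFEST)):
        print(name, "->", review(manifest) or ["no findings"])
```

Run against the page's own manifest the checker reports nothing: Write on the web and Read on the site collection is the minimal shape for an app that edits one web and browses the rest. The constructed app-only manifest produces three findings, the middle one being the combination that deserves a sign-off from whoever owns the content.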

Values that identify an app principal to SharePoint (the fields AppRegNew.aspx asks for):
Client ID
Client Secret
App Host Domain
Redirect URL

[Figure: high-trust (S2S) trust setup on an on-premises farm. The app holds an SSL certificate, a public/private key pair in a .pfx; the private key signs the app's tokens and the public key is registered with the farm's S2S STS as a trusted token issuer. The figure numbers the setup steps 1 to 4.]

Ways to register an app principal:
AppRegNew.aspx (browser UI)
Register-SPAppPrincipal (PowerShell)
SPAppPrincipalManager (server object model)

Authorization

TokenHelper methods used by high-trust apps:
GetS2SClientContextWithWindowsIdentity
GetS2SAccessTokenWithWindowsIdentity
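The two TokenHelper methods above build the high-trust access token that the authentication flow at the top of the page classifies as App Authentication (app and user identity) or App Only Authentication. The following is an example added for this page, not code from the deck or from SharePoint: it assembles both token shapes and applies the checks the farm's S2S STS makes before trusting them. Claim names and the aud/iss/nameid formats follow TokenHelper.cs from the Visual Studio SharePoint app templates; the realm, client id, issuer id, host name, user SID, the toy RSA key and all function names are constructed for the example, and textbook RSA over a tiny key stands in for the RS256 certificate signature so the block runs with the standard library alone.

```python
"""High-trust (S2S) access token as TokenHelper builds it, and the checks the
farm's S2S STS applies. Added example; identifiers below are constructed and
textbook RSA over a tiny key stands in for the RS256 certificate signature."""
import base64
import hashlib
import json
import time

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
REALM = "6b5d1f4e-0d2c-4e1a-9d3b-2f1c0a7e8b90"      # constructed: farm's authentication realm
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed: from Register-SPAppPrincipal
ISSUER_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed: from New-SPTrustedSecurityTokenIssuer
HOST = "sharepoint.contoso.local"                   # constructed
USER_SID = "s-1-5-21-1-2-3-1001"                    # constructed
EXPECTED_AUD = f"{SHAREPOINT_PRINCIPAL}/{HOST}@{REALM}"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Toy RSA key: (N, E) is the public half the farm registers from the .cer,
# D stays in the app's .pfx. Real keys are 2048-bit; this one is not secure.
P, Q, E = 1000000007, 998244353, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
X5T = b64url(hashlib.sha1(str(N).encode()).digest())  # stand-in for the cert thumbprint


def toy_sign(signing_input):
    digest = int.from_bytes(hashlib.sha256(signing_input).digest(), "big") % N
    return pow(digest, D, N).to_bytes(8, "big")


def toy_verify(signing_input, signature):
    digest = int.from_bytes(hashlib.sha256(signing_input).digest(), "big") % N
    return pow(int.from_bytes(signature, "big"), E, N) == digest


# What the farm holds after New-SPTrustedSecurityTokenIssuer: issuer -> (thumbprint, verifier)
TRUSTED_ISSUERS = {f"{ISSUER_ID}@{REALM}": (X5T, toy_verify)}


def encode_jwt(header, claims, sign=None):
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts).encode()
    return ".".join(parts + [b64url(sign(signing_input) if sign else b"")])


def decode_jwt(token):
    """Return (header, claims, signing_input, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, claims, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])


def issue_s2s_token(user_sid=None, lifetime=600):
    """Token as GetS2SAccessTokenWithWindowsIdentity returns it; user_sid=None
    gives an app-only token, which is the signed actor token on its own."""
    now = int(time.time())
    actor = {"aud": EXPECTED_AUD, "iss": f"{ISSUER_ID}@{REALM}", "nbf": str(now),
             "exp": str(now + lifetime), "nameid": f"{CLIENT_ID}@{REALM}"}
    if user_sid:
        actor["trustedfordelegation"] = "true"  # the app may assert a user identity
    actor_token = encode_jwt({"alg": "RS256", "typ": "JWT", "x5t": X5T}, actor, toy_sign)
    if not user_sid:
        return actor_token
    outer = {"aud": EXPECTED_AUD, "iss": f"{CLIENT_ID}@{REALM}", "nbf": actor["nbf"],
             "exp": actor["exp"], "nameid": user_sid,
             "nii": "urn:office:idp:activedirectory", "actortoken": actor_token}
    return encode_jwt({"alg": "none", "typ": "JWT"}, outer)  # outer token is unsigned


def validate_s2s_token(token, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return ("app+user", sid) or ("app-only", None); raise ValueError if untrusted."""
    now = int(time.time()) if now is None else now
    header, claims, signing_input, signature = decode_jwt(token)
    user_sid = None
    if "actortoken" in claims:
        # The outer token is unsigned, so every claim in it has to be backed
        # by the signed actor token it wraps.
        outer = claims
        header, claims, signing_input, signature = decode_jwt(outer["actortoken"])
        if outer.get("aud") != claims.get("aud") or outer.get("iss") != claims.get("nameid"):
            raise ValueError("outer token does not match its actor token")
        if claims.get("trustedfordelegation") != "true":
            raise ValueError("issuer is not trusted to assert a user identity")
        user_sid = outer.get("nameid") or None
        if user_sid is None:
            raise ValueError("outer token carries no user identity")
    thumbprint, verify = trusted_issuers.get(claims.get("iss"), (None, None))
    if verify is None:
        raise ValueError("unknown issuer")
    if header.get("alg") != "RS256" or header.get("x5t") != thumbprint \
            or not verify(signing_input, signature):
        raise ValueError("actor token signature check failed")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("audience mismatch")
    if not int(claims["nbf"]) <= now < int(claims["exp"]):
        raise ValueError("token not yet valid or expired")
    return ("app+user", user_sid) if user_sid else ("app-only", None)


def rejects(token, **kwargs):
    """True when validate_s2s_token refuses the token (used for the tamper cases)."""
    try:
        validate_s2s_token(token, **kwargs)
    except ValueError:
        return True
    return False
```

The outer token carries no signature: whoever holds the private key in the app's .pfx can assert any user SID, which is exactly what "high trust" means. validate_s2s_token therefore accepts a user identity only when the signed actor token carries trustedfordelegation, and it refuses an app-only actor token that someone has wrapped in a forged outer token. The .pfx deserves the same protection as a domain credential.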

App types and authentication models:
High trust apps (S2S)
Marketplace apps
Roadmap:
• Online services
• Org high trust LOB apps
OAuth Native Client
SharePoint hosted apps
Azure hosted apps
Provider-hosted apps (OAuth 3-legged)
• Native apps running on mobile devices
• Admin controlled but wide options of apps