Apps AuthN + AuthZ Mads Damgård Senior Premier Field Engineer [email protected]


Page 1: Title slide (title and author as above)

Page 2: Agenda

Intro, Principals, AuthN, Trust, AuthZ

Page 3: About Mads Damgård

10 years with SharePoint (7 in MS)
Work interests: Dev, Troubleshooting, Search, SQL, Training
Non-work: MTB, Watersports, Travel

Page 4: Principals (section divider)

Page 5: Principals

SharePoint has long had the notion of a User Principal, in several encodings:
  europe\madsd                       (Windows account)
  fbaMembers:madsd                   (forms-based membership provider user)
  i:0e.t|aad|[email protected]          (encoded identity claim from a trusted provider)

The methods for dealing with User Principals are well known:
  SharePoint groups
  Permission levels
  Adding attributes about the user (identity or claim) to one of the above

What about App Principals though?

Pages 6-16: Picture-story slides (image residue; only the labels survive). A Contoso user and a "Contoso photo" app, with a "?" between them. Frame by frame the app's requested rights grow from "View", to "View, Upload, Tag, Comment", to "View, Upload, Tag, Comment, Change Password"; the last frame pairs that full request list with a lone "View", presumably the subset actually granted. The point of the sequence: the app is a principal of its own, and what it is allowed to do is decided separately from what the user is allowed to do.

Page 17: User Principal and App Principal Context (flowchart)

Reconstructed from the flowchart labels; SharePoint decides which of four contexts a call runs in:

Start
  User credentials provided?
    Yes -> Call is to an app web?
             Yes -> User + App context (the app web implies the app principal)
             No  -> User only context
    No  -> App token provided?
             No  -> Anonymous context
             Yes -> App token includes user?
                      Yes -> User + App context
                      No  -> App only context
End

Page 18: Apps Authentication (section divider)

Page 19: Two ways to access SharePoint

Client side
  SharePoint hosted apps, and cloud/provider hosted apps (client side) = direct calls or cross-domain calls

Remote server side
  Cloud/provider hosted apps = access token (low trust)
  Server to server = access token (high trust)

Page 20: Cross-domain calls

Cross-domain calls are blocked by most browsers (same-origin policy). Examples are:
  Remote web -> app web
  App web -> host web

Use SP.RequestExecutor.js: it posts the requests through a hidden iframe served from the app web, so the call reaches SharePoint from the app web's own origin.

Page 21: Low Trust (section divider)

Page 22: OAuth roles, as they map onto the low trust flow

  Client               = App.com (the provider-hosted app)
  Resource server      = SharePoint
  Resource owner       = the user
  Authorization server = ACS

Pages 23-34: Low trust OAuth flow (diagram actors: Browser, SharePoint, App.com, ACS; the numbers on the diagram are the steps below)

1) User browses to a SharePoint page with an app part on it.
2) SharePoint requests a context token.
3) ACS returns a signed context token.
4) SharePoint renders the page with an iframe which will POST the context token to App.com:
     POST https://app.com/…SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…
5) The iframe causes the browser to request contents from App.com, including the context token.
6) App.com validates the signature on the context token, extracts the auth code (the refreshtoken claim), and uses its own credentials (client ID and secret) to request an access token from ACS.
7) Windows Azure Access Control Services (ACS) returns an access token.
8) App.com calls the SharePoint CSOM or REST API with the access token.
9) SharePoint returns data from the CSOM or REST API call.
10) App.com returns the iframe contents.

Page 34: OAuth token summary

  Step 5:      Context token (browser -> App.com, via the POST)
  Steps 6, 7:  Refresh token in, Access token out (App.com <-> ACS)
  Step 8:      Access token (App.com -> SharePoint)

Note that the browser only ever carries the context token; the access token stays between App.com, ACS and SharePoint.

Page 35: Context token format (a JWT: three base64url-encoded parts, header.payload.signature)

SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.….c4gAOr-4OsWo-M54t1WRT0OrjVHtl2c7jpK4N5Hbof4

The header part decodes to {"typ":"JWT","alg":"HS256"}: the signature is an HMAC-SHA256 over header.payload, keyed with the app's client secret, which is what App.com checks in step 6.

Page 36: Context token format, decoded JSON

  {
    "aud": "ad696e55-3f33-4078-b367-2e7b75d645f2/localhost:44300@2c439330-685e-4c13-817b-e057b9637ad0",
    "iss": "00000001-0000-0000-c000-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
    "nbf": 1352665645,
    "exp": 1352708845,
    "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2c439330-685e-4c13-817b-e057b9637ad0",
    "appctx": {
      "CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
      "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"
    },
    "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw…",
    "isbrowserhostedapp": true
  }

  aud           = clientId/appHost@realm (the app and host this token is for)
  iss           = ACS principal@realm
  nbf           = 2012-11-11 20:27:25Z (11/11/2012 12:27:25 PM local)
  exp           = 2012-11-12 08:27:25Z (11/12/2012 12:27:25 AM local), i.e. the token lives 12 hours
  appctxsender  = SharePoint principal@realm
  refreshtoken  = what App.com exchanges at SecurityTokenServiceUri for an access token (step 6)
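The check App.com performs in step 6, on a token laid out like the one above, as an added example (this is not code from the deck or from TokenHelper): parse the JWT, verify the HS256 signature with the client secret, then check issuer, audience and validity window before trusting the refresh token inside. The claim values are the ones on the slide; the client secret, the clock value and the assumption that the HMAC key is the base64-decoded client secret (which is how TokenHelper treats it) are this example's own.

```python
"""Decode and validate a SharePoint low-trust context token (an HS256 JWT).

Added example, not code from the deck or from TokenHelper. Claim names and
sample values follow the decoded token on the slide above. Assumptions: the
client secret is the base64 string ACS gives the app and its decoded bytes
are the HMAC key (as TokenHelper does); the current time is passed in.
"""
import base64
import hashlib
import hmac
import json

ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # issuer on the slide
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # appctxsender on the slide

# Values from the decoded slide token; the secret is constructed for this example.
REALM = "2c439330-685e-4c13-817b-e057b9637ad0"
CLIENT_ID = "ad696e55-3f33-4078-b367-2e7b75d645f2"
APP_HOST = "localhost:44300"
CLIENT_SECRET_B64 = base64.b64encode(b"example-client-secret-not-a-real-one").decode()
SAMPLE_CLAIMS = {
    "aud": f"{CLIENT_ID}/{APP_HOST}@{REALM}",
    "iss": f"{ACS_PRINCIPAL}@{REALM}",
    "nbf": 1352665645,
    "exp": 1352708845,
    "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
    "appctx": {"CacheKey": "BSiK8SfA/eVNeMMtIJcVBO3lI5LXcPc7JwIG2XcjX4w=",
               "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"},
    "refreshtoken": "IAAAAKBCoPpo-EVoOgwA0fwH5PWw",  # truncated on the slide as well
    "isbrowserhostedapp": True,
}


class ContextTokenError(ValueError):
    """Raised for any token the app must refuse."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # JWT parts drop the padding


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _hs256(signing_input: bytes, client_secret_b64: str) -> bytes:
    return hmac.new(base64.b64decode(client_secret_b64), signing_input, hashlib.sha256).digest()


def make_context_token(claims: dict, client_secret_b64: str) -> str:
    """Mint a token the way ACS would; used here only to build inputs for the check below."""
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = _hs256(f"{header}.{payload}".encode("ascii"), client_secret_b64)
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_context_token(token: str, client_secret_b64: str, client_id: str,
                           app_host: str, realm: str, now: int) -> dict:
    """Step 6 of the flow: return the claims only if the token is genuine, for us, and current."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ContextTokenError("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token must not pick its own algorithm ("none", RS256, ...)
        raise ContextTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = _hs256(f"{header_b64}.{payload_b64}".encode("ascii"), client_secret_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ContextTokenError("signature does not verify with our client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{realm}":
        raise ContextTokenError(f"issuer is not ACS for realm {realm}: {claims.get('iss')!r}")
    if claims.get("aud") != f"{client_id}/{app_host}@{realm}":  # a token for another app or host is refused
        raise ContextTokenError(f"audience mismatch: {claims.get('aud')!r}")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ContextTokenError("token not yet valid or expired")
    return claims


if __name__ == "__main__":
    token = make_context_token(SAMPLE_CLAIMS, CLIENT_SECRET_B64)
    ok = validate_context_token(token, CLIENT_SECRET_B64, CLIENT_ID, APP_HOST, REALM, now=1352670000)
    print("refresh token:", ok["refreshtoken"], "-> exchange at", ok["appctx"]["SecurityTokenServiceUri"])
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so a payload that merely claims a later exp or a different aud never gets that far, and the audience check ties the token to this client ID and host so a context token captured for one app cannot be replayed at another.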

Page 37: Low Trust Plumbing

The process for hooking up an on-premise farm to use low trust is:
  Create an O365 tenancy; it doesn't need any user licenses
  Replace the token signing certificate for the local SharePoint STS
  Set up an Azure Service Application Proxy, an SPTrustedSecurityTokenIssuer, and SPNs for the MsolServicePrincipal

Good news! Just follow the guide and run the script found here: http://msdn.microsoft.com/en-us/library/dn155905.aspx

Page 38: High Trust (section divider)

Page 39: High Trust Plumbing

Unlike low trust apps, you don't get a context token
You have to use a certificate to sign the token your app sends to SharePoint
Register the certificate in SharePoint using PowerShell

Page 40: High Trust Plumbing – Building An App

Use the VS wizard and select provider-hosted, then select the cert (pfx), type its password, and enter the Issuer (App) ID
Place the cert in a directory that the web's app pool identity has read access to, and keep everyone else out: whoever can read that private key can mint tokens SharePoint will accept for any user
Create your client context using TokenHelper and enjoy the OAuth power that ensues!!

Page 41: High Trust Management

It's called high trust for a reason: YOU control what user identity is put in the token. SharePoint does not authenticate that user; your app has to, before it writes the identity into the token.
That identity is "rehydrated" by finding a matching user in the UPA (User Profile Application)
It's up to you to create a token with an appropriate identifier value:
  Account name (AKA nameId)
  SMTP
  UPN
  SIP

Page 42: Using Certificates for High Trust Apps

You can choose to have each app use its own cert, or have apps share a cert
Each cert that's used needs to be trusted by SharePoint using the New-SPTrustedSecurityTokenIssuer cmdlet
That is important if you ever want to stop trusting an app:
  If each app has its own cert, you just stop trusting that cert
  If apps share a cert, then you need to:
    Stop trusting the cert
    Have all the other apps you still trust start using a new cert
    Configure SharePoint to start trusting the new cert

Page 43: Apps Authorization (section divider)

Page 44: Consent Form (screenshot)

Page 45: Permission requests

Apps request the permissions they require to run, in AppManifest.xml:

  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
      <Property Name="BaseTemplateId" Value="101"/>   <!-- 101 = document library -->
    </AppPermissionRequest>
    <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
    <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal"/>
  </AppPermissionRequests>

Anatomy of one request, <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>:
  http://sharepoint   = product
  /content            = permission provider
  /sitecollection     = specific component
  Right="Read"        = capability

Page 46: Available app permissions

  Scope                                               Scope alias                    Right(s)
  http://sharepoint/content/tenant                    AllSites                       Read; Write; Manage; FullControl
  http://sharepoint/content/sitecollection            Site                           Read; Write; Manage; FullControl
  http://sharepoint/content/sitecollection/web        Web                            Read; Write; Manage; FullControl
  http://sharepoint/content/sitecollection/web/list   List                           Read; Write; Manage; FullControl
  http://sharepoint/bcs/connection                    None (not currently supported) Read
  http://sharepoint/search                            Search                         QueryAsUserIgnoreAppPrincipal
  http://sharepoint/projectserver                     ProjectAdmin                   Manage
  http://sharepoint/projectserver/projects            Projects                       Read; Write
  http://sharepoint/projectserver/projects/project    Project                        Read; Write
  http://sharepoint/projectserver/enterpriseresources ProjectResources               Read; Write
  http://sharepoint/projectserver/statusing           ProjectStatusing               SubmitStatus
  http://sharepoint/projectserver/reporting           ProjectReporting               Read
  http://sharepoint/projectserver/workflow            ProjectWorkflow                Elevate
  http://sharepoint/social/tenant                     AllProfiles                    Read; Write; Manage; FullControl
  http://sharepoint/social/core                       Social                         Read; Write; Manage; FullControl
  http://sharepoint/social/microfeed                  Microfeed                      Read; Write; Manage; FullControl
  http://sharepoint/taxonomy                          TermStore                      Read; Write
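A reviewer's check for the manifest on Page 45 against the table above, as an added example (not code from the deck): parse the AppPermissionRequests block, reject scope/right pairs the table does not list, and flag the combinations that deserve a second look before anyone clicks "Trust It". The table is transcribed from the slide; the two review rules (tenant-wide rights, and AllowAppOnlyPolicy combined with Manage or FullControl) are this example's own policy, not a SharePoint rule, and the sample manifest is the deck's snippet with the search right spelled as the table lists it.

```python
"""Check the AppPermissionRequests block of an AppManifest.xml against the
scope/right table on the slide above.

Added example, not code from the deck. SUPPORTED_RIGHTS is transcribed from
the table; the rules in review_permission_requests are this example's own
review policy, not a SharePoint rule.
"""
import xml.etree.ElementTree as ET

CRUD = {"Read", "Write", "Manage", "FullControl"}
SUPPORTED_RIGHTS = {  # scope URI -> (scope alias, rights the scope supports)
    "http://sharepoint/content/tenant": ("AllSites", CRUD),
    "http://sharepoint/content/sitecollection": ("Site", CRUD),
    "http://sharepoint/content/sitecollection/web": ("Web", CRUD),
    "http://sharepoint/content/sitecollection/web/list": ("List", CRUD),
    "http://sharepoint/bcs/connection": (None, {"Read"}),  # no alias ("not currently supported")
    "http://sharepoint/search": ("Search", {"QueryAsUserIgnoreAppPrincipal"}),
    "http://sharepoint/projectserver": ("ProjectAdmin", {"Manage"}),
    "http://sharepoint/projectserver/projects": ("Projects", {"Read", "Write"}),
    "http://sharepoint/projectserver/projects/project": ("Project", {"Read", "Write"}),
    "http://sharepoint/projectserver/enterpriseresources": ("ProjectResources", {"Read", "Write"}),
    "http://sharepoint/projectserver/statusing": ("ProjectStatusing", {"SubmitStatus"}),
    "http://sharepoint/projectserver/reporting": ("ProjectReporting", {"Read"}),
    "http://sharepoint/projectserver/workflow": ("ProjectWorkflow", {"Elevate"}),
    "http://sharepoint/social/tenant": ("AllProfiles", CRUD),
    "http://sharepoint/social/core": ("Social", CRUD),
    "http://sharepoint/social/microfeed": ("Microfeed", CRUD),
    "http://sharepoint/taxonomy": ("TermStore", {"Read", "Write"}),
}

# The deck's Page 45 snippet (constructed input for this example).
SAMPLE_MANIFEST = """\
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Manage"/>
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal"/>
</AppPermissionRequests>
"""


def _local(tag):  # strip the manifest XML namespace, if the element carries one
    return tag.rsplit("}", 1)[-1]


def parse_permission_requests(manifest_xml):
    """Return (allow_app_only, [{scope, right, properties}, ...]) from a whole manifest or a bare block."""
    root = ET.fromstring(manifest_xml)
    block = next((e for e in root.iter() if _local(e.tag) == "AppPermissionRequests"), None)
    if block is None:
        return False, []
    app_only = (block.get("AllowAppOnlyPolicy") or "false").lower() == "true"
    requests = []
    for req in block:
        if _local(req.tag) != "AppPermissionRequest":
            continue
        props = {p.get("Name"): p.get("Value") for p in req if _local(p.tag) == "Property"}
        requests.append({"scope": req.get("Scope"), "right": req.get("Right"), "properties": props})
    return app_only, requests


def review_permission_requests(manifest_xml):
    """Return a list of findings; an empty list means every request is supported and unremarkable."""
    app_only, requests = parse_permission_requests(manifest_xml)
    findings = []
    for r in requests:
        entry = SUPPORTED_RIGHTS.get(r["scope"])
        if entry is None:
            findings.append(f"unknown scope {r['scope']!r}")
            continue
        alias, rights = entry
        name = alias or r["scope"]
        if r["right"] not in rights:
            findings.append(f"{r['right']} is not a supported right for {name} "
                            f"(supported: {', '.join(sorted(rights))})")
            continue
        if r["scope"].endswith("/tenant"):
            findings.append(f"{r['right']} on {name} reaches every site collection or profile in the tenant")
        if app_only and r["right"] in {"Manage", "FullControl"}:
            findings.append(f"app-only policy plus {r['right']} on {name}: "
                            f"the app can do this with no user in the context")
    return findings


if __name__ == "__main__":
    for finding in review_permission_requests(SAMPLE_MANIFEST):
        print("-", finding)
```

On the deck's own manifest this reports one finding, the app-only Manage right on the microfeed, which is exactly the combination the Page 47 policy slide compares to RunWithElevatedPrivileges; a manifest that abbreviates the search right to "Query" is reported as unsupported rather than silently accepted.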

Page 47: Permission Policies

User Only
  Same as SharePoint 2010

App + User
  Both the user and the app need permission to execute
  Apps can be installed by a Site Owner
  Most common

App Only
  Provider hosted only
  Site Collection or Tenant Admin permissions needed to install
  Similar to "RunWithElevatedPrivileges": the call is authorized on the app's rights alone, with no user in the context

Page 48: Recap

Authentication
  Depends on the client side or server side call model
  Depends on the trust model

Authorization
  Depends on the policy model
  Defined in AppManifest

Page 50: Thank You! Questions?