Who Are You and What Do You Want? Working with OAuth in SharePoint 2013

CKS:DEV

TheSharePointCowboy

Patterns&

Practices

Eric Shupps

www.sharepointcowboy.com eshupps@binarywave.com facebook.com/sharepointcowboy @eshupps

Introduction

Farms

On PremiseApps

OAuth+

SharePoint

Servers

CloudApps

Agenda

INTRODUCTION

authorization

User requests access App requests Request Token

Provider returns Request Token

App builds auth link w/ Request Token

User requests URL + Request Token

Provider returns access token

User requests URL + Access Token

App validates access token

Access token validated

User granted access

1

2

3

User requests access App requests Request Token

Provider returns Request Token

App builds auth link w/ Request Token

User requests URL + Access Token

App validates access token

Access token validated

User granted access

1

2

OAuth in SharePoint 2013

Manages identity information for principals (STS) Identity ProviderHandles requests for trusted identity claimsSecurity Token ServiceIdentity provider associated with a web applicationIdentity Token IssuerTrusted resource (farm, server, etc.)Security Token IssuerResource information and signing certificate (JSON)Metadata EndpointUsed to request permission to protected resourceRequest TokenUsed by App to access resource on behalf of userAccess TokenOperation scope for authorizationRealmCloud-based security token service (IP-STS)Azure ACS

Farms

COLLABORATEMy Sites

Content

Distributed Roles

Enterprise Features

Managed Metadata

Search

Shared Service Applications

Request Management

ConsumerExport Root & STS Certificates

Copy Certificates

Import root certificate(s) and create trusted root authority

Provider

Export Root Certificate

Copy Certificates

Import STS Certificate

Create Trusted Service Token Issuer

Import root certificate(s) and create trusted root authority

Consumer Provider

Create Trusted Root Authority

Set Authentication Realm

Create Trusted Security Token Issuer

Create App Principals

Create Trusted Root Authority

Create Trusted Security Token Issuer

Servers

Other

Lync

Office Web Applications

Workflow

Servers

Exchange

Certificates MetadataCreate security token issuer

Assign app principal permissions

Install client components

Export/Import certificates

Create root authorities

Execute configuration scripts

Execute configuration scripts

Apps

App establishes context

SP validates S2S trust

App requests access token from SP

Browser POSTS parameters to App

SP returns parameters

User browses to App

User PermissionsApp behaves in context of user

Consistent across all requests

Specific access rights and scope requested by app

App Only Permissions

Granted on app installation

Establish client context

Get access token with S2S

Get claims from Windows identity

Get request parameters

CLOUD

App establishes context

ACS provides access token

App requests access token from ACS

Browser POSTS request token to app

SP sends request tokens to browser

SP gets request token from ACS

User browses to app

Get client context from SP with access token

Get access token

Read and validate context token

Parse out Context Token

Get POST parameters from SP

Description LinkOAuth Working Group http://oauth.net/

OAuth Resource Guide http://bit.ly/14CWPNb

Authorization and authentication for apps in SharePoint 2013 http://bit.ly/16f8WFh

Setting up an OAuth trust between farms in SharePoint 2013 http://bit.ly/12Yr7e3

Plan for server-to-server authentication in SharePoint 2013 http://bit.ly/1chAgFl

What’s new in authentication for SharePoint 2013 http://bit.ly/1e6KaYv

Creating High-Trust apps with S2S http://bit.ly/18RL8uL