IT tutorials
Applications Server

Overview of Oauth in Sharepoint 2013 : Introduction to OAuth

6/27/2014 4:36:34 AM
- Windows 10 Product Activation Keys Free 2019 (All Versions)
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire


OAuth is an open standard managed by the Internet Engineering Task Force and is designed to allow applications to access services in a Web-friendly manner on behalf of an application or user.

Some might ask, “Why not just give the caller my username and password?” This unfortunately poses some issues that OAuth avoids:

  • The app can do everything and anything your account can do. This means that if the calling code had your username and password it could, for example, change your password or do things that you would rather it didn’t have access to. Because the app has your username and password it is as if you are making the calls and the service has no idea who the real caller is.
  • To the service, all calls look the same whether it is you or the calling app making the calls. This means keeping an audit trail is almost pointless because there is no way to tell who the caller really was if the same username is being used each time. Additionally, if you give your username and password to multiple services and one of them deletes information, you have no way to know which one it was. Obviously, this could cause some problems if you are not careful.
  • You can’t revoke access to a particular service without changing your password. This means that you would need to update your password on all those services that you want to continue working. If a few services are involved this task can be error-prone and cumbersome.

Here is a simple analogy to help explain this concept. Imagine an office building that is secured using swipe cards. A lot of sensitive information is stored in this office building and many people work in it each day. Now imagine each of those workers were issued the exact same swipe card. From the door lock–system logs you couldn’t tell who was accessing the building and when. Additionally, if you fired a worker and she didn’t give her swipe card back you would need to reissue everyone one else a new key. This is the same as sharing your username and password.

To solve these issues, OAuth introduces the concept of an application identity or application principle. This is simply an identity given to an app much the same way a user has a username and password. It offers the ability to control and manage access to resources at an application level versus a user level, and therefore you don’t need to give an app your username and password to access any desired resources. Furthermore, this means an app’s access can be monitored, audited, and revoked if needed. For an app to gain access to a service the user must deliberately grant that specific application access to that specific service. Access is only granted once that app identity is checked and verified as valid with permissions to the resource. This access may be scoped to specific resources within the service. This means, for example, that the user could grant the app access to some data, but not to change the user’s password. This also means that a user may revoke an app’s access to the service at any time without needing to affect other applications’ access.

So, revisiting the analogy, if the building security system used an OAuth style access system, each worker in the building would be granted an ID, and then his swipe card with that ID on it would be granted access to the particular areas of the building that he was allowed to be in. When a worker is revoked access, the building owner simply revokes access for that worker’s ID in the system. That way when the worker tries to swipe in he is denied access. Or, in the case when a worker changes departments, the building owner simply signifies that for that particular ID the person is now denied access to Level 1, for example, and is allowed access to Level 2. It’s the same in OAuth. Each app (the equivalent of a person in the analogy) is granted an ID and a set of privileges. When the caller tries to access a resource, the ID is verified and a check is made to ensure he is allowed access to that particular resource. If access is allowed, the call proceeds and if not, the caller is denied.

OAuth is supported and used by many large services on the Internet today such as Facebook and Twitter. Numerous open source libraries exist for various languages to assist with the standard OAuth messages involved in authorizing and calling a service. The SharePoint 2013 app framework and tools also include many helper libraries and functions to wrap a lot of the underlying OAuth protocol exchanges. In many cases a developer might never be aware of the communication and messages OAuth uses behind the scenes.


SharePoint apps use OAuth to authorize calls to SharePoint APIs. When an app calls an API in SharePoint to, for example, get some list data, SharePoint checks that the app identity is valid and has permissions to the resource; for example, a list. Additionally, the app may pass information about what the calling user identity is so that SharePoint can also check that the user has access to the resource. When discussing OAuth in the context of SharePoint, the following standard naming conventions are commonly used and therefore worth understanding:

  • Content owner: The user who installs the app and grants the application access to particular resources.
  • Client app: The SharePoint app that uses an API to access and make calls to the content server (SharePoint).
  • Content server: The SharePoint environment that has the resources the client app wants to access.
  • Authentication server: A service that both the client app and content server trust that creates the various tokens used in the OAuth process. In SharePoint the Authentication server is either Azure Access Control Services (ACS) in the case of Office 365 or a Security Token Service (STS) hosted with SharePoint in the case of SharePoint on premises.

When you’re building SharePoint apps, the three different app types fall into two distinct categories in regard to authentication and authorization:

  • Internally authenticated apps: Includes SharePoint-hosted apps
  • Externally authenticated apps: Includes Autohosted and Provider-hosted apps

The key difference between these two categories is that externally authenticated apps must explicitly authenticate with SharePoint, whereas internally authenticated apps do not. Take, for example, the case of a SharePoint-hosted app with some client-side code that uses the JavaScript Client-Side Object Model (CSOM) to create a SharePoint list item. In this case the JS code doesn’t need to authenticate explicitly with SharePoint. This is considered internal authentication because the code is served from the SharePoint domain.

An externally authenticated app is one where the code runs outside of the security boundary of SharePoint. For example, when your app code is running in Azure, that code must authenticate with SharePoint using OAuth prior to making API calls. As part of this process several important IDs, secrets, and “tokens” are used to authenticate and authorize a user and calls to the APIs:

  • Client ID
  • Client secret
  • Context token
  • Access token

The client ID and client secret are pre-issued identifiers and secret strings that only SharePoint and the app know about. These are shared and are used to sign the various tokens involved in the process.

The context token includes information about who the caller is and the Security Token Service (STS) that signed and issues tokens for this server. It also includes a “refresh token” that is used to request access tokens.

The access token is a token passed when accessing an API and is requested from the STS by the app when it needs to make calls.

The following sections show you how to create and manage client IDs and secrets, how the various parts of the authentication flows work, and how apps are granted access to various SharePoint resources.

- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 3) - Don’t Upgrade Crap
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 2) - What You Can’t Upgrade
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 1) - What You Can Upgrade
- Active Directory 2008 : Managing OUs (part 3) - Delegating Control of OUs
- Active Directory 2008 : Managing OUs (part 2) - Administering Properties of OUs
- Active Directory 2008 : Managing OUs (part 1) - Moving, Deleting, and Renaming OUs
- Microsoft Lync Server 2013 : Installing the Director Role (part 3) - Install Server
- Microsoft Lync Server 2013 : Installing the Director Role (part 2) - Creating a Director Pool - Edit Topology, Publish Topology
- Microsoft Lync Server 2013 : Installing the Director Role (part 1) - Prerequisites
- Microsoft Exchange Server 2013 : Creating special-purpose mailboxes (part 10) - Creating public folder mailboxes
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
Popular tags
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS