IT tutorials
 
Technology
 

Sharepoint 2013 : SharePoint App Security - Establishing app identity by using OAuth (part 1) - Understanding app principals

2/7/2014 8:36:49 PM
- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

OAuth is a standard Internet protocol for authentication and authorization which provides a cross-platform mechanism for managing app identity and app permissions. Although the original version OAuth 1.0 is still being used by some software companies, a second version, OAuth 2.0, was created to simplify development while still providing app authentication and specific authorization flows for web apps, desktop applications, and mobile devices.

Today, the OAuth 2.0 protocol is used by software companies such as Microsoft, Google, Facebook, and Salesforce.com. When Microsoft began to design the external authentication infrastructure for provided-hosted apps and autohosted apps in Office 365, it made a decision to build its implementation on top of the OAuth 2.0 protocol. More specifically, it decided that access tokens used for external authentication in the Office 365 environment would be created in accordance with the OAuth 2.0 specification.

Microsoft’s implementation of OAuth 2.0 is built on top of the Windows Azure ACS. ACS is a cloud-hosted service on the Internet that is sponsored by Microsoft. The SharePoint host environment in Office 365 has been configured with a trust to ACS. This allows ACS to act as an S2S that creates access tokens that can be authenticated by Office 365. In most cases, the access tokens created by ACS will contain both app identity and user identity. However, ACS is also capable of creating access tokens with only app identity for scenarios in which an app requires app-only permissions.

Note that the OAuth 2.0 specification provides a way to add permissions into an access token. However, this aspect of the OAuth specification not used in the SharePoint 2013 implementation. SharePoint 2013 makes use of OAuth for app authentication but not for any type of authorization or permissions management. Instead, it tracks and manages app permissions independently of the app authentication scheme in use so that app permissions works the same way as you switch between internal app authentication and external app authentication using either OAuth or S2S authentication.

1. Understanding where OAuth fits in

Understanding where OAuth fits in

At a high level, it is fair to say that OAuth is primarily used for external app authentication in the Office 365 environment, whereas S2S authentication is used for external app authentication in on-premises farms. A common question is whether a company can use OAuth in on-premises farms. The answer to this question is—of course—it depends.

Although it is technically possible to configure OAuth support for external app authentication in an on-premises farm, you have to remember that the OAuth implementation in SharePoint 2013 is tightly coupled to Windows Azure ACS. The technical requirements for configuring OAuth support in an on-premises farm include obtaining an Office 365 tenancy from Microsoft and synchronizing user accounts between the on-premises farm and this Office 365 tenancy. Additional configuration is required to create trusts so that the local on-premises SharePoint farm and the remote web can both communicate with Windows Azure ACS.

The key takeaway is that OAuth is only supported in scenarios in which it is acceptable to have dependencies on Microsoft-hosted authentication servers in the cloud. OAuth cannot be used in a scenario in which you are required to avoid dependencies outside the LAN in which you are hosting an on-premises SharePoint farm and the remote web for a provider-hosted app.

Understanding OAuth terms and concepts

The OAuth 2.0 protocol defines a flow for app authentication, which involves the following four participants.

  1. Content owners

  2. Client app

  3. Content server

  4. Authentication server

Content owners represent the users who can grant access to the content in a site. In a SharePoint 2013 environment, a content owner has permissions to access objects such as sites, lists, and items, and can consequently grant these same permissions to an app.

The client app represents that part of a website that runs across the network. In a SharePoint 2013 environment, the client app is the portion of the app that runs in the remote web.

The content server is the web server that hosts the site with content. In a SharePoint 2013 environment, the content server is a web server hosted within the Office 365 environment that provides access to SharePoint sites within an Office 365 tenancy for a specific customer.

The authentication server is a server that creates access tokens used for app authentication. The authentication server must be trusted by both the content server and the client app. In a SharePoint 2013 environment, the authentication server is always Windows Azure ACS.

2. Understanding app principals

The SharePoint 2013 implementation of the OAuth protocol requires any app using external authentication to have an associated security principal known as an app principal. You can think of an app principal as a type of security account similar to a user account. The app principal for a cloud-hosted app in the Office 365 environment must be registered within the context of an Office 365 tenancy. A key point is that the app principal is similar to a user account because it is used to establish an identity during the app authentication process.

When you register an app principal within the context of an Office 365 tenancy, the SharePoint host environment tracks it in the App Management Service database. As part of the same registration process, the Office 365 environment also forwards information about the new app principal to Windows Azure ACS. This makes it possible for Windows Azure ACS to keep its configuration data for app principals in sync with each Office 365 tenancy.

The profile for an app principal contains five important properties:

  • Client ID

  • Client secret

  • Title

  • App host domain

  • Redirect URL

The client ID is a GUID that is used to identify the app principal associated with a cloud-hosted app. Note that the client ID is sometimes referred to as the app ID. Don’t be confused into thinking that the client ID and the app ID are different. They are just two terms that are used to refer to the same thing.

The client secret (also known as the app secret) is a security key created by using a Base64-encoded string which is used to perform symmetric encryption. The client secret is shared between the client app, the hosting Office 365 tenancy, and Windows Azure ACS. The client secret is an integral part of the app authentication process because it facilitates communication among these three parties in a way that makes it possible for messages to be encrypted and authenticated.

The title is a human-readable string for the app principal which is displayed to users within the Office 365 tenancy.

The app host domain is the base URL for the domain in which the remote web is hosted. The registration of app host domain is important because it makes it possible for both the hosting Office 365 tenancy and Windows Azure ACS to ensure that calls from the remote web of an app have originated from the well-known URL.

The redirect URL is a property that is used for scenarios in which external applications and external websites need to request permissions on the fly. This property is optional. You can register an app principal without a redirect URL.

Deploying the remote web by using Secure Sockets Layer

Note that the remote web associated with an app in a production should always be deployed by using Secure Sockets Layer (SSL). The reason for this is that SSL significantly lowers the risk of an attack by which the attacker calls to the Office 365 host environment pretending to originate from the app host domain when in fact it is being made from some other domain.

Registering app principals

When it comes to registering the app principal for an autohosted app, things are pretty easy. That’s because the app principal is registered transparently behind the scenes as part of the app installation process.

When it comes to registering the app principal for a provider-hosted app, there are extra steps involved. The app principal must be explicitly registered by a user that possesses administrative permissions within the hosting Office 365 tenancy.

There are several ways by which you can register an app principal for a provider-hosted app in an Office 365 tenancy. The easiest way to do so is to use a standard application page named AppRegNew.aspx that was added to SharePoint 2013, as shown in Figure 1. As you can see, the AppRegNew.aspx page uses the terms App Id and App Secret instead of client ID and client secret. However, you have already learned that these are just different terms that refer to the client ID and the client secret.

The AppRegNew.aspx page can be used to register an app principal for a provider-hosted app.

Figure 1. The AppRegNew.aspx page can be used to register an app principal for a provider-hosted app.

A second way to register an app principal for a provider-hosted app in the Office 365 environment involves using the SharePoint Online Windows PowerShell Library. This is a Windows PowerShell library that you install on a local computer that provides cmdlets with which you can create a remote connection to your Office 365 tenancy. After you have established an authenticated connection, the SharePoint Online Windows PowerShell Library provides additional cmdlets with which you can manage various aspects of your Office 365 tenancies, including creating and managing app principals.

Understanding app authentication flow in Office 365

The OAuth 2.0 protocol involves passing various types of security tokens between Windows Azure ACS, the hosting Office 365 tenancy, and the remote web. The following list shows the different types of security tokens that are passed between the participants when authenticating an app by using OAuth.

  1. Context token

  2. Refresh token

  3. Access token

  4. Authorization code

The context token is a security token that’s used to pass contextual information such as the identity of the current user, the URL of the host web, and the ID of the current tenancy. The context token is created by Windows Azure ACS and initially passed to the SharePoint host environment. The SharePoint host environment is then able to pass the context token to the remote web, where it can be accessed and used by server-side code in the remote web.

The refresh token is included within the context token that is passed to the remote web. The value of the refresh token is that it can be used by code in the remote web to obtain an access token from Windows Azure ACS.

When a refresh token is created, it’s good for a period of 6 months, whereas an access token is only good for 12 hours. Therefore, it often makes sense for an app to store refresh tokens in a database from which they can be retrieved and reused to create access tokens on demand.

The access token is what the server-side code in the remote web actually needs to execute authenticated calls back to the SharePoint host environment by using CSOM or the REST API. Therefore, the remote web requires code to explicitly call into Windows Azure ACS and obtain access tokens when required.

An authorization code is a special type of security token used for a scenario in which an external website that has never been installed as a SharePoint app wants to acquire permissions on the fly to call in to a SharePoint site.

Now that you have learned about the different types of security tokens, you can understand how the app authentication flow works in a typical scenario with a cloud-hosted app that has been installed in an Office 365 tenancy. Figure 2 shows 10 different stages within the OAuth authentication flow as security tokens are passed back and forth between the Office 365 tenancy, Windows Azure ACS, and the remote web of the cloud-hosted app.

Apps use context tokens and access tokens to validate incoming calls and create outgoing calls.

Figure 2. Apps use context tokens and access tokens to validate incoming calls and create outgoing calls.

Let’s begin with stage 1, when the user first accesses a page in a SharePoint site within an Office 365 tenancy. The user is authenticated and a SAML token is created that contains information about the user identity such as the user’s logon name.

In stage 2, the user navigates to the Site Contents page in which the SharePoint host environment must display a tile that the user can employ to launch the app. When the SharePoint host environment needs to create a tile with an app launcher, it must first call to Windows Azure ACS and request creation of a context token.

When the SharePoint host environment calls to Windows Azure ACS to create a context token, it passes information about the current user, the host web, and the current tenancy. Windows Azure ACS needs this information because it must add information about the current user, the host web, and the current tenancy inside the context token. In stage 3, Windows Azure ACS creates the context token and returns it to the SharePoint host environment.

In stage 4, the SharePoint host environment has the context token returned from Windows Azure ACS. The SharePoint host environment makes use of the context token by adding it into the JavaScript code for the app launcher on the Site Contents page.

Stage 5 occurs when the user clicks the tile for the app on the Site Contents page and launches the app. The JavaScript code behind the app launcher redirects the user to the app’s start page in the remote web by using an HTTP POST request. When the HTTP POST request is executed, the context token is passed to the remote web by using a form variable named SPAppToken.

In stage 6 the client app retrieves the context token from SPAppToken in the incoming request to the state page. The client app is then able to read what’s inside the context token to obtain information about the current user, the host web, and the current tenancy. The client app also has the ability to extract the refresh token from the context token.

Stage 6 is where the client app calls to Windows Azure ACS to request an access token. When requesting an access token, the client app must pass the refresh token. In stage 7, Windows Azure ACS creates the access token from the refresh token and passes it back to the client app. Note that Windows Azure creates an access token that has both the identity of the app as well as the identity of the current user.

Once the client app has obtained an access token from Windows Azure ACS, it is finally at a point at which it can make an authenticated call to the host web by using either CSOM or the REST API. Stage 8 shows the client app making a CSOM or REST API call on the host web. When making this type of call, the client app must include explicit programming to ensure that the access token is passed in each call using an HTTP header.

In Stage 9, the SharePoint host environment is able to authenticate the call from the app by using the access token. As long as the SharePoint host environment is able to determine that the authenticated app and the current user both have the proper permissions, it returns content back to the client app.

In the final stage, stage 10, the client app is able to return a page from the remote web that displays content from the host web that was retrieved during stages 8 and 9.

You have now seen the end-to-end flow of authentication that’s used in an OAuth scenario.
 
Others
 
- Sharepoint 2013 : SharePoint App Security - Managing app permissions
- InfoPath with SharePoint 2010 : Dynamically Populate a Repeating Table - Clear Previous Entries
- InfoPath with SharePoint 2010 : Dynamically Populate a Repeating Table - Loop Through the Secondary Data Source , Populate the Repeating Table
- InfoPath with SharePoint 2010 : Dynamically Populate a Repeating Table - Create a Namespace Variable, Access the Secondary Data Source
- InfoPath with SharePoint 2010 : Dynamically Populate a Repeating Table - Create a Changed Event Method
- InfoPath with SharePoint 2010 : Dynamically Populate a Repeating Table - Set Up the Initial Form
- Windows 7 : Managing Application Compatibility (part 6) - Installing and Configuring the Application Compatibility Toolkit
- Windows 7 : Managing Application Compatibility (part 5) - Using the Application Compatibility Toolkit - Compatibility Administrator , Internet Explorer Compatibility Test Tool
- Windows 7 : Managing Application Compatibility (part 4) - Using the Application Compatibility Toolkit - Application Compatibility Manager
- Windows 7 : Managing Application Compatibility (part 3) - Using the Program Compatibility Troubleshooter , Suppressing Compatibility Controls Using Group Policy
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Technology FAQ
- Is possible to just to use a wireless router to extend wireless access to wireless access points?
- Ruby - Insert Struct to MySql
- how to find my Symantec pcAnywhere serial number
- About direct X / Open GL issue
- How to determine eclipse version?
- What SAN cert Exchange 2010 for UM, OA?
- How do I populate a SQL Express table from Excel file?
- code for express check out with Paypal.
- Problem with Templated User Control
- ShellExecute SW_HIDE
programming4us programming4us