2. Understanding app principals
The SharePoint 2013 implementation of the OAuth protocol requires
any app using external authentication to have an associated security
principal known as an app principal. You can think of an app principal
as a type of security account similar to a user account. The app
principal for a cloud-hosted app in the Office 365 environment must be
registered within the context of an Office 365 tenancy. A key point is
that the app principal is similar to a user account because it is used
to establish an identity during the app authentication process.
When you register an app principal within the context of an Office
365 tenancy, the SharePoint host environment tracks it in the App
Management Service database. As part of the same registration process,
the Office 365 environment also forwards information about the new app
principal to Windows Azure ACS. This makes it possible for Windows
Azure ACS to keep its configuration data for app principals in sync with each Office 365 tenancy.
The client ID is a GUID that is used to identify the app principal
associated with a cloud-hosted app. Note that the client ID is
sometimes referred to as the app ID.
Don’t be confused into thinking that the client ID and the app ID are
different. They are just two terms that are used to refer to the same
thing.
The title is a human-readable string for the app principal which is displayed to users within the Office 365 tenancy.
The app host domain is the base URL for the domain in which the
remote web is hosted. The registration of app host domain is important
because it makes it possible for both the hosting Office 365 tenancy
and Windows Azure ACS to ensure that calls from the remote web of an
app have originated from the well-known URL.
The redirect URL
is a property that is used for scenarios in which external applications
and external websites need to request permissions on the fly. This
property is optional. You can register an app principal without a
redirect URL.
Registering app principals
When it comes to registering the app principal for an autohosted
app, things are pretty easy. That’s because the app principal is
registered transparently behind the scenes as part of the app
installation process.
When it comes to registering the app principal for a provider-hosted
app, there are extra steps involved. The app principal must be
explicitly registered by a user that possesses administrative
permissions within the hosting Office 365 tenancy.
There are several ways by which you can register an app principal
for a provider-hosted app in an Office 365 tenancy. The easiest way to
do so is to use a standard application page named AppRegNew.aspx that was added to SharePoint 2013, as shown in Figure 1. As you can see, the AppRegNew.aspx page uses the terms App Id and App Secret
instead of client ID and client secret. However, you have already
learned that these are just different terms that refer to the client ID
and the client secret.
A second way to register an app principal for a provider-hosted app in the Office 365 environment involves using the SharePoint Online Windows PowerShell Library.
This is a Windows PowerShell library that you install on a local
computer that provides cmdlets with which you can create a remote
connection to your Office 365 tenancy. After you have established an
authenticated connection, the SharePoint Online Windows PowerShell
Library provides additional cmdlets with which you can manage various
aspects of your Office 365 tenancies, including creating and managing
app principals.
Understanding app authentication flow in Office 365
The OAuth 2.0 protocol involves passing various types of security
tokens between Windows Azure ACS, the hosting Office 365 tenancy, and
the remote web. The following list shows the different types of security tokens that are passed between the participants when authenticating an app by using OAuth.
-
Context token
-
Refresh token
-
Access token
-
Authorization code
The context token
is a security token that’s used to pass contextual information such as
the identity of the current user, the URL of the host web, and the ID
of the current tenancy. The context token is created by Windows Azure
ACS and initially passed to the SharePoint host environment. The
SharePoint host environment is then able to pass the context token to
the remote web, where it can be accessed and used by server-side code
in the remote web.
The refresh token is included within the context token that is
passed to the remote web. The value of the refresh token is that it can
be used by code in the remote web to obtain an access token from
Windows Azure ACS.
When a refresh token is created, it’s good for a period of 6 months,
whereas an access token is only good for 12 hours. Therefore, it often
makes sense for an app to store refresh tokens in a database from which they can be retrieved and reused to create access tokens on demand.
The access token is what the server-side code in the remote web
actually needs to execute authenticated calls back to the SharePoint
host environment by using CSOM or the REST API. Therefore, the remote
web requires code to explicitly call into Windows Azure ACS and obtain
access tokens when required.
An authorization code is a special type of security token used for a
scenario in which an external website that has never been installed as
a SharePoint app wants to acquire permissions on the fly to call in to
a SharePoint site.
Now that you have learned about the different types of security
tokens, you can understand how the app authentication flow works in a
typical scenario with a cloud-hosted app that has been installed in an
Office 365 tenancy. Figure 2
shows 10 different stages within the OAuth authentication flow as
security tokens are passed back and forth between the Office 365
tenancy, Windows Azure ACS, and the remote web of the cloud-hosted app.
Let’s begin with stage 1, when the user first accesses a page in a SharePoint site within an Office 365 tenancy.
The user is authenticated and a SAML token is created that contains
information about the user identity such as the user’s logon name.
In stage 2, the user navigates to the Site Contents page in which
the SharePoint host environment must display a tile that the user can
employ to launch the app.
When the SharePoint host environment needs to create a tile with an app
launcher, it must first call to Windows Azure ACS and request creation of a context token.
When the SharePoint host environment calls to Windows Azure ACS to
create a context token, it passes information about the current user,
the host web, and the current tenancy. Windows Azure ACS needs this
information because it must add information about the current user, the
host web, and the current tenancy inside the context token. In stage 3,
Windows Azure ACS creates the context token and returns it to the
SharePoint host environment.
In stage 4, the SharePoint host environment has the context token
returned from Windows Azure ACS. The SharePoint host environment makes
use of the context token by adding it into the JavaScript code for the app launcher on the Site Contents page.
Stage 5 occurs when the user clicks the tile for the app on the Site
Contents page and launches the app. The JavaScript code behind the app
launcher redirects the user to the app’s start page in the remote web
by using an HTTP POST request. When the HTTP POST request is executed, the context token is passed to the remote web by using a form variable named SPAppToken.
In stage 6 the client app retrieves the context token from SPAppToken
in the incoming request to the state page. The client app is then able
to read what’s inside the context token to obtain information about the
current user, the host web, and the current tenancy. The client app
also has the ability to extract the refresh token from the context
token.
Stage 6 is where the client app calls to Windows Azure ACS to
request an access token. When requesting an access token, the client
app must pass the refresh token. In stage 7, Windows Azure ACS creates
the access token from the refresh token and passes it back to the
client app. Note that Windows Azure creates an access token that has
both the identity of the app as well as the identity of the current
user.
Once the client app has obtained an access token from Windows Azure
ACS, it is finally at a point at which it can make an authenticated
call to the host web by using either CSOM or the REST API. Stage 8
shows the client app making a CSOM or REST API call on the host web.
When making this type of call, the client app must include explicit
programming to ensure that the access token is passed in each call
using an HTTP header.
In Stage 9, the SharePoint host environment is able to authenticate
the call from the app by using the access token. As long as the
SharePoint host environment is able to determine that the authenticated
app and the current user both have the proper permissions, it returns
content back to the client app.
In the final stage, stage 10, the client app is able to return a
page from the remote web that displays content from the host web that
was retrieved during stages 8 and 9.
You have now seen the end-to-end flow of authentication that’s used in an OAuth scenario.
