Developing provider-hosted apps by using S2S trusts
Before you begin to develop a provider-hosted app with an S2S trust, you should first complete the following steps.
- Create a .cer certificate file containing a public/private key pair.
- Use the .cer file to register a trusted security token issuer.
- Register an app principal with a client ID to help track app identity.
- Export the private key to a password-protected .pfx file.
- Make the .pfx file accessible on the server running the remote web.
After you have completed these steps, it is relatively simple to
create a new provider-hosted app with Visual Studio 2012 and configure
it to use an S2S trust. The first step is to update the app manifest
with the client ID of an app principal that has already been registered.
<AppPrincipal>
<RemoteWebApplication ClientId="22222222-2222-2222-2222-222222222222" />
</AppPrincipal>
The next step is to update the web.config file of the remote web with four appSettings
variables that track the IDs of the trusted security-token issuer and
the app principal as well as the file path and password required to
extract the private key from the .pfx file at run time. Note that these
four appSettings variables are used by Microsoft-supplied code in the TokenHelper class. The information in these four variables is used each time the TokenHelper class creates an S2S access token.
<appSettings>
<add key="ClientId" value="22222222-2222-2222-2222-222222222222" />
<add key="ClientSigningCertificatePath" value="C:\Certs\appserver.wingtip.com.pfx" />
<add key="ClientSigningCertificatePassword" value="Password1" />
<add key="IssuerId" value="11111111-1111-1111-1111-111111111111" />
</appSettings>
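The preflight check below is an added example, not code from the original article or from the TokenHelper class, and the class name S2SConfigCheck is hypothetical. It reads the four appSettings shown above and confirms, before any token is requested, that both IDs are GUIDs, that the .pfx opens with the configured password, that it carries the private key TokenHelper signs with, and that the certificate is still within its validity period, so a misconfiguration surfaces as a specific error instead of a 401 from the SharePoint host.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper added as an example; not part of TokenHelper.
public static class S2SConfigCheck
{
    // Returns the problems found; an empty list means the four
    // S2S appSettings look usable before TokenHelper is ever called.
    public static IList<string> Validate()
    {
        var problems = new List<string>();
        string clientId = ConfigurationManager.AppSettings["ClientId"];
        string issuerId = ConfigurationManager.AppSettings["IssuerId"];
        string pfxPath = ConfigurationManager.AppSettings["ClientSigningCertificatePath"];
        string pfxPassword = ConfigurationManager.AppSettings["ClientSigningCertificatePassword"];
        // Both IDs must be GUIDs: TokenHelper uses them as the issuer and
        // client identity of every access token it creates.
        Guid parsed;
        if (!Guid.TryParse(clientId, out parsed))
            problems.Add("ClientId is missing or not a GUID.");
        if (!Guid.TryParse(issuerId, out parsed))
            problems.Add("IssuerId is missing or not a GUID.");
        if (string.IsNullOrEmpty(pfxPath) || !File.Exists(pfxPath))
        {
            problems.Add("ClientSigningCertificatePath does not point to an existing file.");
            return problems;
        }
        try
        {
            // Open the .pfx the same way TokenHelper does at run time.
            var cert = new X509Certificate2(pfxPath, pfxPassword);
            if (!cert.HasPrivateKey)
                problems.Add("The .pfx has no private key, so tokens cannot be signed.");
            DateTime now = DateTime.Now;
            if (now < cert.NotBefore || now > cert.NotAfter)
                problems.Add("The signing certificate is outside its validity period.");
        }
        catch (Exception ex)
        {
            // A wrong password, a corrupt file, or an app pool account
            // without read access to the .pfx all surface here.
            problems.Add("Could not open the .pfx: " + ex.Message);
        }
        return problems;
    }
}
```

Call S2SConfigCheck.Validate() from Application_Start and log each returned string; the list is empty when the configuration matches what TokenHelper expects.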
At this point, you have seen all the steps required to configure an
S2S trust. All that’s left to do is to write the code to create access tokens and to pass them to the SharePoint host environment in the Authorization header. The code in Example 5 demonstrates how to create an S2S access token by calling the GetS2SAccessTokenWithWindowsIdentity method of the TokenHelper class. After you have created an S2S access token string, you add it as an Authorization header by using exactly the same code as you would in an app that uses OAuth.
Example 5. Creating an S2S access token
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Xml.Linq;

// build the host web URI from the SPHostUrl query string parameter
string hostWebUrl = Request.QueryString["SPHostUrl"];
Uri hostWebUri = new Uri(hostWebUrl);
// the S2S token is created for the identity of the current Windows user
WindowsIdentity currentUser = Request.LogonUserIdentity;
string accessTokenString =
TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWebUri, currentUser);
// prepare HttpWebRequest to execute REST API call
HttpWebRequest request1 =
(HttpWebRequest)WebRequest.Create(hostWebUrl + "/_api/Web/title");
// add access token string as Authorization header
request1.Headers.Add("Authorization", "Bearer " + accessTokenString);
// execute REST API call and inspect response
HttpWebResponse response1 = (HttpWebResponse)request1.GetResponse();
StreamReader reader1 = new StreamReader(response1.GetResponseStream());
XDocument doc1 = XDocument.Load(reader1);
string SiteTitle = doc1.Root.Value;