2.3 Understanding app authentication flow in SharePoint 2013
Now that you have learned about the fundamental differences between
internal authentication and external authentication, it’s time to walk
through the authentication flow used by the SharePoint host environment.
Remember that app
authentication is only supported in endpoints based on CSOM and the
REST API. Therefore, the SharePoint host environment uses only standard
user authentication for any request that is not based on CSOM or the
REST API. This includes scenarios for page requests from both the host
web and the app web.
When the SharePoint host environment processes a CSOM call or a REST
API call, it must do more work to determine which type of
authentication to use. The diagram in Figure 2
shows a flow chart that details the complexity and the factors that the
SharePoint host environment uses to choose the correct type of
authentication.
The first question the SharePoint
host environment asks after starting the authentication process for a
CSOM call or REST API call is whether the call carries a SAML token
with a user identity. If the incoming call does carry a SAML token, the
next question is whether the request targets an app web or not. If the call does not target an app
web, the SharePoint host environment uses standard user authentication
and sets up the call context with just the user identity. Note that
this is exactly what SharePoint does for any request that does not
target a CSOM or REST API endpoint.
When an incoming call with a SAML token targets the domain of an app
web, the SharePoint host environment determines that it must
authenticate the app that is associated with that app web. It then uses
internal authentication to authenticate the app, and it sets up the call
context with the app identity as well as the user identity it finds in
the SAML token.
When an incoming call carries an access token instead of a SAML
token, the SharePoint host environment determines that the call is from
an app and it must use external authentication to authenticate it. The
SharePoint host environment starts the external authentication process
by determining whether the access token is an OAuth token or an S2S
token and then validating the authenticity of the access token.
After the access token has been validated, the SharePoint host
environment can then extract information about the identity of the app.
The SharePoint host environment also inspects the access token to see
if it carries information about the identity of the current user. If it
does, the SharePoint host environment sets up the call context with
both app identity and user identity. If the access token does not
contain information about the identity of a user, it sets up the call
context only with app identity.
The last scenario involves a request that carries neither a
SAML token nor an access token. In this case, the SharePoint host
environment can establish neither app identity nor user identity. This
leads to the SharePoint host environment setting up the call context by
using anonymous access. A call executing under anonymous access will
receive an access denied error in every scenario except when the site
has been configured to allow CSOM and REST API calls from the
anonymous user.
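The decision sequence just described, as an added Python model that is not from the book or from SharePoint itself; the Call and CallContext records, the app_of_app_web parameter and the token's "trusted" flag are assumptions that stand in for SharePoint's internal types and for its real signature and issuer validation of OAuth and S2S tokens.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for SharePoint's internal request and context objects.
@dataclass
class Call:
    endpoint: str                          # "page", "csom" or "rest"
    targets_app_web: bool = False
    saml_user: Optional[str] = None        # user identity carried in a SAML token, if any
    access_token: Optional[dict] = None    # {"type": "oauth"|"s2s", "app": id, "user": id|None, "trusted": bool}

@dataclass
class CallContext:
    auth: str                              # "user", "internal", "external" or "anonymous"
    user: Optional[str] = None
    app: Optional[str] = None

class InvalidAccessToken(Exception):
    """Raised when the access token fails validation (simplified here to a trusted flag)."""

def build_call_context(call: Call, app_of_app_web: Optional[str] = None) -> CallContext:
    """Walk the Figure 2 decision sequence and return the resulting call context."""
    # Step 0: only CSOM and REST endpoints participate in app authentication;
    # page requests (host web or app web) always get standard user authentication.
    if call.endpoint not in ("csom", "rest"):
        return CallContext("user", user=call.saml_user)
    # Step 1: a SAML token is present -> user authentication, plus internal app
    # authentication when the call targets an app web.
    if call.saml_user is not None:
        if not call.targets_app_web:
            return CallContext("user", user=call.saml_user)
        return CallContext("internal", user=call.saml_user, app=app_of_app_web)
    # Step 2: an access token is present -> external authentication. The real
    # check verifies the OAuth/S2S token's signature and issuer; "trusted" stands in for it.
    if call.access_token is not None:
        tok = call.access_token
        if tok.get("type") not in ("oauth", "s2s") or not tok.get("trusted"):
            raise InvalidAccessToken(f"rejected {tok.get('type')!r} token")
        # App identity always comes from the token; user identity only if the token carries one.
        return CallContext("external", user=tok.get("user"), app=tok["app"])
    # Step 3: neither token -> anonymous access.
    return CallContext("anonymous")

def is_access_denied(ctx: CallContext, site_allows_anonymous_api: bool) -> bool:
    """Anonymous CSOM/REST calls fail unless the site explicitly allows them."""
    return ctx.auth == "anonymous" and not site_allows_anonymous_api
```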