SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePoint 2013

Aug 20, 2015

Technology

Eric Shupps
Transcript
Page 1: SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePoint 2013

Welcome to SharePoint Saturday Houston

• Please turn off all electronic devices or set them to vibrate
• If you must take a phone call, please do so in the hall so as not to disturb others
• Special thanks to our Title Sponsor, ProSymmetry

Thank you for being a part of the 5th Annual SharePoint Saturday for the greater Houston area!

Page 2

Thanks to all our Sponsors!

Page 3

Information

• Speaker presentation slides should be available from the SPSHOU website within a week or so
• The Houston SharePoint User Group will be having its next meeting Wednesday April 15th. Please join us at www.h-spug.org

Page 4

About Me

CKS:DEV
The SharePoint Cowboy
Patterns & Practices

Eric Shupps

www.sharepointcowboy.com [email protected] facebook.com/sharepointcowboy @eshupps

Page 5

Agenda

Introduction
Fundamentals
Application
Implementation

Page 6

INTRODUCTION

Page 7

What is OAuth?

• Open standard for app integration and authorization
• Authentication independent
• "Valet Key"
  – Access
  – Permissions

Page 8

What OAuth is NOT

Page 9

Why do we need it?

Page 10

Security

– HTTPS also supported (and preferred by many)

– Man in the Middle
– Private keys
– Session fixation
– Covert redirect

Page 11

Fundamentals

Page 12

Roles

Resource Owner: Grants access to a protected resource
Resource Server: Hosts the protected resource and accepts access requests
Client: Application making protected resource requests on behalf of the resource owner
Authorization Server: Issues access tokens

Page 13

Flow

Participants: Client, Resource Owner, Authorization Server, Resource Server

1. Authorization Request (Client → Resource Owner)
2. Authorization Grant (Resource Owner → Client)
3. Authorization Grant (Client → Authorization Server)
4. Access Token (Authorization Server → Client)
5. Access Token (Client → Resource Server)
6. Protected Resource (Resource Server → Client)

Page 14

Three Legged Authorization

Participants: User, App, Provider

1. User requests access
2. App requests Request Token
3. Provider returns Request Token
4. App builds authlink w/ Request Token
5. User requests URL + Request Token
6. Provider returns access token
7. User requests URL + Access Token
8. App validates access token
9. Access token validated
10. User granted access

Page 15

Two Legged Authorization

Participants: User, App, Provider

1. User requests access
2. App requests Access Token
3. Provider returns Access Token
4. App builds authlink w/ Access Token
5. User requests URL + Access Token
6. App validates access token
7. Access token validated
8. User granted access

Page 16

Implementation

Page 17

Overview

Page 18

Concepts

Identity Provider: Manages identity information for principals (STS)
Security Token Service: Handles requests for trusted identity claims
Identity Token Issuer: Identity provider associated with a web application
Security Token Issuer: Trusted resource (farm, server, etc.)
Metadata Endpoint: Resource information and signing certificate (JSON)
Request Token: Used to request permission to protected resource
Access Token: Used by App to access resource on behalf of user
Realm: Operation scope for authorization
Azure ACS: Cloud-based security token service (IP-STS)

Page 19

Scenarios

Page 20

Platforms

Page 21

Configuration - Certificates

Consumer
1. Export Root & STS Certificates
2. Copy Certificates
3. Import root certificate(s) and create trusted root authority

Provider
1. Export Root Certificate
2. Copy Certificates
3. Import STS Certificate
4. Create Trusted Security Token Issuer
5. Import root certificate(s) and create trusted root authority

Page 22

Configuration - Metadata

Consumer / Provider

• Create Trusted Root Authority
• Set Authentication Realm
• Create Trusted Security Token Issuer
• Create App Principals
• Create Trusted Root Authority
• Create Trusted Security Token Issuer
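The certificate and metadata steps of the two configuration slides above, written out as SharePoint 2013 Management Shell commands. This is an added example, not code from the deck or from the project it describes; farm URLs, file paths, display names and GUIDs are placeholders, and the assignment of steps to farms follows the Consumer and Provider columns of the certificate slide (the provider farm is the one that ends up trusting the consumer's STS).

```powershell
# Added example (not the deck's own code): slides 21-22 as SharePoint 2013 Management
# Shell commands. Farm URLs, file paths, names and GUIDs are placeholders; run each
# section on the farm named in its comment.

# ---- Consumer farm (the farm whose STS will sign tokens): export root and STS certificates ----
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export('Cert') | Set-Content -Path 'C:\certs\ConsumerRoot.cer' -Encoding Byte
$stsCert  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export('Cert')  | Set-Content -Path 'C:\certs\ConsumerSTS.cer'  -Encoding Byte
# Record this farm's realm; the provider needs it to name the issuer
Get-SPAuthenticationRealm   # a GUID such as the 2ae1caa2-... realm shown on slide 29

# ---- Provider farm: export its root certificate ----
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export('Cert') | Set-Content -Path 'C:\certs\ProviderRoot.cer' -Encoding Byte

# (copy the .cer files between the farms out of band; only public certificates move, never private keys)

# ---- Provider farm: import the consumer's certificates and trust its STS (slide 21, Provider column) ----
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$consumerRoot = New-Object $x509 -ArgumentList 'C:\certs\ConsumerRoot.cer'
New-SPTrustedRootAuthority -Name 'Consumer Farm Root' -Certificate $consumerRoot

$consumerSts   = New-Object $x509 -ArgumentList 'C:\certs\ConsumerSTS.cer'
$consumerRealm = '<consumer-realm-guid>'   # placeholder: the value Get-SPAuthenticationRealm printed on the consumer
# 00000003-0000-0ff1-ce00-000000000000 is the SharePoint principal ID seen in appctxsender on slide 29
New-SPTrustedSecurityTokenIssuer -Name 'Consumer Farm STS' -Certificate $consumerSts `
    -RegisteredIssuerName "00000003-0000-0ff1-ce00-000000000000@$consumerRealm" -IsTrustBroker

# ---- Consumer farm: trust the provider's root, then register the provider via its metadata endpoint (slide 22) ----
$providerRoot = New-Object $x509 -ArgumentList 'C:\certs\ProviderRoot.cer'
New-SPTrustedRootAuthority -Name 'Provider Farm Root' -Certificate $providerRoot
# The metadata endpoint publishes the provider's realm and signing certificate as JSON (slide 18, "Metadata Endpoint")
New-SPTrustedSecurityTokenIssuer -Name 'Provider Farm' -IsTrustBroker `
    -MetadataEndPoint 'https://provider.contoso.local/_layouts/15/metadata/json/1'   # placeholder URL

# ---- Realm and app principals (slide 22) ----
# Only change the realm if the farms must share one (as in the O365 trust on slide 27). Changing it
# invalidates issuer and app registrations made under the old realm, so do it before registering anything.
# Set-SPAuthenticationRealm -Realm '<shared-realm-guid>'

$web   = Get-SPWeb 'https://provider.contoso.local/sites/team'   # placeholder site
$realm = Get-SPAuthenticationRealm
$appId = '<client-id-guid>'                                       # placeholder client ID
$app   = Register-SPAppPrincipal -NameIdentifier "$appId@$realm" -Site $web -DisplayName 'Consumer App'
# Grant the least right the app needs; FullControl is rarely justified
Set-SPAppPrincipalPermission -Site $web -AppPrincipal $app -Scope Site -Right Read

# ---- Check: tokens and metadata should only travel over HTTPS (slide 10) ----
Get-SPSecurityTokenServiceConfig | Select-Object AllowOAuthOverHttp, AllowMetadataOverHttp   # both should be False
```

The two `New-SPTrustedSecurityTokenIssuer` forms are the certificate-based trust from the certificates slide and the metadata-based trust from the metadata slide; either is enough on its own for one direction of trust. The final `Select-Object` is the check worth keeping in a runbook: if either flag has been set to `True` for a lab, the tokens on slides 29 and 30 can travel in clear text.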

Page 23

Application

Page 24

SharePoint Authorization Process

Page 25

Context

On Premise
1. User browses to App
2. SP returns parameters
3. Browser POSTs parameters to App
4. App requests access token from SP
5. SP validates S2S trust
6. App establishes context

Online
1. User browses to app
2. SP gets request token from ACS
3. SP sends request tokens to browser
4. Browser POSTs request token to app
5. App requests access token from ACS
6. ACS provides access token
7. App establishes context

Page 26

Token Management

On Premise
1. Get request parameters
2. Get claims from Windows identity
3. Get access token with S2S
4. Establish client context

Online
1. Get POST parameters from SP
2. Parse out Context Token
3. Read and validate context token
4. Get access token
5. Get client context from SP with access token

Page 27

On-Premise ACS Trust via O365

Page 28

DEMO

SharePoint App Authorization Process

Page 29

Request Token

{
  "aud": "c7f21d1e-95df-41df-a2e0-a2e29ad2f62b/localhost:44305@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1398292956,
  "exp": 1398336156,
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "appctx": "{\"CacheKey\":\"082e7cPwbER/1hDi2XQ9knd0+yBxexLQr4NGa2/OeQ8=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
  "refreshtoken": "IAAAAL-NR6oQnFU49avbpq7mAhglyGqBvmT3YF8_DGO88fIAIXioxAllnYe0XHr-rb_RDk8X8iqc4gmcyBjpV8E-uVgRG9d6j-IvQQ8qtk2acNXaJ3JpuFKNRhAJoOGOep1i3XGi5jX3Z1u5MzyjmHv2VBGJFEhYtc99TGlZTDIFTqlJmDcxcMAjLZWnY5sMBr-B5IRvl5Cw6l2hvqolj3R2hJ9mPDpVQ4l0l-v28wK6OLi57wPpKAUWlbcRCxmC6oGggdkkF2OEoxujZvZSCCG05YQaS2Z1w_Gphgu5kcYfwVU27bAYfsq3TcA8W0sIt_lUxvD3Lg3mGLr_X5JoTw-t28g",
  "isbrowserhostedapp": "true"
}

Callouts:
aud: Client ID / App URL @ Tenant ID
iss: Azure ACS @ Tenant ID
nbf / exp: Start / End
appctxsender: SharePoint @ Tenant ID
CacheKey: User ID + Issuer + App + Realm
SecurityTokenServiceUri: IP-STS URL
isbrowserhostedapp: Browser or Event Receiver
refreshtoken: Token sent to IP-STS (Azure ACS)

Page 30

Access Token

{"typ":"JWT","alg":"RS256","x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}.{
  "aud": "00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1400013357,
  "exp": 1400056557,
  "nameid": "1003000086ad02d6",
  "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "identityprovider": "urn:federation:microsoftonline"
}

Callouts:
aud: SharePoint / Host Web @ Tenant ID
iss: Azure ACS @ Tenant ID
nbf / exp: Start / End
nameid: UPN
actor: STS ID @ Tenant ID
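Decoding the two tokens above by hand is the point of the next demo; as an added example (my code, not the deck's or the SharePoint SDK's), here is the decode plus the claim checks an app has to make in the "Read and validate context token" step of the Token Management slide. The sample token is constructed from the claim values on the Request Token slide with a placeholder signature; the helper names and the `-ExpectedAudience` parameter are this example's own.

```powershell
# Added example (not code from the deck): decode a SharePoint context/access token
# (a JWT, slides 29-30) and run the claim checks an app must do in its
# "Read and validate context token" step (slide 26). The sample token is constructed
# from the claim values on slide 29 with a placeholder signature.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments use the URL-safe alphabet and omit '=' padding; restore both before decoding
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Read-SPJwt {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected header.payload.signature, got $($parts.Count) segments" }
    [pscustomobject]@{
        Header    = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Claims    = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
        Signature = $parts[2]   # RS256 signature: verify it with the issuer's certificate (x5t) before trusting the claims
    }
}

function Test-SPTokenClaims {
    param(
        [Parameter(Mandatory)]$Claims,
        [Parameter(Mandatory)][string]$ExpectedRealm,      # tenant/realm GUID this app is registered in
        [Parameter(Mandatory)][string]$ExpectedAudience,   # "<clientId>/<appHost>@<realm>" from the app's own registration
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )
    $problems = @()
    # Issuer: Azure ACS is "00000001-0000-0000-c000-000000000000@<realm>" (slide 29, "iss")
    if ($Claims.iss -notlike "00000001-0000-0000-c000-000000000000@*") { $problems += "unexpected issuer principal '$($Claims.iss)'" }
    if ($Claims.iss.Split('@')[-1] -ne $ExpectedRealm) { $problems += "issuer realm is not '$ExpectedRealm'" }
    # Audience: a token minted for another client ID or host must be rejected even though it is validly signed
    if ($Claims.aud -ne $ExpectedAudience) { $problems += "audience '$($Claims.aud)' is not this app" }
    # Validity window (Unix seconds): nbf <= now < exp
    $nbf = [DateTimeOffset]::FromUnixTimeSeconds([long]$Claims.nbf)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$Claims.exp)
    if ($Now -lt $nbf) { $problems += "token not yet valid (nbf $nbf)" }
    if ($Now -ge $exp) { $problems += "token expired (exp $exp)" }
    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems; NotBefore = $nbf; Expires = $exp }
}

# --- Constructed sample: claim values from slide 29, placeholder CacheKey and signature ---
$realm  = '2ae1caa2-a173-4989-b8f5-9da45655b8f4'
$header = '{"typ":"JWT","alg":"RS256","x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}'
$claims = @{
    aud          = "c7f21d1e-95df-41df-a2e0-a2e29ad2f62b/localhost:44305@$realm"
    iss          = "00000001-0000-0000-c000-000000000000@$realm"
    nbf          = 1398292956
    exp          = 1398336156
    appctxsender = "00000003-0000-0ff1-ce00-000000000000@$realm"
    appctx       = '{"CacheKey":"<placeholder>","SecurityTokenServiceUri":"https://accounts.accesscontrol.windows.net/tokens/OAuth/2"}'
} | ConvertTo-Json -Compress
$token = (ConvertTo-Base64Url $header) + '.' + (ConvertTo-Base64Url $claims) + '.' + 'PLACEHOLDER-SIGNATURE'

$jwt = Read-SPJwt $token
"Signing certificate thumbprint (x5t): $($jwt.Header.x5t)"
# appctx is a JSON string nested inside the JSON: parse it to find the STS the refresh token goes to
$ctx = $jwt.Claims.appctx | ConvertFrom-Json
"Security token service: $($ctx.SecurityTokenServiceUri)"

$expectedAud = "c7f21d1e-95df-41df-a2e0-a2e29ad2f62b/localhost:44305@$realm"
# Inside the token's window the claims pass; at the real clock the same token is reported expired
Test-SPTokenClaims -Claims $jwt.Claims -ExpectedRealm $realm -ExpectedAudience $expectedAud -Now ([DateTimeOffset]::FromUnixTimeSeconds(1398300000))
Test-SPTokenClaims -Claims $jwt.Claims -ExpectedRealm $realm -ExpectedAudience $expectedAud
```

The decode alone proves nothing: everything in the payload is attacker-controllable until the RS256 signature is checked against the signing certificate the issuer publishes at its metadata endpoint, which is why the header carries the `x5t` thumbprint. The claim checks are what stop a genuine but mis-addressed token (another app's `aud`, a foreign realm in `iss`, or one outside its `nbf`/`exp` window) from being accepted.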

Page 31

DEMO

Decoding Authorization Tokens

Page 32

Resources

OAuth Working Group: http://oauth.net/
OAuth Resource Guide: http://bit.ly/14CWPNb
Authorization and authentication for apps in SharePoint 2013: http://bit.ly/16f8WFh
Setting up an OAuth trust between farms in SharePoint 2013: http://bit.ly/12Yr7e3
Plan for server-to-server authentication in SharePoint 2013: http://bit.ly/1chAgFl
What's new in authentication for SharePoint 2013: http://bit.ly/1e6KaYv
Creating High-Trust apps with S2S: http://bit.ly/18RL8uL
Using O365 to Authorize On-Premise Apps: http://bit.ly/1fvv1Bo
Demos: http://bit.ly/1z6gohH
Slides: http://bit.ly/1IUADUN