Authorization and Authentication in SharePoint for apps

In SharePoint 2010, the authentication to the site is based on Classic or Claims based or Anonymous Access but in SharePoint 2013, Microsoft come up with the new mode of Authentication called as OAuth.

The OAuth is the new buzz in the world of SharePoint App development.  Just to remember, OAuth is not the protocol for authenticating users to access SharePoint. It would still be done by Claims Authentication. The OAuth comes into picture when we want to authenticate and authorize SharePoint 2013 Apps.

I’ll start with some briefing on OAuth and the key concepts that we need to understand about OAuth. OAuth is the internet protocol for creating and managing app identity. It is also a cross-platform mechanism for authentication and authorizing apps. The OAuth is also the emerging internet standard which is used by Facebook, Twitter and Google.

OAuth gives the power and flexibility of having app identity in addition to the user identity. Here are the some pointers about App Identity

• App should be granted permissions independently of user permission
• App can request specific permission from the user during installation
• App can be granted more permission than the user (Elevation)
• App is constrained to what it can do during and after installation

Here are some important concepts around OAuth

1. Content Owner – User who grants permission to content in a site

2. Client App – This is the remote App (running on a Cloud or Hosted environment) that needs permission to Site Content. In our case it is SharePoint 2013 App

3. Content Server – The web server that serves the content to be accessed by App. In our case it is SharePoint 2013 Server (Cloud or On-Premise)

4. Authentication Server – Trusted server that authenticates apps and creates OAuth tokens. In our case it is Azure ACS server or OAuth compatible authentication server.

In case of SP sites, OAuth Process Flow is as follows

User Signs in SP 2013–>Security Token is generated by Identity Provider–>Token is validated & allows the user to Sign in SP sites.

OAuth is an open protocol for authorization. OAuth enables secure authorization from desktop and web applications in a simple and standard way. OAuth enables users to approve an application to act on their behalf without sharing their user name and password. For example, it enables users to share their private resources or data (contact list, documents, photos, videos and so on) that are stored on one site with another site, without users having to provide their credentials (typically user name and password).

OAuth enables users to authorize the service provider (in this case, SharePoint 2013) to provide tokens instead of credentials (for example, user name and password) to their data that is hosted by a given service provider (that is, SharePoint 2013). Each token grants access to a specific site (for example, a SharePoint document repository) for specific resources (for example, documents from a folder) and for a defined duration (for example, 30 minutes). This enables a user to grant a third-party site access to information that is stored with another service provider (in this case, SharePoint), without sharing their user name and password and without sharing all the data that they have on SharePoint.

When is using OAuth required?:
The OAuth protocol is used to authenticate and authorize apps and services. The OAuth protocol is used:

·         To authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user.

·         To authenticate apps in the Office Store, an app catalog, or a developer tenant.

Access Tokens:

 In SharePoint 2013, an OAuth STS is used only for issuing tokens (that is, server-to-server and context tokens). An OAuth STS is not used for issuing sign-in tokens, that is, they are not used as identity providers. So, you will not see an OAuth STS listed in the user sign-in page, the Authentication Provider section in Central Administration, or the people picker in SharePoint 2013.

·         But, SharePoint 2013 administrators can use Windows PowerShell commands to enable or disable an OAuth STS. SharePoint administrators are able to enable or disable OAuth for a given web application, similar to how they can enable or disable trusted login providers in SharePoint 2010.

·         SharePoint 2013 implements the OAuth protocol to allow apps that are running external to SharePoint to access protected SharePoint resources on behalf of a resource owner. In the SharePoint incoming implementation of the protocol, the OAuth roles are played by the following components:

·         External apps take on the role of the client.

·         SharePoint users take on the role of resource owner.

·         SharePoint 2013 takes on the role of the resource server.

·         ACS takes on the role of the authorization server.

The OAuth authentication and authorization flow for a SharePoint 2013 cloud-hosted app is shown below

 1.      A user types a URL in a browser to go to a SharePoint page where a particular app is installed. In this case, the app is a Contoso.com app and the user interface element on the SharePoint page comes from the Contoso.com app.

2. SharePoint processes the page and detects that there is a component from the Contoso.com app on the page. SharePoint must get a context token that it can send to the Contoso.com app. SharePoint asks ACS to create and sign a context token that contains context information (for example, the current user, what web is being rendered on SharePoint, and other context information) and an authorization code. This context token can be used later by Contoso.com to request an access token from ACS. The Contoso.com server can use the access token to talk back to SharePoint if the Contoso.com app wants to make a web service call to SharePoint later.

3. ACS returns the signed context token to SharePoint. The signed context token is signed with a client secret that only ACS and the Contoso.com app share.

4. SharePoint renders the page, including an IFRAME pointing to the app host server” in this case, Contoso.com. When SharePoint renders the page, it also passes the context token to the IFRAME.

5. The IFRAME causes the browser to request a page from the Contoso.com server. The context token is included in the browser request that is sent to the Contoso.com server.

6. The Contoso.com server gets the context token. Contoso.com validates the signature on the context token. The token is signed with an client secret that only Contoso.com and ACS share. Contoso.com can validate that the token is really intended for it and that it is not a random request from some random server. It knows that it is part of a SharePoint request.

7. If the Contoso.com server wants to talk back to SharePoint, there is a refresh token in the context token that Contoso.com can extract, so that it can include that information in the request to ACS for an access token. Contoso.com uses the refresh token that it extracted from the context token, the context token that it got from SharePoint, and its credentials (which are its client Id value and its client secret value) to request an access token from ACS so that it can talk back to SharePoint.

8. ACS returns an access token to the Contoso.com server. Contoso.com can cache this access token. That way, the Contoso.com server doesn’t have to ask ACS for an access token every time that it talks back to SharePoint. (Or, Contoso.com can make an access token request every time and not cache the access token.) By default, access tokens are good for a few hours at a time. Each access token is specific to the user account that is specified in the original request for authorization, and grants access only to the services that are specified in that request. Your app should store the access token securely, because it is required for all access to a user’s data.

9. Contoso.com can use the access token to make a web service call or CSOM request to SharePoint, passing the OAuth access token in the HTTP Authorization header.

10. SharePoint returns the information that Contoso.com requested to Contoso.com. The Contoso.com app renders the IFRAME contents as a per-user request in step 1. This completes the OAuth transaction process. The user now sees the SharePoint page fully rendered.

Typical App Usage Scenario :

User Sign-in to SharePoint 2013 and is authenticated àUser then uses either Office Store (SharePoint Apps Marketplace) or Catalogue App (On Premises) à The user grant permission to the App to access SharePoint resources on behalf of User à A SharePoint site has an app launch à When user launches an app, SharePoint 2013 posts a context token to the app à The app then give call back to SharePoint 2013 to access SharePoint resources on behalf of the user by using the access token

What is Context Token -? : When SharePoint identifies that an App requires an access to SharePoint resources, SharePoint must get a Context Token from ACS (Identity Provider) and send the context token to the app

What is Access Token -?: If app want to talk to SharePoint /make a web service call then app need Access token. App uses context token to request the access token. ACS returns the access token to app which can be cached by the app that way App doesn’t need to ask for the access token every time it talks back to SharePoint. By default access tokens are good for few hours at a time. Each access token is specific to the users account

What is Refresh Token? : If app want to talk back to SharePoint there is a Refresh token is inside the Context token which can be used to request an access by the app. By default refresh tokens are good for one year. So the same refresh token can be redeemed for new access token from ACS for about a year.

Apps can be authenticated in multiple ways :

1)    When a call is made to App Web the call is attributed to the app web along with authenticated user (This is not a case for OAuth Call)

2)    If it is an OAuth call then SharePoint uses Windows Azure Control Service (ACS) as an app identity provider

Authorization remains consistent across all apps. Authorization verifies if the app or the user acting on behalf of App (We can call it as a Subject) has permission to perform certain actions or if the Subject has an access to the resource

Hope this help someone Cheers... J