In SharePoint 2010, the authentication to the site is based on
Classic or Claims based or Anonymous Access but in SharePoint 2013, Microsoft
come up with the new mode of Authentication called as OAuth.
The OAuth is the new buzz in the world of SharePoint App
development. Just to remember, OAuth is not the protocol for
authenticating users to access SharePoint. It would still be done by Claims
Authentication. The OAuth comes into picture when we want to authenticate and
authorize SharePoint 2013 Apps.
I’ll start with some briefing on OAuth and the key concepts that
we need to understand about OAuth. OAuth is the internet protocol for creating
and managing app identity. It is also a cross-platform mechanism for
authentication and authorizing apps. The OAuth is also the emerging internet
standard which is used by Facebook, Twitter and Google.
OAuth gives the power and flexibility of having app identity in
addition to the user identity. Here are the some pointers about App Identity
- App
should be granted permissions independently of user permission
- App
can request specific permission from the user during installation
- App
can be granted more permission than the user (Elevation)
- App
is constrained to what it can do during and after installation
Here are some important concepts
around OAuth
1. Content Owner – User who grants
permission to content in a site
2. Client App – This is the remote
App (running on a Cloud or Hosted environment) that needs permission to Site Content.
In our case it is SharePoint 2013 App
3. Content Server – The web server
that serves the content to be accessed by App. In our case it is SharePoint
2013 Server (Cloud or On-Premise)
4. Authentication Server – Trusted
server that authenticates apps and creates OAuth tokens. In our case it is
Azure ACS server or OAuth compatible authentication server.
In case of SP sites, OAuth Process
Flow is as follows
User
Signs in SP 2013–>Security Token is generated by Identity Provider–>Token
is validated & allows the user to Sign in SP sites.
OAuth
is an open protocol for authorization. OAuth enables secure authorization from
desktop and web applications in a simple and standard way. OAuth enables users
to approve an application to act on their behalf without sharing their user
name and password. For example, it enables users to share their private
resources or data (contact list, documents, photos, videos and so on) that are
stored on one site with another site, without users having to provide their
credentials (typically user name and password).
OAuth
enables users to authorize the service provider (in this case, SharePoint 2013)
to provide tokens instead of credentials (for example, user name and password)
to their data that is hosted by a given service provider (that is, SharePoint
2013). Each token grants access to a specific site (for example, a SharePoint
document repository) for specific resources (for example, documents from a
folder) and for a defined duration (for example, 30 minutes). This enables a
user to grant a third-party site access to information that is stored with
another service provider (in this case, SharePoint), without sharing their user
name and password and without sharing all the data that they have on
SharePoint.
When is using OAuth required?:
The OAuth protocol is used to authenticate and authorize apps and services. The OAuth protocol is used:
The OAuth protocol is used to authenticate and authorize apps and services. The OAuth protocol is used:
·
To authorize requests by an app for
SharePoint to access SharePoint resources on behalf of a user.
·
To authenticate apps in the Office
Store, an app catalog, or a developer tenant.
Access
Tokens:
In SharePoint 2013, an OAuth STS is used only for issuing
tokens (that is, server-to-server and context tokens). An OAuth STS is not used
for issuing sign-in tokens, that is, they are not used as identity providers.
So, you will not see an OAuth STS listed in the user sign-in page, the
Authentication Provider section in Central Administration, or the people picker
in SharePoint 2013.
·
But, SharePoint 2013 administrators
can use Windows PowerShell commands to enable or disable an OAuth STS.
SharePoint administrators are able to enable or disable OAuth for a given web
application, similar to how they can enable or disable trusted login providers
in SharePoint 2010.
·
SharePoint 2013 implements the
OAuth protocol to allow apps that are running external to SharePoint to access
protected SharePoint resources on behalf of a resource owner. In the SharePoint
incoming implementation of the protocol, the OAuth roles are played by the
following components:
·
External apps take on the role of
the client.
·
SharePoint users take on the role
of resource owner.
·
SharePoint 2013 takes on the role
of the resource server.
·
ACS takes on the role of the
authorization server.
The OAuth authentication and
authorization flow for a SharePoint 2013 cloud-hosted app is shown below
2. SharePoint
processes the page and detects that there is a component from the Contoso.com
app on the page. SharePoint must get a context token that it can send to the
Contoso.com app. SharePoint asks ACS to create and sign a context token that
contains context information (for example, the current user, what web is being
rendered on SharePoint, and other context information) and an authorization
code. This context token can be used later by Contoso.com to request an access
token from ACS. The Contoso.com server can use the access token to talk back to
SharePoint if the Contoso.com app wants to make a web service call to
SharePoint later.
3. ACS
returns the signed context token to SharePoint. The signed context token is
signed with a client secret that only ACS and the Contoso.com app share.
4. SharePoint
renders the page, including an IFRAME pointing to the app host server in this
case, Contoso.com. When SharePoint renders the page, it also passes the context
token to the IFRAME.
5. The
IFRAME causes the browser to request a page from the Contoso.com server. The
context token is included in the browser request that is sent to the
Contoso.com server.
6. The
Contoso.com server gets the context token. Contoso.com validates the signature
on the context token. The token is signed with an client secret that only
Contoso.com and ACS share. Contoso.com can validate that the token is really
intended for it and that it is not a random request from some random server. It
knows that it is part of a SharePoint request.
7. If
the Contoso.com server wants to talk back to SharePoint, there is a refresh
token in the context token that Contoso.com can extract, so that it can include
that information in the request to ACS for an access token. Contoso.com uses
the refresh token that it extracted from the context token, the context token
that it got from SharePoint, and its credentials (which are its client Id value
and its client secret value) to request an access token from ACS so that it can
talk back to SharePoint.
8. ACS
returns an access token to the Contoso.com server. Contoso.com can cache this
access token. That way, the Contoso.com server doesn’t have to ask ACS for an
access token every time that it talks back to SharePoint. (Or, Contoso.com can
make an access token request every time and not cache the access token.) By
default, access tokens are good for a few hours at a time. Each access token is
specific to the user account that is specified in the original request for
authorization, and grants access only to the services that are specified in
that request. Your app should store the access token securely, because it is
required for all access to a user’s data.
9. Contoso.com
can use the access token to make a web service call or CSOM request to
SharePoint, passing the OAuth access token in the HTTP Authorization header.
10. SharePoint
returns the information that Contoso.com requested to Contoso.com. The
Contoso.com app renders the IFRAME contents as a per-user request in step 1.
This completes the OAuth transaction process. The user now sees the SharePoint
page fully rendered.
Typical App Usage Scenario :
User
Sign-in to SharePoint 2013 and is authenticated àUser then uses either Office
Store (SharePoint Apps Marketplace) or Catalogue App (On Premises) à The user
grant permission to the App to access SharePoint resources on behalf of User à
A SharePoint site has an app launch à When user launches an app, SharePoint
2013 posts a context token to the app à The app then give call back to
SharePoint 2013 to access SharePoint resources on behalf of the user by using
the access token
What is Context Token -? : When
SharePoint identifies that an App requires an access to SharePoint resources,
SharePoint must get a Context Token from ACS (Identity Provider) and send the context
token to the app
What is Access Token -?: If
app want to talk to SharePoint /make a web service call then app need Access
token. App uses context token to request the access token. ACS returns the
access token to app which can be cached by the app that way App doesn’t need to
ask for the access token every time it talks back to SharePoint. By default
access tokens are good for few hours at a time. Each access token is specific
to the users account
What is Refresh Token? : If
app want to talk back to SharePoint there is a Refresh token is inside the
Context token which can be used to request an access by the app. By default
refresh tokens are good for one year. So the same refresh token can be redeemed
for new access token from ACS for about a year.
Apps can be authenticated in
multiple ways :
1) When a call is
made to App Web the call is attributed to the app web along with authenticated
user (This is not a case for OAuth Call)
2) If it is an
OAuth call then SharePoint uses Windows Azure Control Service (ACS) as an app
identity provider
Authorization remains consistent
across all apps. Authorization verifies if the app or the user acting on behalf
of App (We can call it as a Subject) has permission to perform certain actions
or if the Subject has an access to the resource
Hope this help someone Cheers... J