Authorization and authentication for apps in SharePoint 2013
OAuth in SharePoint 2013
In SharePoint 2010, authentication to a site is based on Classic mode, Claims-based mode, or Anonymous Access. In SharePoint 2013, Microsoft introduced a new authentication mode called OAuth.
For SharePoint sites, the OAuth process flow is as follows:
1. The user signs in to SharePoint 2013 -> a security token is generated by the identity provider -> the token is validated and the user is allowed to sign in to SharePoint sites.
OAuth is an open protocol for authorization. OAuth enables secure authorization from desktop and web applications in a simple and standard way. OAuth enables users to approve an application to act on their behalf without sharing their user name and password. For example, it enables users to share their private resources or data (contact list, documents, photos, videos and so on) that are stored on one site with another site, without users having to provide their credentials (typically user name and password).
OAuth enables users to authorize the service provider (in this case, SharePoint 2013) to provide tokens instead of credentials (for example, user name and password) to their data that is hosted by a given service provider (that is, SharePoint 2013). Each token grants access to a specific site (for example, a SharePoint document repository) for specific resources (for example, documents from a folder) and for a defined duration (for example, 30 minutes). This enables a user to grant a third-party site access to information that is stored with another service provider (in this case, SharePoint), without sharing their user name and password and without sharing all the data that they have on SharePoint.
For app authentication, SharePoint 2013 uses the Windows Azure Access Control Service (ACS) as the app identity provider.
2. When is using OAuth required?
The OAuth protocol is used to authenticate and authorize apps and services. The OAuth protocol is used:
- To authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user.
- To authenticate apps in the Office Store, an app catalog, or a developer tenant.
3. Access Tokens
In SharePoint 2013, an OAuth STS is used only for issuing tokens (that is, server-to-server and context tokens). An OAuth STS is not used for issuing sign-in tokens, that is, they are not used as identity providers. So, you will not see an OAuth STS listed in the user sign-in page, the Authentication Provider section in Central Administration, or the people picker in SharePoint 2013.
SharePoint 2013 administrators can, however, use Windows PowerShell commands to enable or disable an OAuth STS. SharePoint administrators are able to enable or disable OAuth for a given web application, similar to how they can enable or disable trusted login providers in SharePoint 2010.
SharePoint 2013 implements the OAuth protocol to allow apps that are running external to SharePoint to access protected SharePoint resources on behalf of a resource owner. In SharePoint's implementation of the protocol for incoming requests, the OAuth roles are played by the following components:
- External apps take on the role of the client.
- SharePoint users take on the role of the resource owner.
- SharePoint 2013 takes on the role of the resource server.
- ACS takes on the role of the authorization server.
An app for SharePoint requests permissions to access SharePoint resources by doing the following:
- An app for SharePoint requests the permissions that it needs during installation from the user who is installing it.
- The developer of an app must request, through the app manifest file, the permissions an app needs.
5. For an app to be granted the permissions it requested, the following conditions must be fulfilled:
- An app must be granted permissions by the user who is installing it.
- Users can grant only the permissions that they have; the user installing the app must be able to grant all permissions required by the app, or app installation fails.
6. An app is granted the permissions it asked for when:
- An app is installed by a website administrator.
- An app is explicitly granted permission by a tenant administrator or website administrator.
- An end user gives consent.
In the app manifest file, an app requests access to specific scopes (that is, locations on SharePoint 2013). An app for SharePoint uses a permission request to specify the permissions that it needs to function correctly. The permission requests specify both the rights that an app needs and the scope at which they need the rights. In short:
- An app uses permission request scopes to specify the permissions that it needs.
- The requests specify both the rights and the scope that the app needs.
Scopes indicate where in the SharePoint hierarchy a permission request applies. SharePoint supports four different content scopes: site collection, website, list, and tenancy. There are also feature scopes for performing search queries, accessing taxonomy data, social features, Microsoft Business Connectivity Services (BCS) features, and Project Server 2013 features.
7. Steps in the SharePoint 2013 OAuth flow
The OAuth authentication and authorization flow for a SharePoint 2013 cloud-hosted app is shown in Figure 1.
1. A user types a URL in a browser to go to a SharePoint page where a particular app is installed. In this case, the app is a Contoso.com app and the user interface element on the SharePoint page comes from the Contoso.com app.
2. SharePoint processes the page and detects that there is a component from the Contoso.com app on the page. SharePoint must get a context token that it can send to the Contoso.com app. SharePoint asks ACS to create and sign a context token that contains context information (for example, the current user, what web is being rendered on SharePoint, and other context information) and an authorization code. This context token can be used later by Contoso.com to request an access token from ACS. The Contoso.com server can use the access token to talk back to SharePoint if the Contoso.com app wants to make a web service call to SharePoint later.
3. ACS returns the signed context token to SharePoint. The context token is signed with a client secret that only ACS and the Contoso.com app share.
4. SharePoint renders the page, including an IFRAME pointing to the app host server (in this case, Contoso.com). When SharePoint renders the page, it also passes the context token to the IFRAME.
5. The IFRAME causes the browser to request a page from the Contoso.com server. The context token is included in the browser request that is sent to the Contoso.com server.
6. The Contoso.com server gets the context token and validates its signature. The token is signed with a client secret that only Contoso.com and ACS share, so Contoso.com can confirm that the token is really intended for it and is not a random request from some arbitrary server: it knows the request is part of a SharePoint request.
7. If the Contoso.com server wants to talk back to SharePoint, there is a refresh token in the context token that Contoso.com can extract, so that it can include that information in the request to ACS for an access token. Contoso.com uses the refresh token that it extracted from the context token, the context token that it got from SharePoint, and its credentials (which are its client Id value and its client secret value) to request an access token from ACS so that it can talk back to SharePoint.
8. ACS returns an access token to the Contoso.com server. Contoso.com can cache this access token. That way, the Contoso.com server doesn’t have to ask ACS for an access token every time that it talks back to SharePoint. (Or, Contoso.com can make an access token request every time and not cache the access token.) By default, access tokens are good for a few hours at a time. Each access token is specific to the user account that is specified in the original request for authorization, and grants access only to the services that are specified in that request. Your app should store the access token securely, because it is required for all access to a user’s data.
9. Contoso.com can use the access token to make a web service call or CSOM request to SharePoint, passing the OAuth access token in the HTTP Authorization header.
10. SharePoint returns the information that Contoso.com requested. The Contoso.com app renders the IFRAME contents for the user request from step 1. This completes the OAuth transaction; the user now sees the SharePoint page fully rendered.
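To make the key-handling in steps 2 to 10 concrete, here is an added simulation of the exchange. It is not Microsoft's TokenHelper code or any real ACS endpoint: a toy ACS, a toy app server (Contoso.com above) and a toy SharePoint are modelled as plain functions, each holding only the keys the steps say it holds. The context token is signed with the client secret shared by ACS and the app, while the access token is signed with a separate ACS key that SharePoint trusts. All identifiers, hostnames and claim names are constructed and simplified; the real ACS claim layout differs.

```python
"""Simulated SharePoint 2013 context-token / access-token exchange (constructed example).

Toy ACS, toy app server (Contoso.com in the article) and toy SharePoint, each
holding only the keys the article's steps say it holds. Claim names are simplified.
"""
import base64
import hashlib
import hmac
import json

# Constructed values (a real app gets its client id/secret from app registration).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = b"constructed-secret-shared-by-ACS-and-the-app-only"
ACS_SIGNING_KEY = b"constructed-ACS-signing-key-trusted-by-SharePoint"
SHAREPOINT_HOST = "sharepoint.example.test"
ACS_ISSUER = "acs.example.test"
APP_AUDIENCE = f"{CLIENT_ID}/{SHAREPOINT_HOST}"

# ACS-side record of refresh tokens it embedded in context tokens: token -> user
_ISSUED_REFRESH_TOKENS: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; only a holder of `key` could have produced the signature."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, expected_aud: str, now: int) -> dict:
    """Accept a token only if signature, audience and validity window all check out."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature: not minted with the expected key")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != expected_aud:
        raise ValueError(f"token audience {claims.get('aud')!r} is not this server")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token outside its validity window")
    return claims


def acs_issue_context_token(user: str, web_url: str, now: int) -> str:
    """Steps 2-3: ACS signs a context token (user, web, refresh token) with the client secret."""
    refresh = "rt-" + hashlib.sha256(f"{user}|{now}".encode()).hexdigest()[:16]
    _ISSUED_REFRESH_TOKENS[refresh] = user
    claims = {"aud": APP_AUDIENCE, "iss": ACS_ISSUER, "nbf": now, "exp": now + 12 * 3600,
              "user": user, "web": web_url, "refreshtoken": refresh}
    return sign_token(claims, CLIENT_SECRET)


def app_handle_context_token(context_token: str, now: int) -> dict:
    """Steps 6-7: the app validates the token and extracts what it needs to call ACS."""
    claims = verify_token(context_token, CLIENT_SECRET, APP_AUDIENCE, now)
    return {"user": claims["user"], "web": claims["web"], "refresh_token": claims["refreshtoken"]}


def acs_issue_access_token(refresh_token: str, client_id: str, client_secret: bytes, now: int) -> str:
    """Steps 7-8: ACS checks the app's credentials and the refresh token, then issues an access token."""
    if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
        raise PermissionError("client credentials rejected")
    user = _ISSUED_REFRESH_TOKENS.get(refresh_token)
    if user is None:
        raise PermissionError("unknown refresh token")
    claims = {"aud": SHAREPOINT_HOST, "iss": ACS_ISSUER, "nbf": now, "exp": now + 2 * 3600,
              "user": user, "actor": client_id}
    return sign_token(claims, ACS_SIGNING_KEY)


def sharepoint_handle_call(authorization_header: str, now: int) -> dict:
    """Steps 9-10: SharePoint validates the bearer token with the ACS key and answers for that user."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("expected a Bearer token")
    claims = verify_token(token, ACS_SIGNING_KEY, SHAREPOINT_HOST, now)
    return {"served_user": claims["user"], "served_app": claims["actor"]}


def run_flow(user: str, web_url: str, now: int) -> dict:
    """End-to-end: context token -> app validation -> access token -> SharePoint call."""
    context_token = acs_issue_context_token(user, web_url, now)       # SharePoint -> IFRAME -> app
    ctx = app_handle_context_token(context_token, now)                # app validates, extracts refresh token
    access_token = acs_issue_access_token(ctx["refresh_token"], CLIENT_ID, CLIENT_SECRET, now)
    return sharepoint_handle_call(f"Bearer {access_token}", now)     # CSOM / REST call with the token


if __name__ == "__main__":
    print(run_flow("alice@example.test", "https://sharepoint.example.test/sites/demo", 1_700_000_000))
```

The point the simulation makes is the one in step 6: the app must reject a context token whose signature does not verify under the shared client secret, whose audience names another app or host, or whose validity window has passed, and SharePoint applies the same three checks to the access token with a different key. Step 8's caching advice follows from the access token's lifetime: the cached token stays usable only until its `exp` claim.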