Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authorize your Apps! - OAuth in SharePoint 2013

Daniel Lindemann
September 25, 2014
Programming
0
1.7k

Authorize your Apps! - OAuth in SharePoint 2013

Daniel Lindemann

September 25, 2014
Tweet

More Decks by Daniel Lindemann

See All by Daniel Lindemann
Meistern des Inner Dev Loop für .NET-Containerapplikationen
daniellindemann
0
21
Entwickler-Experience in einer containerisierten Applikationswelt
daniellindemann
0
11
Global Microsoft 365 Developer Bootcamp 2019 - SharePoint Framework - Berlin
daniellindemann
0
27
Ab auf's Boot - Container und Kubernetes in Azure
daniellindemann
0
18
SPFx Hands-on | Global Office 365 Developer Bootcamp Berlin/Saarbrücken
daniellindemann
0
46
SharePoint meets JavaScript v2
daniellindemann
0
2.2k
SharePoint meets Javascript
daniellindemann
0
1.8k
OAuth und die Office 365 API
daniellindemann
0
2.2k
SharePoint Hosting - Ist die Cloud schon geeignet dafür?
daniellindemann
0
2.7k

Other Decks in Programming

See All in Programming
ヘッドレスCMSのリッチエディタを支えるヘッドレス○○
microcms
1
180
デプロイ今昔物語 〜CGIからサーバーレスまで〜 / The deployment technics
mackee
9
4k
面倒なのは嫌なのでコンテナのマネージドサービスの極振りしたいと思います。
n1215
PRO
1
140
一緒にスクラム開発___GPT-4と人間が共創するプロダクトの進化.pdf
itohiro73
5
5.8k
Réinventer le composant Console de Symfony
chalasr
3
530
PHPで任意精度演算を行って「正しい」金額計算をする方法 / Perform arbitrary precision arithmetic in PHP to achieve "accurate" monetary calculations
hiro_y
1
260
新しいことに挑戦したい組織が考えるべきこと
headwaters
0
150
\ 祝!/AWS 大阪リージョン 2 周年の歩み
track3jyo
PRO
0
160
ngrokを使ったLINE Bot開発を超快適にする「linegrok」のご紹介
miso
0
110
PHPerKaigi2023|技術負債とプロジェクトと私たち(technical debt&project&us)
weddingpark
0
160
AWS移行を通して得られた知見と教訓
mthiroshi00excite
0
270
PHP8によるデザインパターン入門 / Introduction to Design Patterns with PHP8
fendo181
1
250

Featured

See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
13
2k
KATA
mclloyd
12
10k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
11
1.4k
Documentation Writing (for coders)
carmenintech
51
3k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
15
1.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
No one is an island. Learnings from fostering a developers community.
thoeni
12
1.6k
Building Flexible Design Systems
yeseniaperezcruz
314
35k
Testing 201, or: Great Expectations
jmmastey
25
5.8k
Debugging Ruby Performance
tmm1
67
11k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.2k

Transcript

  1. Daniel Lindemann | ITaCS GmbH
    Authorize your Apps!
    OAuth in SharePoint 2013

    View Slide

  2. Über mich
    Senior SharePoint Developer
    @ITaCS GmbH
    [email protected]
    www.itacs.de
    www.dlindemann.de/blog
    @daniellindemann
    Daniel Lindemann

    View Slide

  3. Agenda
    OAuth Allgemein
    OAuth in SharePoint
    Zusammenfassung / Fazit

    View Slide

  4. View Slide

  5. Zugriff einer Anwendung
    Oldschool
    Mails lesen,
    Mails schreiben,
    Mails löschen,
    Kalendereinträge lesen,
    Kalendereinträge bearbeiten,
    Kalendereinträge löschen,

    Mails lesen,
    Mails schreiben,
    Mails löschen,
    Kalendereinträge lesen,
    Kalendereinträge bearbeiten,
    Kalendereinträge löschen,

    View Slide

  6. Probleme
    Passwort wird an Drittanbieter
    herausgegeben
    Drittanbieter Applikation hat Zugriff auf alle
    Daten
    Drittanbieter muss Passwörter speichern
    Ändert der Benutzer sein Passwort hat der
    Drittanbieter keinen Zugriff mehr

    View Slide

  7. “Passwords are not confetti.
    Please stop throwing them around.
    (Especially if they’re not yours.)”
    Chris Messina – Mitbegründer OAuth-Protokoll

    View Slide

  8. Was ändert sich
    Passwörter werden durch Tokens ersetzt
    Tokens sind verschlüsselte Zeichenketten, die Zugriff auf eine API gewähren
    Zugriff steuerbar
    Es lässt sich festlegen auf welchen Teil einer API zugegriffen wird
    Client und Resource Server müssen sich
    vertrauen
    Selbe Ticketausstellungs-Stelle (Issuer)

    View Slide

  9. Applikation registrieren
    Client ID und Client Secret

    View Slide

  10. Rollen
    Resource Owner
    Authorization
    Server
    Resource Server Client

    View Slide

  11. Tokens
    Authorization
    Token
    Access
    Token
    Refresh
    Token

    View Slide

  12. Scopes
    Beschreiben welche Daten der Consumer
    abrufen darf
    Wird beim Anfordern des Authorization
    Tokens definiert
    Beispiel:
    https://myservice.de/oauth/2/get_authorizationCode?client_id=123&response_type=cod
    e&scope=Profile.Read,News.Edit&redirect_uri=https%3A%2F%2Fmyservice.de%2Fapp_au
    thorized

    View Slide

  13. View Slide

  14. Zugriff einer Anwendung
    mit OAuth
    Mails lesen,
    Mails schreiben,
    Mails löschen,
    Kalendereinträge lesen,
    Kalendereinträge bearbeiten,
    Kalendereinträge löschen,

    Kalendereinträge lesen,
    Kalendereinträge bearbeiten,
    Kalendereinträge löschen

    View Slide

  15. View Slide

  16. DEMO
    Manuelles Registrieren einer SharePoint-App
    in SharePoint Online

    View Slide

  17. SharePoint implementiert OAuth genau wie
    in der Spezifikation beschrieben
    http://tools.ietf.org/html/rfc6749#page-24

    View Slide

  18. TokenHelper.cs und SharePointContext.cs

    View Slide

  19. Rollen in SharePoint
    Resource Owner
    Authorization
    Server
    Resource Server Client

    View Slide

  20. Rollen in SharePoint
    Browser / User
    STS / ACS
    SharePoint App

    View Slide

  21. App-Berechtigungen in
    SharePoint
    App-Berechtigungen werden in der
    AppManifest.xml konfiguriert
    Berechtigungserteilung bei Installtion
    Aufbau eines PermissionRequest
    Scope=http://sharepoint/content/sitecollection/web” Right="Manage" />
    Produkt Permission
    Provider
    Objekt Berechtigung

    View Slide

  22. SharePoint Scopes
    Scope URI Scope Alias Available Rights
    http://sharepoint/content/sitecollection Site Read, Write, Manage
    http://sharepoint/content/sitecollection/web Web Read, Write, Manage
    http://sharepoint/content/sitecollection/web/list List Read, Write, Manage
    http://sharepoint/content/tenant AllSites Read, Write, Manage
    http://sharepoint/bcs/connection None (currently not supported) Read
    http://sharepoint/search Search QueryAsUserIgnoreAppPrincipal
    http://sharepoint/projectserver ProjectAdmin Manage
    http://sharepoint/projectserver/projects Projects Read, Write
    http://sharepoint/projectserver/projects/project Project Read, Write
    http://sharepoint/projectserver/enterpriseresources ProjectResources Read, Write
    http://sharepoint/projectserver/statusing ProjectStatusing SubmitStatus
    http://sharepoint/projectserver/reporting ProjectReporting Read
    http://sharepoint/projectserver/workflow ProjectWorkflow Elevate
    http://sharepoint/social/tenant AllProfiles Read, Write, Manage
    http://sharepoint/social/core Social Read, Write, Manage
    http://sharepoint/social/microfeed Microfeed Read, Write, Manage
    http://sharepoint/taxonomy TermStore Read, Write

    View Slide

  23. Benutzer-Berechtigungen werden durch
    Benutzung einer App nicht heraufgestuft.

    View Slide

  24. DEMO
    Benutzer-Berechtigung

    View Slide

  25. SharePoint App OAuth Flow
    1. Start App
    4. App Redirect (mit Token)
    8. Request mit Access Token
    9. Daten von SharePoint
    2. Anfrage
    Context Token
    3. Erhalt
    Context Token
    (signiert)
    5. Anfrage zur App-Startseite mit Context Token
    10. App-Startseite mit Content und SharePoint Daten
    7. Access Token
    6. Refresh Token

    View Slide

  26. Context Token
    {"typ":"JWT", "alg":"none"}.{
    "aud":"0794723a-ca7f-42b3-af6f-c424a222f02b/localhost:[email protected]",
    "iss":"[email protected]579d2696d",
    "nbf":"1411411418",
    "exp":"1411454618",
    "appctxsender":"[email protected]579d2696d",
    "appctx":"{
    \"CacheKey\":\"QTJ+bUnrMnsmsRCLh613QhpixdDTZY5WvqNWD9WtIUM=\",
    \"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"
    }",
    "refreshtoken":"IAAAAO_y8wP5-
    onrc5xvPfEU9NT6393L1CZVYTcP5wccQAdtKk1npcQmQUG7eZ4OqknbI0PEacfwwaBFx7yF6L1nVGz408Zerh4v0
    847lw_9AX5XP7TU-LYYjrYHWHU-XiAIvyDdV-
    ZD30_5wev1fZwGAFAXein6BSVGgguyDbqvYOinESsHTfE5JC13vEdZ5JyPywWnwTxsNXAJIdlLB4ByEHEmbLbG1w
    QHLymSw09YQjUqN5fXsDe2w4GA3DbgfoitYPEvXHsxeQZ2DrmW2T4PomExTltG6H58VlKEdoDCq4wB0Xq2q9
    CWkrIRI7qhCtJoHRgRXj1GYfQBwaTcC7wyTPg",
    "isbrowserhostedapp":"true"
    }

    View Slide

  27. Context Token
    {"typ":"JWT", "alg":"none"}.{
    "aud":"0794723a-ca7f-42b3-af6f-c424a222f02b/localhost:[email protected]",
    "iss":"[email protected]579d2696d",
    "nbf":"1411411418",
    "exp":"1411454618",
    "appctxsender":"[email protected]579d2696d",
    "appctx":"{
    \"CacheKey\":\"QTJ+bUnrMnsmsRCLh613QhpixdDTZY5WvqNWD9WtIUM=\",
    \"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"
    }",
    "refreshtoken":"IAAAAO_y8wP5-
    onrc5xvPfEU9NT6393L1CZVYTcP5wccQAdtKk1npcQmQUG7eZ4OqknbI0PEacfwwaBFx7yF6L1nVGz408Zerh4v0
    847lw_9AX5XP7TU-LYYjrYHWHU-XiAIvyDdV-
    ZD30_5wev1fZwGAFAXein6BSVGgguyDbqvYOinESsHTfE5JC13vEdZ5JyPywWnwTxsNXAJIdlLB4ByEHEmbLbG1w
    QHLymSw09YQjUqN5fXsDe2w4GA3DbgfoitYPEvXHsxeQZ2DrmW2T4PomExTltG6H58VlKEdoDCq4wB0Xq2q9
    CWkrIRI7qhCtJoHRgRXj1GYfQBwaTcC7wyTPg",
    "isbrowserhostedapp":"true"
    }
    Client ID App URL Tenant ID
    Azure ACS Tenant ID
    Start
    Ende
    User ID + Issuer + App + Realm
    Tenant ID
    SharePoint
    STS URL
    Refresh Token

    View Slide

  28. Access Token
    {
    "typ":"JWT",
    "alg":"RS256",
    "x5t":"kriMPdmBvx68skT8-mPAB3BseeA"
    }.{
    "aud":"00000003-0000-0ff1-ce00-000000000000/dlindemann.sharepoint.com
    @3eef8910-0332-4feb-9436-8c4579d2696d",
    "iss":"[email protected]579d2696d",
    "nbf":1411414034,
    "exp":1411457234,
    "nameid":"1003000080fd1db2",
    "actor":"[email protected]579d2696d",
    "identityprovider":"urn:federation:microsoftonline"
    }

    View Slide

  29. Access Token
    {
    "typ":"JWT",
    "alg":"RS256",
    "x5t":"kriMPdmBvx68skT8-mPAB3BseeA"
    }.{
    "aud":"00000003-0000-0ff1-ce00-000000000000/dlindemann.sharepoint.com
    @3eef8910-0332-4feb-9436-8c4579d2696d",
    "iss":"[email protected]579d2696d",
    "nbf":1411414034,
    "exp":1411457234,
    "nameid":"1003000080fd1db2",
    "actor":"[email protected]579d2696d",
    "identityprovider":"urn:federation:microsoftonline"
    }
    SharePoint Host Web
    Tenant ID
    Azure ACS Tenant ID
    Start
    Ende
    UPN
    STS ID Tenant ID
    Identity Provider

    View Slide

  30. DEMO
    Token dekodieren

    View Slide

  31. User-Context vs. App-Context

    Scope=http://sharepoint/content/sitecollection/web
    Right="Manage" />

    View Slide

  32. Start
    User credentials
    provided?
    Set user
    context
    OAuth token
    present?
    Is endpoint CSOM?
    Does the token
    include user info?
    End
    Is endpoint outside
    of an app web?
    Set app and
    user
    context
    Use
    anonymous
    context
    Set App-
    Only
    context
    No
    Yes Yes
    No
    Yes Yes Yes
    No
    No
    No

    View Slide

  33. DEMO
    User und App Token

    View Slide

  34. OAuth in SharePoint
    Apps
    Office Web
    Apps Workflows

    View Slide

  35. Warum sollte ICH über OAuth Bescheid
    wissen?

    View Slide

  36. Angriffsmöglichkeiten
    Man in the middle
    Replay Attack
    Übertragen von (Authentifizierungs-)
    Informationen im Klartext
    http://thehackernews.com/2014/07/facebook-sdk-vulnerability-puts.html

    View Slide

  37. Fazit
    Auf den ersten Blick sehr komplex
    Standardisiertes Protokoll
    Entwicklung wird durch das IETF weiter
    vorangetrieben
    Bildet den Kern neuer Technologien
    Open ID Connect

    View Slide

  38. Links und weitere Infos
    http://oauth.net/
    http://hueniverse.com/oauth/
    http://msdn.microsoft.com/en-
    us/library/office/fp142384%28v=office.15%29.aspx
    Authorization and
    authentication of apps for
    SharePoint 2013
    http://blogs.technet.com/b/speschka/archive/2013/07/29/
    security-in-sharepoint-apps-part-1.aspx
    Security in SharePoint Apps
    http://www.oreilly.de/catalog/9781449311605/index.html
    Buch
    Getting Stated with OAuth
    2.0
    http://technet.microsoft.com/en-us/library/jj219758.aspx
    What's new in authentication
    for SharePoint 2013
    http://msdn.microsoft.com/en-
    us/library/office/dn155905%28v=office.15%29.aspx
    Use an Office 365 to
    authorize apps on an on-
    premises SharePoint site

    View Slide

  39. @brandmysp BrandMySharePoint
    http://bit.ly/brandmysp
    http://www.brandmysharepoint.de

    View Slide