Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authorize your Apps! - OAuth in SharePoint 2013

Avatar for Daniel Lindemann Daniel Lindemann
September 25, 2014
Programming
0
2k

Authorize your Apps! - OAuth in SharePoint 2013

Avatar for Daniel Lindemann

Daniel Lindemann

September 25, 2014
Tweet

More Decks by Daniel Lindemann

See All by Daniel Lindemann
Passierschein, bitte – sichere und skalierbare Authentifizierung mit Microsoft Entra ID
Avatar for Daniel Lindemann daniellindemann
0
89
Zeitfresser gebändigt - Optimierung von Entwicklungsumgebungen
Avatar for Daniel Lindemann daniellindemann
0
68
Infrastructure-as-Code with Bicep - A Developer's Perspective - Basta Spring 2024
Avatar for Daniel Lindemann daniellindemann
0
110
Optimize Container Images for .NET Applications - Basta Spring 2024
Avatar for Daniel Lindemann daniellindemann
0
160
Optimize Container Images for .NET Applications
Avatar for Daniel Lindemann daniellindemann
0
55
Infrastructure-as-Code with Bicep
Avatar for Daniel Lindemann daniellindemann
0
67
Application Monitoring in Microsoft Azure
Avatar for Daniel Lindemann daniellindemann
0
76
Meistern des Inner Dev Loop für .NET-Containerapplikationen
Avatar for Daniel Lindemann daniellindemann
0
34
Entwickler-Experience in einer containerisierten Applikationswelt
Avatar for Daniel Lindemann daniellindemann
0
36

Other Decks in Programming

See All in Programming
状態と共に暮らす:ステートフルへの挑戦
Avatar for ypresto ypresto
3
1.3k
JAWS DAYS 2025 re_Cheers: WEB
Avatar for komakichi komakichi
0
130
インプロセスQAにおいて大事にしていること / In-process QA Meetup
Avatar for MEDLEY, INC. medley
0
190
実践Webフロントパフォーマンスチューニング
Avatar for しーぴー cp20
45
11k
The New Developer Workflow: How AI Transforms Ideas into Code
Avatar for Daniel Sogl danielsogl
0
140
Instrumentsを使用した アプリのパフォーマンス向上方法
Avatar for hinakko hinakko
0
260
Road to Ruby for A Linguistics Nerd
Avatar for Hayato Ishida hayat01sh1da
PRO
0
380
20250426 GDGoC 合同新歓 - GDGoC のススメ
Avatar for Yoshimura Naoya getty708
0
120
GitHub Copilot for Azureを使い倒したい
Avatar for Kento.Yamada ymd65536
1
350
fieldalignmentから見るGoの構造体
Avatar for kuro kuro_kurorrr
0
140
Cursor/Devin全社導入の理想と現実
Avatar for Ryoichi Saito saitoryc
29
22k
CursorとDevinが仲間!?AI駆動で新規プロダクト開発に挑んだ3ヶ月を振り返る / A Story of New Product Development with Cursor and Devin
Avatar for r-kagaya rkaga
5
1.4k

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
21k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
368
19k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
172
14k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
52
7.6k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
26k
A better future with KSS
Avatar for Kyle Neath kneath
239
17k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
41
2.3k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
49
7.9k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
231
18k
Faster Mobile Websites
Avatar for Dean Hume deanohume
307
31k
BBQ
Avatar for Matthew Crist matthewcrist
88
9.6k

Transcript

  1. Daniel Lindemann | ITaCS GmbH Authorize your Apps! OAuth in

    SharePoint 2013

  2. Über mich Senior SharePoint Developer @ITaCS GmbH [email protected] www.itacs.de www.dlindemann.de/blog

    @daniellindemann Daniel Lindemann

  3. Agenda OAuth Allgemein OAuth in SharePoint Zusammenfassung / Fazit

  4. None

  5. Zugriff einer Anwendung Oldschool Mails lesen, Mails schreiben, Mails löschen,

    Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen, … Mails lesen, Mails schreiben, Mails löschen, Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen, …

  6. Probleme Passwort wird an Drittanbieter herausgegeben Drittanbieter Applikation hat Zugriff

    auf alle Daten Drittanbieter muss Passwörter speichern Ändert der Benutzer sein Passwort hat der Drittanbieter keinen Zugriff mehr

  7. “Passwords are not confetti. Please stop throwing them around. (Especially

    if they’re not yours.)” Chris Messina – Mitbegründer OAuth-Protokoll

  8. Was ändert sich Passwörter werden durch Tokens ersetzt Tokens sind

    verschlüsselte Zeichenketten, die Zugriff auf eine API gewähren Zugriff steuerbar Es lässt sich festlegen auf welchen Teil einer API zugegriffen wird Client und Resource Server müssen sich vertrauen Selbe Ticketausstellungs-Stelle (Issuer)

  9. Applikation registrieren Client ID und Client Secret

  10. Rollen Resource Owner Authorization Server Resource Server Client

  11. Tokens Authorization Token Access Token Refresh Token

  12. Scopes Beschreiben welche Daten der Consumer abrufen darf Wird beim

    Anfordern des Authorization Tokens definiert Beispiel: https://myservice.de/oauth/2/get_authorizationCode?client_id=123&response_type=cod e&scope=Profile.Read,News.Edit&redirect_uri=https%3A%2F%2Fmyservice.de%2Fapp_au thorized
  13. None

  14. Zugriff einer Anwendung mit OAuth Mails lesen, Mails schreiben, Mails

    löschen, Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen, … Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen
  15. None

  16. DEMO Manuelles Registrieren einer SharePoint-App in SharePoint Online

  17. SharePoint implementiert OAuth genau wie in der Spezifikation beschrieben http://tools.ietf.org/html/rfc6749#page-24

  18. TokenHelper.cs und SharePointContext.cs

  19. Rollen in SharePoint Resource Owner Authorization Server Resource Server Client

  20. Rollen in SharePoint Browser / User STS / ACS SharePoint

    App

  21. App-Berechtigungen in SharePoint App-Berechtigungen werden in der AppManifest.xml konfiguriert Berechtigungserteilung

    bei Installtion Aufbau eines PermissionRequest <AppPermissionRequest Scope=http://sharepoint/content/sitecollection/web” Right="Manage" /> Produkt Permission Provider Objekt Berechtigung

  22. SharePoint Scopes Scope URI Scope Alias Available Rights http://sharepoint/content/sitecollection Site

    Read, Write, Manage http://sharepoint/content/sitecollection/web Web Read, Write, Manage http://sharepoint/content/sitecollection/web/list List Read, Write, Manage http://sharepoint/content/tenant AllSites Read, Write, Manage http://sharepoint/bcs/connection None (currently not supported) Read http://sharepoint/search Search QueryAsUserIgnoreAppPrincipal http://sharepoint/projectserver ProjectAdmin Manage http://sharepoint/projectserver/projects Projects Read, Write http://sharepoint/projectserver/projects/project Project Read, Write http://sharepoint/projectserver/enterpriseresources ProjectResources Read, Write http://sharepoint/projectserver/statusing ProjectStatusing SubmitStatus http://sharepoint/projectserver/reporting ProjectReporting Read http://sharepoint/projectserver/workflow ProjectWorkflow Elevate http://sharepoint/social/tenant AllProfiles Read, Write, Manage http://sharepoint/social/core Social Read, Write, Manage http://sharepoint/social/microfeed Microfeed Read, Write, Manage http://sharepoint/taxonomy TermStore Read, Write

  23. Benutzer-Berechtigungen werden durch Benutzung einer App nicht heraufgestuft.

  24. DEMO Benutzer-Berechtigung

  25. SharePoint App OAuth Flow 1. Start App 4. App Redirect

    (mit Token) 8. Request mit Access Token 9. Daten von SharePoint 2. Anfrage Context Token 3. Erhalt Context Token (signiert) 5. Anfrage zur App-Startseite mit Context Token 10. App-Startseite mit Content und SharePoint Daten 7. Access Token 6. Refresh Token

  26. Context Token {"typ":"JWT", "alg":"none"}.{ "aud":"0794723a-ca7f-42b3-af6f-c424a222f02b/localhost:44309@3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "nbf":"1411411418", "exp":"1411454618", "appctxsender":"00000003-0000-0ff1-ce00-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "appctx":"{

    \"CacheKey\":\"QTJ+bUnrMnsmsRCLh613QhpixdDTZY5WvqNWD9WtIUM=\", \"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\" }", "refreshtoken":"IAAAAO_y8wP5- onrc5xvPfEU9NT6393L1CZVYTcP5wccQAdtKk1npcQmQUG7eZ4OqknbI0PEacfwwaBFx7yF6L1nVGz408Zerh4v0 847lw_9AX5XP7TU-LYYjrYHWHU-XiAIvyDdV- ZD30_5wev1fZwGAFAXein6BSVGgguyDbqvYOinESsHTfE5JC13vEdZ5JyPywWnwTxsNXAJIdlLB4ByEHEmbLbG1w QHLymSw09YQjUqN5fXsDe2w4GA3DbgfoitYPEvXHsxeQZ2DrmW2T4PomExTltG6H58VlKEdoDCq4wB0Xq2q9 CWkrIRI7qhCtJoHRgRXj1GYfQBwaTcC7wyTPg", "isbrowserhostedapp":"true" }

  27. Context Token {"typ":"JWT", "alg":"none"}.{ "aud":"0794723a-ca7f-42b3-af6f-c424a222f02b/localhost:44309@3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "nbf":"1411411418", "exp":"1411454618", "appctxsender":"00000003-0000-0ff1-ce00-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "appctx":"{

    \"CacheKey\":\"QTJ+bUnrMnsmsRCLh613QhpixdDTZY5WvqNWD9WtIUM=\", \"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\" }", "refreshtoken":"IAAAAO_y8wP5- onrc5xvPfEU9NT6393L1CZVYTcP5wccQAdtKk1npcQmQUG7eZ4OqknbI0PEacfwwaBFx7yF6L1nVGz408Zerh4v0 847lw_9AX5XP7TU-LYYjrYHWHU-XiAIvyDdV- ZD30_5wev1fZwGAFAXein6BSVGgguyDbqvYOinESsHTfE5JC13vEdZ5JyPywWnwTxsNXAJIdlLB4ByEHEmbLbG1w QHLymSw09YQjUqN5fXsDe2w4GA3DbgfoitYPEvXHsxeQZ2DrmW2T4PomExTltG6H58VlKEdoDCq4wB0Xq2q9 CWkrIRI7qhCtJoHRgRXj1GYfQBwaTcC7wyTPg", "isbrowserhostedapp":"true" } Client ID App URL Tenant ID Azure ACS Tenant ID Start Ende User ID + Issuer + App + Realm Tenant ID SharePoint STS URL Refresh Token

  28. Access Token { "typ":"JWT", "alg":"RS256", "x5t":"kriMPdmBvx68skT8-mPAB3BseeA" }.{ "aud":"00000003-0000-0ff1-ce00-000000000000/dlindemann.sharepoint.com @3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d",

    "nbf":1411414034, "exp":1411457234, "nameid":"1003000080fd1db2", "actor":"0794723a-ca7f-42b3-af6f-c424a222f02b@3eef8910-0332-4feb-9436-8c4579d2696d", "identityprovider":"urn:federation:microsoftonline" }

  29. Access Token { "typ":"JWT", "alg":"RS256", "x5t":"kriMPdmBvx68skT8-mPAB3BseeA" }.{ "aud":"00000003-0000-0ff1-ce00-000000000000/dlindemann.sharepoint.com @3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d",

    "nbf":1411414034, "exp":1411457234, "nameid":"1003000080fd1db2", "actor":"0794723a-ca7f-42b3-af6f-c424a222f02b@3eef8910-0332-4feb-9436-8c4579d2696d", "identityprovider":"urn:federation:microsoftonline" } SharePoint Host Web Tenant ID Azure ACS Tenant ID Start Ende UPN STS ID Tenant ID Identity Provider

  30. DEMO Token dekodieren

  31. User-Context vs. App-Context <AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope=http://sharepoint/content/sitecollection/web Right="Manage" /> </AppPermissionRequests>

  32. Start User credentials provided? Set user context OAuth token present?

    Is endpoint CSOM? Does the token include user info? End Is endpoint outside of an app web? Set app and user context Use anonymous context Set App- Only context No Yes Yes No Yes Yes Yes No No No

  33. DEMO User und App Token

  34. OAuth in SharePoint Apps Office Web Apps Workflows

  35. Warum sollte ICH über OAuth Bescheid wissen?

  36. Angriffsmöglichkeiten Man in the middle Replay Attack Übertragen von (Authentifizierungs-)

    Informationen im Klartext http://thehackernews.com/2014/07/facebook-sdk-vulnerability-puts.html

  37. Fazit Auf den ersten Blick sehr komplex Standardisiertes Protokoll Entwicklung

    wird durch das IETF weiter vorangetrieben Bildet den Kern neuer Technologien Open ID Connect

  38. Links und weitere Infos http://oauth.net/ http://hueniverse.com/oauth/ http://msdn.microsoft.com/en- us/library/office/fp142384%28v=office.15%29.aspx Authorization and

    authentication of apps for SharePoint 2013 http://blogs.technet.com/b/speschka/archive/2013/07/29/ security-in-sharepoint-apps-part-1.aspx Security in SharePoint Apps http://www.oreilly.de/catalog/9781449311605/index.html Buch Getting Stated with OAuth 2.0 http://technet.microsoft.com/en-us/library/jj219758.aspx What's new in authentication for SharePoint 2013 http://msdn.microsoft.com/en- us/library/office/dn155905%28v=office.15%29.aspx Use an Office 365 to authorize apps on an on- premises SharePoint site

  39. @brandmysp BrandMySharePoint http://bit.ly/brandmysp http://www.brandmysharepoint.de