Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authorize your Apps! - OAuth in SharePoint 2013

Daniel Lindemann
September 25, 2014
Programming
0
1.9k

Authorize your Apps! - OAuth in SharePoint 2013

Daniel Lindemann

September 25, 2014
Tweet

More Decks by Daniel Lindemann

See All by Daniel Lindemann
Infrastructure-as-Code with Bicep - A Developer's Perspective - Basta Spring 2024
daniellindemann
0
40
Optimize Container Images for .NET Applications - Basta Spring 2024
daniellindemann
0
92
Optimize Container Images for .NET Applications
daniellindemann
0
34
Infrastructure-as-Code with Bicep
daniellindemann
0
23
Application Monitoring in Microsoft Azure
daniellindemann
0
57
Meistern des Inner Dev Loop für .NET-Containerapplikationen
daniellindemann
0
25
Entwickler-Experience in einer containerisierten Applikationswelt
daniellindemann
0
20
Global Microsoft 365 Developer Bootcamp 2019 - SharePoint Framework - Berlin
daniellindemann
0
48
Ab auf's Boot - Container und Kubernetes in Azure
daniellindemann
0
27

Other Decks in Programming

See All in Programming
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
760
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
260
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
920
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
370
Node.js v22 で変わること
yosuke_furukawa
PRO
9
3.2k
Hanami and htmx
bkuhlmann
0
210
検証も兼ねて個人開発でHonoとかと向き合った話
hanetsuki
0
890
ONE WEDGE_company_guide
1wedge_one
0
470
スクラムガイドのスプリントレトロスペクティブを改めて読みかえしてみた / Re-reading the Sprint Retrospective Section in the Scrum Guide
mackey0225
3
410
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
270
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
750

Featured

See All Featured
Being A Developer After 40
akosma
57
580k
The Cult of Friendly URLs
andyhume
74
5.7k
[RailsConf 2023] Rails as a piece of cake
palkan
23
3.9k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Docker and Python
trallard
34
2.7k
What the flash - Photography Introduction
edds
64
11k
Web Components: a chance to create the future
zenorocha
305
41k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Music & Morning Musume
bryan
41
5.6k
Statistics for Hackers
jakevdp
789
220k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
Clear Off the Table
cherdarchuk
84
310k

Transcript

  1. Daniel Lindemann | ITaCS GmbH Authorize your Apps! OAuth in

    SharePoint 2013

  2. Über mich Senior SharePoint Developer @ITaCS GmbH [email protected] www.itacs.de www.dlindemann.de/blog

    @daniellindemann Daniel Lindemann

  3. Agenda OAuth Allgemein OAuth in SharePoint Zusammenfassung / Fazit

  4. None

  5. Zugriff einer Anwendung Oldschool Mails lesen, Mails schreiben, Mails löschen,

    Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen, … Mails lesen, Mails schreiben, Mails löschen, Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen, …

  6. Probleme Passwort wird an Drittanbieter herausgegeben Drittanbieter Applikation hat Zugriff

    auf alle Daten Drittanbieter muss Passwörter speichern Ändert der Benutzer sein Passwort hat der Drittanbieter keinen Zugriff mehr

  7. “Passwords are not confetti. Please stop throwing them around. (Especially

    if they’re not yours.)” Chris Messina – Mitbegründer OAuth-Protokoll

  8. Was ändert sich Passwörter werden durch Tokens ersetzt Tokens sind

    verschlüsselte Zeichenketten, die Zugriff auf eine API gewähren Zugriff steuerbar Es lässt sich festlegen auf welchen Teil einer API zugegriffen wird Client und Resource Server müssen sich vertrauen Selbe Ticketausstellungs-Stelle (Issuer)

  9. Applikation registrieren Client ID und Client Secret

  10. Rollen Resource Owner Authorization Server Resource Server Client

  11. Tokens Authorization Token Access Token Refresh Token

  12. Scopes Beschreiben welche Daten der Consumer abrufen darf Wird beim

    Anfordern des Authorization Tokens definiert Beispiel: https://myservice.de/oauth/2/get_authorizationCode?client_id=123&response_type=cod e&scope=Profile.Read,News.Edit&redirect_uri=https%3A%2F%2Fmyservice.de%2Fapp_au thorized
  13. None

  14. Zugriff einer Anwendung mit OAuth Mails lesen, Mails schreiben, Mails

    löschen, Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen, … Kalendereinträge lesen, Kalendereinträge bearbeiten, Kalendereinträge löschen
  15. None

  16. DEMO Manuelles Registrieren einer SharePoint-App in SharePoint Online

  17. SharePoint implementiert OAuth genau wie in der Spezifikation beschrieben http://tools.ietf.org/html/rfc6749#page-24

  18. TokenHelper.cs und SharePointContext.cs

  19. Rollen in SharePoint Resource Owner Authorization Server Resource Server Client

  20. Rollen in SharePoint Browser / User STS / ACS SharePoint

    App

  21. App-Berechtigungen in SharePoint App-Berechtigungen werden in der AppManifest.xml konfiguriert Berechtigungserteilung

    bei Installtion Aufbau eines PermissionRequest <AppPermissionRequest Scope=http://sharepoint/content/sitecollection/web” Right="Manage" /> Produkt Permission Provider Objekt Berechtigung

  22. SharePoint Scopes Scope URI Scope Alias Available Rights http://sharepoint/content/sitecollection Site

    Read, Write, Manage http://sharepoint/content/sitecollection/web Web Read, Write, Manage http://sharepoint/content/sitecollection/web/list List Read, Write, Manage http://sharepoint/content/tenant AllSites Read, Write, Manage http://sharepoint/bcs/connection None (currently not supported) Read http://sharepoint/search Search QueryAsUserIgnoreAppPrincipal http://sharepoint/projectserver ProjectAdmin Manage http://sharepoint/projectserver/projects Projects Read, Write http://sharepoint/projectserver/projects/project Project Read, Write http://sharepoint/projectserver/enterpriseresources ProjectResources Read, Write http://sharepoint/projectserver/statusing ProjectStatusing SubmitStatus http://sharepoint/projectserver/reporting ProjectReporting Read http://sharepoint/projectserver/workflow ProjectWorkflow Elevate http://sharepoint/social/tenant AllProfiles Read, Write, Manage http://sharepoint/social/core Social Read, Write, Manage http://sharepoint/social/microfeed Microfeed Read, Write, Manage http://sharepoint/taxonomy TermStore Read, Write

  23. Benutzer-Berechtigungen werden durch Benutzung einer App nicht heraufgestuft.

  24. DEMO Benutzer-Berechtigung

  25. SharePoint App OAuth Flow 1. Start App 4. App Redirect

    (mit Token) 8. Request mit Access Token 9. Daten von SharePoint 2. Anfrage Context Token 3. Erhalt Context Token (signiert) 5. Anfrage zur App-Startseite mit Context Token 10. App-Startseite mit Content und SharePoint Daten 7. Access Token 6. Refresh Token

  26. Context Token {"typ":"JWT", "alg":"none"}.{ "aud":"0794723a-ca7f-42b3-af6f-c424a222f02b/localhost:44309@3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "nbf":"1411411418", "exp":"1411454618", "appctxsender":"00000003-0000-0ff1-ce00-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "appctx":"{

    \"CacheKey\":\"QTJ+bUnrMnsmsRCLh613QhpixdDTZY5WvqNWD9WtIUM=\", \"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\" }", "refreshtoken":"IAAAAO_y8wP5- onrc5xvPfEU9NT6393L1CZVYTcP5wccQAdtKk1npcQmQUG7eZ4OqknbI0PEacfwwaBFx7yF6L1nVGz408Zerh4v0 847lw_9AX5XP7TU-LYYjrYHWHU-XiAIvyDdV- ZD30_5wev1fZwGAFAXein6BSVGgguyDbqvYOinESsHTfE5JC13vEdZ5JyPywWnwTxsNXAJIdlLB4ByEHEmbLbG1w QHLymSw09YQjUqN5fXsDe2w4GA3DbgfoitYPEvXHsxeQZ2DrmW2T4PomExTltG6H58VlKEdoDCq4wB0Xq2q9 CWkrIRI7qhCtJoHRgRXj1GYfQBwaTcC7wyTPg", "isbrowserhostedapp":"true" }

  27. Context Token {"typ":"JWT", "alg":"none"}.{ "aud":"0794723a-ca7f-42b3-af6f-c424a222f02b/localhost:44309@3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "nbf":"1411411418", "exp":"1411454618", "appctxsender":"00000003-0000-0ff1-ce00-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d", "appctx":"{

    \"CacheKey\":\"QTJ+bUnrMnsmsRCLh613QhpixdDTZY5WvqNWD9WtIUM=\", \"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\" }", "refreshtoken":"IAAAAO_y8wP5- onrc5xvPfEU9NT6393L1CZVYTcP5wccQAdtKk1npcQmQUG7eZ4OqknbI0PEacfwwaBFx7yF6L1nVGz408Zerh4v0 847lw_9AX5XP7TU-LYYjrYHWHU-XiAIvyDdV- ZD30_5wev1fZwGAFAXein6BSVGgguyDbqvYOinESsHTfE5JC13vEdZ5JyPywWnwTxsNXAJIdlLB4ByEHEmbLbG1w QHLymSw09YQjUqN5fXsDe2w4GA3DbgfoitYPEvXHsxeQZ2DrmW2T4PomExTltG6H58VlKEdoDCq4wB0Xq2q9 CWkrIRI7qhCtJoHRgRXj1GYfQBwaTcC7wyTPg", "isbrowserhostedapp":"true" } Client ID App URL Tenant ID Azure ACS Tenant ID Start Ende User ID + Issuer + App + Realm Tenant ID SharePoint STS URL Refresh Token

  28. Access Token { "typ":"JWT", "alg":"RS256", "x5t":"kriMPdmBvx68skT8-mPAB3BseeA" }.{ "aud":"00000003-0000-0ff1-ce00-000000000000/dlindemann.sharepoint.com @3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d",

    "nbf":1411414034, "exp":1411457234, "nameid":"1003000080fd1db2", "actor":"0794723a-ca7f-42b3-af6f-c424a222f02b@3eef8910-0332-4feb-9436-8c4579d2696d", "identityprovider":"urn:federation:microsoftonline" }

  29. Access Token { "typ":"JWT", "alg":"RS256", "x5t":"kriMPdmBvx68skT8-mPAB3BseeA" }.{ "aud":"00000003-0000-0ff1-ce00-000000000000/dlindemann.sharepoint.com @3eef8910-0332-4feb-9436-8c4579d2696d", "iss":"00000001-0000-0000-c000-000000000000@3eef8910-0332-4feb-9436-8c4579d2696d",

    "nbf":1411414034, "exp":1411457234, "nameid":"1003000080fd1db2", "actor":"0794723a-ca7f-42b3-af6f-c424a222f02b@3eef8910-0332-4feb-9436-8c4579d2696d", "identityprovider":"urn:federation:microsoftonline" } SharePoint Host Web Tenant ID Azure ACS Tenant ID Start Ende UPN STS ID Tenant ID Identity Provider

  30. DEMO Token dekodieren

  31. User-Context vs. App-Context <AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope=http://sharepoint/content/sitecollection/web Right="Manage" /> </AppPermissionRequests>

  32. Start User credentials provided? Set user context OAuth token present?

    Is endpoint CSOM? Does the token include user info? End Is endpoint outside of an app web? Set app and user context Use anonymous context Set App- Only context No Yes Yes No Yes Yes Yes No No No

  33. DEMO User und App Token

  34. OAuth in SharePoint Apps Office Web Apps Workflows

  35. Warum sollte ICH über OAuth Bescheid wissen?

  36. Angriffsmöglichkeiten Man in the middle Replay Attack Übertragen von (Authentifizierungs-)

    Informationen im Klartext http://thehackernews.com/2014/07/facebook-sdk-vulnerability-puts.html

  37. Fazit Auf den ersten Blick sehr komplex Standardisiertes Protokoll Entwicklung

    wird durch das IETF weiter vorangetrieben Bildet den Kern neuer Technologien Open ID Connect

  38. Links und weitere Infos http://oauth.net/ http://hueniverse.com/oauth/ http://msdn.microsoft.com/en- us/library/office/fp142384%28v=office.15%29.aspx Authorization and

    authentication of apps for SharePoint 2013 http://blogs.technet.com/b/speschka/archive/2013/07/29/ security-in-sharepoint-apps-part-1.aspx Security in SharePoint Apps http://www.oreilly.de/catalog/9781449311605/index.html Buch Getting Stated with OAuth 2.0 http://technet.microsoft.com/en-us/library/jj219758.aspx What's new in authentication for SharePoint 2013 http://msdn.microsoft.com/en- us/library/office/dn155905%28v=office.15%29.aspx Use an Office 365 to authorize apps on an on- premises SharePoint site

  39. @brandmysp BrandMySharePoint http://bit.ly/brandmysp http://www.brandmysharepoint.de