Securing SharePoint Apps Using OAuth 
Kashif Imran 
kashif_imran@hotmail.com
Agenda 
• Issues with SharePoint Development/Security In the Past 
• SharePoint Apps 
• Security Primer 
• App Authentication in SharePoint 2013 
• OAuth 
• OAuth Flow in SharePoint 2013 and Security Tokens 
• Managing App Principals 
• Questions
Issues with SharePoint Security 
• Farm Solutions 
• Runs within the SharePoint worker process (w3wp.exe) 
• Access to Server Object Model 
• By default runs with the current user's permissions 
• Developer can use SPSecurity.RunWithElevatedPrivileges, which runs the code as the Windows 
identity of the host application pool 
• Farm stability issues 
• Installation and upgrade (iisreset) 
• Upgrade farm to newer version of SharePoint 
• Sandboxed Solutions 
• SPUCWorkerProcess.exe 
• Access to Server Object Model 
• Feature activation has full access to content (runs as site administrator) 
• Always runs as the current user, cannot use SPSecurity.RunWithElevatedPrivileges 
• Deprecated in SharePoint 2013 in favor of developing apps for SharePoint
SharePoint Apps 
• A web application that is registered with SharePoint using an app 
manifest 
• Customizes and extends SharePoint without full-trust access 
• Gets its own security principal 
• Interacts with SharePoint using the Client Object Model/REST 
• Distributed as an app package (.app) to the public marketplace or a 
corporate app catalog 
• Installed at site or tenant scope 
• Any programming language/technology that can communicate with 
SharePoint via REST and OAuth
Types of SharePoint Apps 
• SharePoint-hosted 
• App resources stored in a child 
site known as the app web 
• App can only have client-side code 
• Cloud-Hosted 
• App resources deployed on remote server 
known as remote web 
• App can have both client-side and 
server-side code 
• 2 Types of Cloud-Hosted Apps 
• Autohosted (Hosted in Azure) 
• Provider-hosted (Deployed by provider)
Security Primer 
• Authentication (AuthN) 
• Authentication establishes an identity 
• SP 2010 supports user authentication 
• SP 2013 supports user and app authentication 
• Authorization (AuthZ) 
• Based on ACL 
• Ensure current principal has the proper permissions 
• SP 2010 supports permission only for users 
• SP 2013 supports permission for users and apps 
• Security Principal 
• An entity that is understood by a security system 
• An entity on which you can configure permission for resources 
• Examples: User in AD, FBA User, AD Group or FBA Role, SharePoint App
Claims-based Identity Model 
• Way for applications to acquire the identity information about internal or external users 
• Abstracts individual elements of identity and access control into “Notion of claims” and “Concept of issuer or an authority” 
• Applications do not need to authenticate users, store user accounts or passwords, etc. 
• Original intention behind the claims-based identity model was to enable federation between organization, but claims are not just 
for federation 
• Claim 
• Statement that one subject (user or organization) makes about itself or another subject. E.g.: name, group, ethnicity etc. 
• Why call these “claims” and not “attributes”? “Delivery method” => User delivers claims to application instead of application looking these up 
in some directory 
• Claims are NOT what a user can or cannot do, they are what a user is or is not 
• Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer 
• Issuer, Type, Value => (Google, Email, darwaish@gmail.com) 
• Security Token 
• Serialized set of claims that is digitally signed by the issuing authority (the signature guarantees the claims are unchanged and come from whoever signed the token) 
• Successful outcome of sign in 
• SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)
Relying Party and STS 
• Relying Party (RP) 
• An application that relies on claims 
• Claims aware application 
• Claims-based application 
• Security Token Service 
• Service component that builds, signs and issues security tokens 
• Implicit authN (no token, no party) 
• WS-Trust, WS-Fed, SAML 
• IP-STS: 
• authenticates a client and creates SAML token 
• Façade for one or more identity stores 
• RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS) 
• Transforms tokens issued by another STS 
• Does not authenticate the client but relies on SAML token provided by IP-STS that it trusts 
• Façade for one boundary 
• Federation Patterns 
• Passive (Web Clients) WS-Trust emulated using GET, POST, redirects and cookies. 
• Active: Code to acquire tokens explicitly
Windows Identity Foundation (WIF) 
• .NET library encapsulating the inner workings of WS-Federation and 
WS-Trust 
• System.IdentityModel 
• System.IdentityModel.Services 
• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, 
IsAuthenticated, Name) 
• IClaimsPrincipal = IPrincipal + Identities 
• IClaimsIdentity = IIdentity + Claims 
• Claims: Property bag, Subject, issuer, originalissuer, claimtype, value, 
valuetype
SharePoint Claims
App Authentication in SharePoint 2013 
• Apps are first-class security principals and are granted permissions separately 
from user permissions 
• Permissions are granted all or nothing; there is no hierarchy of permissions 
• App authentication is only supported in CSOM and REST API end points 
• App authentication is NOT supported in custom web service entry points 
• Apps have Full rights against app web, can request permissions for other 
webs 
• Full Control permission cannot be used for Office Store apps 
• Project Server permissions available if PWA is installed
Demo 
App Permissions
SP Permission Policies 
• App + User Policy 
• Both user and app require permission on the resource 
• App-Only Policy 
• Only app needs permissions on resource 
• Allows app code to act with permissions beyond those of the current user 
• Only supported for server-side code in cloud-hosted apps 
• AllowAppOnlyPolicy="true" in AppManifest.xml 
• Permission granted during install (all or nothing) 
• User Policy 
• Not used when app makes a call to SharePoint
SP 2013 AuthN Flow for CSOM/REST Endpoint
Types of App Authentication in SharePoint 
• 3 basic types of app authentication 
• Internal authentication 
• External authentication using OAuth 
• Office 365 
• External authentication using S2S 
• On-premises
Internal Authentication 
• Used for client-side calls from pages in the app web, or from the remote web 
via the cross-domain library 
• Incoming calls require a SAML token holding an established user 
identity 
• Call targets unique domain of app web associated with an app 
• SharePoint maps target URL to instance of an app 
• App code is not required to create and manage security tokens
App Web 
• App by default has full permissions to read/write content to app web 
• No default permissions on any location in the SharePoint host environment 
• App.master provides UI to go back to host web 
• Isolated in its own private domain 
• https://{TenancyName}-{14 char App UID}.sharepoint.com/sites/{ParentSiteName}/{AppName}/ 
• http://apps-{UniqueID}.sp2013apps.local/sites/{ParentSiteName}/{AppName}/ 
• Why Private Domain? 
• XSS: JavaScript code cannot call back to the host web 
• JavaScript does not run with the same established user identity as the host web 
• SharePoint environment sees JavaScript callbacks from appweb with unique URLs and can 
authenticate apps 
• {StandardTokens}: {HostUrl}, {AppWebUrl}, {Language} 
• Use Internal Authentication: App is not required to create/manage security tokens
Demo 
App Web and Internal Authentication
External Authentication 
• Calls to SP from server-side code running in remote web 
• Used for both OAuth and S2S 
• Incoming calls require access token with app identity 
• Access token can optionally carry user identity as well 
• Call can target any CSOM or REST endpoint in any site 
• App code is required to create and manage security tokens
Demo 
External Authentication
OAuth 
• Manage app permission on the web 
• OAuth.net 
• Internet protocol/spec for creating/mapping app identity 
• A cross platform, open protocol for authenticating apps 
• Internet standard used by Google, Facebook, Twitter 
• Authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user 
• SP2013 uses OAuth 2.0 (very different from OAuth 1.0) 
• The OAuth spec provides details on how to create access tokens 
• Used for external auth in Office 365 
• Delegated authorization codes or access tokens are issued by the OAuth STS (Windows Azure Access Control Service, ACS) 
• Remote web must communicate with ACS to obtain access tokens 
• Access tokens are passed to the SharePoint host in CSOM or REST API calls 
• WS-Federation STS and SAML passive sign-in STS are primarily intended to issue sign-in tokens 
• In SP2013, the OAuth STS is used only for issuing context tokens and is not used as an identity provider
OAuth Concepts 
• Content Owner(s) 
• SharePoint user(s) who can grant permissions to site content 
• Content Server 
• SharePoint web server that hosts site with the content that is to be accessed 
• Client App/ClientID/AppID 
• Remote web that needs permissions to access site content 
• Authentication Server 
• Trusted service that provides apps with access tokens allowing access to 
content 
• Windows Azure ACS, in the case of SP2013 apps
App Principals 
• Tenancy-scoped configuration for app identity 
• App principals must be registered with SharePoint and ACS 
• App Principal Properties 
• Client Id: GUID based identifier for app principal 
• Client Secret: Key to encrypt message between app and ACS 
• App Host Domain: Base URL of domain hosting remote web 
• Redirect URL: URL to a page used to configure security
Security Tokens used in OAuth 
• Context Token 
• Contextual information passed to app 
• JWT 
• Valid for 12 hours 
• Cache key: identifies a unique 
(user, app, tenant) combination 
• Refresh Token 
• Used by client app to acquire an access token 
• Valid for 6 months 
• Access Token 
• Token passed from the app to SharePoint 
when using external authentication 
• Valid for 12 hours
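The context-token checks the remote web has to make before trusting the cache key and refresh token, as an added Python example (not the deck's code and not Microsoft's TokenHelper library; the deck's own demos are .NET). The token is an HS256 JWT keyed by the client secret; the claim names follow the context-token shape, and the identifiers, secret and timestamps are constructed samples.

```python
"""Validate a SharePoint 2013 context token (HS256 JWT signed with the client secret)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample identifiers (not a real tenant or app).
CLIENT_ID = "c3a2b1f0-1111-4222-8333-444455556666"
CLIENT_SECRET = base64.b64encode(b"constructed-sample-secret-for-demo-only").decode()
REALM = "9f0c8a77-aaaa-4bbb-8ccc-dddddeeeeeee"       # tenant id, appended as "@realm"
HOST = "contoso-app.example.com"                     # app host domain of the remote web
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # issuer of context tokens
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # appctxsender
CONTEXT_TOKEN_LIFETIME = 12 * 3600   # the deck: context tokens are valid for 12 hours


class ContextTokenError(Exception):
    """Raised when a context token must not be trusted."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(signing_input: bytes, client_secret: str) -> bytes:
    # The HMAC key is the base64-decoded client secret shared between app and ACS.
    return hmac.new(base64.b64decode(client_secret), signing_input, hashlib.sha256).digest()


def sample_claims(now: int) -> dict:
    """Constructed claim set in the shape of a SharePoint context token."""
    return {
        "aud": f"{CLIENT_ID}/{HOST}@{REALM}",
        "iss": f"{ACS_PRINCIPAL}@{REALM}",
        "nbf": now,
        "exp": now + CONTEXT_TOKEN_LIFETIME,
        "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
        "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                              "SecurityTokenServiceUri": "https://acs.example.invalid/tokens/OAuth/2"}),
        "refreshtoken": "constructed-refresh-token",
        "isbrowserhostedapp": "true",
    }


def make_context_token(claims: dict, client_secret: str) -> str:
    """Build a signed JWT the way the OAuth STS would (used here only to produce a sample)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hs256_sign(f"{header}.{body}".encode(), client_secret)
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_context_token(token, client_secret, client_id, host, realm, now=None) -> dict:
    """Check algorithm, signature, issuer, audience and lifetime; return what the
    remote web needs next: the refresh token and the (user, app, tenant) cache key."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ContextTokenError("token must have three dot-separated parts")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose "none" or another alg.
    if header.get("alg") != "HS256":
        raise ContextTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hs256_sign(f"{header_b64}.{body_b64}".encode(), client_secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ContextTokenError("signature mismatch")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{realm}":
        raise ContextTokenError("unexpected issuer")
    if claims.get("aud") != f"{client_id}/{host}@{realm}":
        raise ContextTokenError("token was issued for a different app or host")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ContextTokenError("token expired or not yet valid")
    appctx = json.loads(claims["appctx"])
    return {"cache_key": appctx["CacheKey"],
            "refresh_token": claims["refreshtoken"],
            "sts_uri": appctx["SecurityTokenServiceUri"],
            "claims": claims}


def validation_error(token: str, client_secret: str, now: float):
    """The failure reason for a token against the sample app, or None if it is valid."""
    try:
        validate_context_token(token, client_secret, CLIENT_ID, HOST, REALM, now=now)
    except ContextTokenError as err:
        return str(err)
    return None
```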
OAuth Workflow in Office 365
Context Token
Access Token
Steps to use OAuth in O365 
• Create new Cloud-hosted app project 
• Register App Principal 
• Registration handled automatically in autohosted apps 
• Registration requires manual steps in provider hosted apps 
• Registration requires extra steps for apps published to Office Store. Have to get client 
id/secret from Seller Dashboard 
• App principal properties 
• Client ID: GUID of the app principal 
• Client secret: key used to encrypt messages sent between app and ACS 
• App host domain: base URL that defines the hosting domain for the remote web 
• Redirect URL: URL to a page used to configure on-the-fly security 
• Add code in remote web to manage tokens 
• Code required to retrieve access tokens from ACS 
• Explicit code required to add the access token to CSOM and REST API calls
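The last two steps (retrieve an access token from ACS, attach it to a REST call), as an added Python example that is not the deck's code or Microsoft's TokenHelper (the deck's demos are .NET). It assumes the ACS token endpoint pattern and reply fields noted in the comments, and injects the HTTP transport so it runs offline against a constructed stand-in for ACS.

```python
"""Trade the refresh token from a context token for a SharePoint access token at ACS,
cache it per (user, app, tenant) cache key, and send it as a Bearer token on REST calls."""
import time
import urllib.parse

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint's well-known principal id
# Assumption: ACS token endpoint pattern (TokenHelper discovers it from ACS metadata).
ACS_TOKEN_ENDPOINT = "https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"
REFRESH_MARGIN = 5 * 60   # renew an access token this many seconds before it expires


def build_access_token_request(realm, client_id, client_secret, refresh_token, host):
    """Form body for the OAuth 2.0 refresh_token grant as ACS expects it for SharePoint:
    client id and resource are both scoped to the tenant realm with '@realm'."""
    body = {
        "grant_type": "refresh_token",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{host}@{realm}",
    }
    return ACS_TOKEN_ENDPOINT.format(realm=realm), urllib.parse.urlencode(body)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body back into a dict."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}


class AccessTokenCache:
    """Caches access tokens per context-token cache key (user, app, tenant) and
    refreshes them shortly before their 12-hour lifetime runs out."""

    def __init__(self, post, now=time.time):
        self._post = post      # callable(url, form_body) -> dict parsed from the ACS JSON reply
        self._now = now
        self._tokens = {}      # cache_key -> (access_token, expires_on)

    def get(self, cache_key, realm, client_id, client_secret, refresh_token, host):
        cached = self._tokens.get(cache_key)
        if cached and cached[1] - REFRESH_MARGIN > self._now():
            return cached[0]
        url, form = build_access_token_request(realm, client_id, client_secret, refresh_token, host)
        reply = self._post(url, form)
        # Assumed ACS reply fields: access_token plus expires_on as Unix seconds.
        token, expires_on = reply["access_token"], int(reply["expires_on"])
        self._tokens[cache_key] = (token, expires_on)
        return token


def rest_request(site_url, access_token, path="/_api/web"):
    """Request description for a SharePoint REST call carrying the app's access token."""
    return {
        "method": "GET",
        "url": site_url.rstrip("/") + path,
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Accept": "application/json;odata=verbose"},
    }


class FakeAcs:
    """Constructed stand-in for ACS: records requests and hands out numbered tokens."""

    def __init__(self, now):
        self.requests = []
        self.now = now

    def post(self, url, form):
        self.requests.append((url, parse_form(form)))
        return {"access_token": f"constructed-access-token-{len(self.requests)}",
                "token_type": "Bearer",
                "expires_on": str(self.now + 12 * 3600)}
```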
Demo 
OAuth Tokens and App Principal
Managing App Principals in O365 
• /_layouts/15/… 
• AppRegNew.aspx 
• AppInv.aspx 
• AppPrincipals.aspx 
• PowerShell for SPOnline to administer SharePoint apps and app 
principals
Questions 
• ???
BIWUG
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
Sam Bowne
 
Ad

More from Kashif Imran (8)

SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims Auth
Kashif Imran
 
SharePoint Client Object Model (CSOM)
SharePoint Client Object Model (CSOM)SharePoint Client Object Model (CSOM)
SharePoint Client Object Model (CSOM)
Kashif Imran
 
Develop iOS and Android apps with SharePoint/Office 365
Develop iOS and Android apps with SharePoint/Office 365Develop iOS and Android apps with SharePoint/Office 365
Develop iOS and Android apps with SharePoint/Office 365
Kashif Imran
 
SharePoint 2013 Branding
SharePoint 2013 BrandingSharePoint 2013 Branding
SharePoint 2013 Branding
Kashif Imran
 
Enterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the CloudEnterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the Cloud
Kashif Imran
 
Microsoft Azure WebJobs
Microsoft Azure WebJobsMicrosoft Azure WebJobs
Microsoft Azure WebJobs
Kashif Imran
 
Azure Websites
Azure WebsitesAzure Websites
Azure Websites
Kashif Imran
 
Microsoft Azure - Introduction
Microsoft Azure - IntroductionMicrosoft Azure - Introduction
Microsoft Azure - Introduction
Kashif Imran
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims Auth
Kashif Imran
 
SharePoint Client Object Model (CSOM)
SharePoint Client Object Model (CSOM)SharePoint Client Object Model (CSOM)
SharePoint Client Object Model (CSOM)
Kashif Imran
 
Develop iOS and Android apps with SharePoint/Office 365
Develop iOS and Android apps with SharePoint/Office 365Develop iOS and Android apps with SharePoint/Office 365
Develop iOS and Android apps with SharePoint/Office 365
Kashif Imran
 
SharePoint 2013 Branding
SharePoint 2013 BrandingSharePoint 2013 Branding
SharePoint 2013 Branding
Kashif Imran
 
Enterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the CloudEnterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the Cloud
Kashif Imran
 
Microsoft Azure WebJobs
Microsoft Azure WebJobsMicrosoft Azure WebJobs
Microsoft Azure WebJobs
Kashif Imran
 
Microsoft Azure - Introduction
Microsoft Azure - IntroductionMicrosoft Azure - Introduction
Microsoft Azure - Introduction
Kashif Imran
 

Recently uploaded (20)

UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
The Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI IntegrationThe Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI Integration
Re-solution Data Ltd
 
Unlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web AppsUnlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web Apps
Maximiliano Firtman
 
Canadian book publishing: Insights from the latest salary survey - Tech Forum...
Canadian book publishing: Insights from the latest salary survey - Tech Forum...Canadian book publishing: Insights from the latest salary survey - Tech Forum...
Canadian book publishing: Insights from the latest salary survey - Tech Forum...
BookNet Canada
 
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of ExchangesJignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah Innovator
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
CSUC - Consorci de Serveis Universitaris de Catalunya
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Transcript: Canadian book publishing: Insights from the latest salary survey ...
Transcript: Canadian book publishing: Insights from the latest salary survey ...Transcript: Canadian book publishing: Insights from the latest salary survey ...
Transcript: Canadian book publishing: Insights from the latest salary survey ...
BookNet Canada
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Financial Services Technology Summit 2025
Financial Services Technology Summit 2025Financial Services Technology Summit 2025
Financial Services Technology Summit 2025
Ray Bugg
 
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Mike Mingos
 
Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Everything You Need to Know About Agentforce? (Put AI Agents to Work)Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Cyntexa
 
Mastering Testing in the Modern F&B Landscape
Mastering Testing in the Modern F&B LandscapeMastering Testing in the Modern F&B Landscape
Mastering Testing in the Modern F&B Landscape
marketing943205
 
AI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdfAI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdf
Precisely
 
Bepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firmBepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firm
Benard76
 
How to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabberHow to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabber
eGrabber
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
machines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdfmachines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdf
AmirStern2
 
UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
The Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI IntegrationThe Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI Integration
Re-solution Data Ltd
 
Unlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web AppsUnlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web Apps
Maximiliano Firtman
 
Canadian book publishing: Insights from the latest salary survey - Tech Forum...
Canadian book publishing: Insights from the latest salary survey - Tech Forum...Canadian book publishing: Insights from the latest salary survey - Tech Forum...
Canadian book publishing: Insights from the latest salary survey - Tech Forum...
BookNet Canada
 
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of ExchangesJignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah Innovator
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Transcript: Canadian book publishing: Insights from the latest salary survey ...
Transcript: Canadian book publishing: Insights from the latest salary survey ...Transcript: Canadian book publishing: Insights from the latest salary survey ...
Transcript: Canadian book publishing: Insights from the latest salary survey ...
BookNet Canada
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Financial Services Technology Summit 2025
Financial Services Technology Summit 2025Financial Services Technology Summit 2025
Financial Services Technology Summit 2025
Ray Bugg
 
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Mike Mingos
 
Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Everything You Need to Know About Agentforce? (Put AI Agents to Work)Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Cyntexa
 
Mastering Testing in the Modern F&B Landscape
Mastering Testing in the Modern F&B LandscapeMastering Testing in the Modern F&B Landscape
Mastering Testing in the Modern F&B Landscape
marketing943205
 
AI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdfAI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdf
Precisely
 
Bepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firmBepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firm
Benard76
 
How to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabberHow to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabber
eGrabber
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
machines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdfmachines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdf
AmirStern2
 

Securing SharePoint Apps with OAuth

1. Securing SharePoint Apps Using OAuth
Kashif Imran
kashif_imran@hotmail.com
2. Agenda
• Issues with SharePoint Development/Security in the Past
• SharePoint Apps
• Security Primer
• App Authentication in SharePoint 2013
• OAuth
• OAuth Flow in SharePoint 2013 and Security Tokens
• Managing App Principals
• Questions
3. Issues with SharePoint Security
• Farm Solutions
  • Run within the SharePoint worker process (w3wp.exe)
  • Access to the Server Object Model
  • By default run with the current user's permissions
  • Developer can use SPSecurity.RunWithElevatedPrivileges, which reverts the code to the Windows identity of the host application pool
  • Farm stability issues
  • Installation and upgrade (iisreset)
  • Upgrading the farm to a newer version of SharePoint
• Sandboxed Solutions
  • Run in SPUCWorkerProcess.exe
  • Access to the Server Object Model
  • Feature activation has full access to content (runs as site administrator)
  • Always run as the current user; cannot use SPSecurity.RunWithElevatedPrivileges
  • Deprecated in SharePoint 2013 in favor of developing apps for SharePoint
4. SharePoint Apps
• A web application that is registered with SharePoint using an app manifest
• Customize and extend SharePoint without full-trust access
• Get their own security principal
• Interact with SharePoint using the Client Object Model/REST
• Distributed as an app package (.app) to the public marketplace or a corporate app catalog
• Installed at site or tenant scope
• Any programming language/technology that can communicate with SharePoint via REST and OAuth
5. Types of SharePoint Apps
• SharePoint-hosted
  • App resources stored in a child site known as the app web
  • App can only have client-side code
• Cloud-hosted
  • App resources deployed on a remote server known as the remote web
  • App can have both client-side and server-side code
  • 2 types of cloud-hosted apps
    • Autohosted (hosted in Azure)
    • Provider-hosted (deployed by the provider)
6. Security Primer
• Authentication (AuthN)
  • Authentication establishes an identity
  • SP 2010 supports user authentication
  • SP 2013 supports user and app authentication
• Authorization (AuthZ)
  • Based on ACLs
  • Ensures the current principal has the proper permissions
  • SP 2010 supports permissions only for users
  • SP 2013 supports permissions for users and apps
• Security Principal
  • An entity that is understood by a security system
  • An entity on which you can configure permissions for resources
  • Examples: user in AD, FBA user, AD group or FBA role, SharePoint app
7. Claims-based Identity Model
• A way for applications to acquire identity information about internal or external users
• Abstracts the individual elements of identity and access control into the "notion of claims" and the "concept of an issuer or authority"
• Applications do not need to authenticate users, store user accounts or passwords, etc.
• The original intention behind the claims-based identity model was to enable federation between organizations, but claims are not just for federation
• Claim
  • A statement that one subject (user or organization) makes about itself or another subject, e.g. name, group, ethnicity
  • Why call these "claims" and not "attributes"? The delivery method: the user delivers claims to the application instead of the application looking them up in some directory
  • Claims are NOT what a user can or cannot do; they are what a user is or is not
  • Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer
  • Issuer, Type, Value => (Google, Email, darwaish@gmail.com)
• Security Token
  • A serialized set of claims that is digitally signed by the issuing authority (the claims are unchanged and come from whoever signed it)
  • The successful outcome of a sign-in
  • SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)
8. Relying Party and STS
• Relying Party (RP)
  • An application that relies on claims
  • Claims-aware application
  • Claims-based application
• Security Token Service (STS)
  • Service component that builds, signs and issues security tokens
  • Implicit authN (no token, no party)
  • WS-Trust, WS-Fed, SAML
• IP-STS
  • Authenticates a client and creates a SAML token
  • Façade for one or more identity stores
• RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS)
  • Transforms tokens issued by another STS
  • Does not authenticate the client but relies on the SAML token provided by an IP-STS that it trusts
  • Façade for one boundary
• Federation Patterns
  • Passive (web clients): WS-Trust emulated using GET, POST, redirects and cookies
  • Active: code to acquire tokens explicitly
9. Windows Identity Foundation (WIF)
• .NET library encapsulating the inner workings of WS-Federation and WS-Trust
• System.IdentityModel
• System.IdentityModel.Services
• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenticated, Name)
• IClaimsPrincipal = IPrincipal + Identities
• IClaimsIdentity = IIdentity + Claims
• Claims: property bag with Subject, Issuer, OriginalIssuer, ClaimType, Value, ValueType
11. App Authentication in SharePoint 2013
• Apps are first-class security principals and are granted permissions separate from user permissions
• Granted as all or none, and no hierarchy of permissions
• App authentication is only supported in CSOM and REST API endpoints
• App authentication is NOT supported in custom web service entry points
• Apps have Full rights against the app web and can request permissions for other webs
• Full Control permission cannot be used for Office Store apps
• Project Server permissions available if PWA is installed
13. SP Permission Policies
• App + User Policy
  • Both user and app require permission on the resource
• App-Only Policy
  • Only the app needs permissions on the resource
  • Allows app code to elevate above the permissions of the current user
  • Only supported for server-side code in cloud-hosted apps
  • AllowAppOnlyPolicy="true" in AppManifest.xml
  • Permission granted during install (all or nothing)
• User Policy
  • Not used when an app makes a call to SharePoint
14. SP 2013 AuthN Flow for CSOM/REST Endpoint
15. Types of App Authentication in SharePoint
• 3 basic types of app authentication
  • Internal authentication
  • External authentication using OAuth (Office 365)
  • External authentication using S2S (on-premises)
16. Internal Authentication
• Used in client-side calls from pages in the app web, or in the remote web when it uses the cross-domain library
• Incoming calls require a SAML token holding an established user identity
• The call targets the unique domain of the app web associated with an app
• SharePoint maps the target URL to an instance of an app
• App code is not required to create and manage security tokens
17. App Web
• An app by default has full permissions to read/write content in the app web
• No default permissions on any location in the SharePoint host environment
• App.master provides UI to go back to the host web
• Isolated in its own private domain
  • https://{TenancyName}-{14 char App UID}.sharepoint.com/sites/{ParentSiteName}/{AppName}/
  • http://apps-{UniqueID}.sp2013apps.local/sites/{ParentSiteName}/{AppName}/
• Why a private domain?
  • XSS: JavaScript code cannot call back to the host web
  • JavaScript does not run with the same established user identity as the host web
  • The SharePoint environment sees JavaScript callbacks from the app web with unique URLs and can authenticate apps
• {StandardTokens}: {HostUrl}, {AppWebUrl}, {Language}
• Uses internal authentication: the app is not required to create/manage security tokens
18. Demo: App Web and Internal Authentication
19. External Authentication
• Calls to SP from server-side code running in the remote web
• Used for both OAuth and S2S
• Incoming calls require an access token with an app identity
• The access token can optionally carry a user identity as well
• The call can target any CSOM or REST endpoint in any site
• App code is required to create and manage security tokens
21. OAuth
• Manages app permissions on the web
• OAuth.net
• Internet protocol/spec for creating/mapping app identity
• A cross-platform, open protocol for authenticating apps
• Internet standard used by Google, Facebook, Twitter
• Authorizes requests by an app for SharePoint to access SharePoint resources on behalf of a user
• SP2013 uses OAuth 2.0 (very different from OAuth 1.0)
• The OAuth spec provides details on how to create access tokens
• Used for external auth in Office 365
• Delegated authorization codes or access tokens are issued by the OAuth STS (Windows Azure Access Control Service, ACS)
• The remote web must communicate with ACS to obtain access tokens
• Access tokens are passed to the SharePoint host in CSOM or REST API calls
• WS-Federation STS and SAML passive sign-in STS are primarily intended to issue sign-in tokens
• In SP2013, the OAuth STS is used only for issuing context tokens and is not used as an identity provider
22. OAuth Concepts
• Content Owner(s)
  • SharePoint user(s) who can grant permissions to site content
• Content Server
  • SharePoint web server that hosts the site with the content that is to be accessed
• Client App / Client ID / App ID
  • Remote web that needs permissions to access site content
• Authentication Server
  • Trusted service that provides apps with access tokens allowing access to content
  • Windows Azure ACS in the case of SP2013 apps
23. App Principals
• Tenancy-scoped configuration for app identity
• App principals must be registered with SharePoint and ACS
• App Principal Properties
  • Client ID: GUID-based identifier for the app principal
  • Client Secret: key to encrypt messages between the app and ACS
  • App Host Domain: base URL of the domain hosting the remote web
  • Redirect URL: URL to a page used to configure security
24. Security Tokens used in OAuth
• Context Token
  • Contextual information passed to the app
  • JWT
  • Valid for 12 hours
  • Cache key: identifies a unique user (user, app, tenant)
• Refresh Token
  • Used by the client app to acquire an access token
  • Valid for 6 months
• Access Token
  • Token passed by the app to SharePoint when using external authentication
  • Valid for 12 hours
25. OAuth Workflow in Office 365
28. Steps to use OAuth in O365
• Create a new cloud-hosted app project
• Register the app principal
  • Registration is handled automatically in autohosted apps
  • Registration requires manual steps in provider-hosted apps
  • Registration requires extra steps for apps published to the Office Store: you have to get the client ID/secret from the Seller Dashboard
  • App principal properties
    • Client ID: GUID of the app principal
    • Client secret: key used to encrypt messages sent between the app and ACS
    • App host domain: base URL which defines the hosting domain for the remote web
    • Redirect URL: URL to a page used to configure on-the-fly security
• Add code in the remote web to manage tokens
  • Code required to retrieve access tokens from ACS
  • Explicit code required to add the access token to CSOM and REST API calls
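As an added example (not code from the slides, and not Microsoft's SharePoint tooling), the checks a provider-hosted remote web should run on the context token from slide 24 before using its refresh token to request an access token from ACS, the token-management step of slide 28; Python with only the standard library. Claim names follow the layout of the SharePoint 2013 context token (aud, iss, nbf, exp, appctx carrying CacheKey, refreshtoken), the client id, secret, realm, host names and token contents are constructed placeholders, and SHAREPOINT_PRINCIPAL_ID is the well-known SharePoint service principal, which the slides do not show.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders for the app principal properties from slide 23; none are real values.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"       # client id of the app principal
CLIENT_SECRET = base64.b64encode(b"constructed-demo-secret-not-a-real-key").decode()
APP_HOST = "contoso-app.example"                          # app host domain of the remote web
REALM = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"            # tenant realm (constructed)
CONTEXT_TOKEN_LIFETIME = 12 * 3600                        # "valid for 12 hours" (slide 24)
CLOCK_SKEW = 300                                          # tolerated drift between ACS and remote web
# Well-known SharePoint service principal id used in the ACS "resource" field (not on the slides).
SHAREPOINT_PRINCIPAL_ID = "00000003-0000-0ff1-ce00-000000000000"


class TokenError(ValueError):
    """Raised when a context token must not be trusted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, secret_b64: str) -> bytes:
    # The context token is HMAC-SHA256 signed with the base64-decoded client secret.
    return hmac.new(base64.b64decode(secret_b64), signing_input, hashlib.sha256).digest()


def make_context_token(now: int, secret_b64: str = CLIENT_SECRET) -> str:
    """Constructed stand-in for the context token ACS issues (used here only as test input)."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "aud": f"{CLIENT_ID}/{APP_HOST}@{REALM}",       # which app principal and host may consume it
        "iss": f"constructed-acs-issuer@{REALM}",
        "nbf": now,
        "exp": now + CONTEXT_TOKEN_LIFETIME,
        "appctx": json.dumps({"CacheKey": "constructed-cache-key"}),
        "refreshtoken": "constructed-refresh-token",
    }
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    return f"{signing_input}.{_b64url_encode(_hs256(signing_input.encode(), secret_b64))}"


def validate_context_token(token: str, now: int, secret_b64: str = CLIENT_SECRET,
                           app_host: str = APP_HOST) -> dict:
    """Check signature, lifetime and audience before trusting any claim in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuse alg=none and any algorithm not expected here
        raise TokenError("unexpected signing algorithm")
    expected = _hs256(f"{header_b64}.{payload_b64}".encode(), secret_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature does not match the client secret")
    payload = json.loads(_b64url_decode(payload_b64))
    if not (payload["nbf"] - CLOCK_SKEW <= now < payload["exp"]):
        raise TokenError("token not yet valid or expired")
    principal, _, realm = payload["aud"].partition("@")
    if principal != f"{CLIENT_ID}/{app_host}":  # token minted for another app or host
        raise TokenError("audience mismatch")
    if not payload["iss"].endswith("@" + realm):
        raise TokenError("issuer realm does not match audience realm")
    app_ctx = json.loads(payload["appctx"])
    return {"realm": realm, "cache_key": app_ctx["CacheKey"],     # cache key: (user, app, tenant)
            "refresh_token": payload["refreshtoken"], "expires_at": payload["exp"]}


def build_access_token_request(ctx: dict, sharepoint_host: str) -> dict:
    """Form fields of the OAuth 2.0 refresh_token grant the remote web sends to ACS (slide 28)."""
    # sharepoint_host is the host web's host name, not the app host domain in the token's aud claim.
    return {
        "grant_type": "refresh_token",
        "client_id": f"{CLIENT_ID}@{ctx['realm']}",
        "client_secret": CLIENT_SECRET,
        "refresh_token": ctx["refresh_token"],
        "resource": f"{SHAREPOINT_PRINCIPAL_ID}/{sharepoint_host}@{ctx['realm']}",
    }
```

The access token ACS returns for that request is what the remote web then attaches to its CSOM or REST calls as an Authorization: Bearer header; the cache key from the context token is what lets the remote web cache that access token per (user, app, tenant) for its 12-hour lifetime.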
29. Demo: OAuth Tokens and App Principal
30. Managing App Principals in O365
• /_layouts/15/…
  • AppRegNew.aspx
  • AppInv.aspx
  • AppPrincipals.aspx
• PowerShell for SharePoint Online to administer SharePoint apps and app principals