Saturday, May 18, 2013

OAuth in SharePoint 2013

Recently I got to hear this new term, "OAuth". I was reading some articles and watching some videos which were quite helpful for me. I thought of sharing this with you guys too.
OAuth (Open Authorization) is an internet protocol for creating and managing App identity. It is a cross-platform mechanism for authenticating and authorizing Apps. [I don't want to deviate from the main topic here. I will blog about Apps in a different post. In simple words, Apps are self-contained pieces of functionality that extend the capabilities of a SharePoint website.] OAuth is an emerging internet standard already used by social networking giants like Facebook, Google and Twitter.
OAuth allows App identity to be recognized apart from user identity. Apps must be granted permissions independently of user permissions. By default an App is constrained in what it can do during and after installation. It can request that the installing user grant specific types of permissions. Apps can be granted more permission than what the current user has (elevated permission).
OAuth Concepts and Terms
Content Owner(s) - User(s) who can grant permission to content in a site
Client App - Remote App that needs permission to site content. It must be authenticated and granted permission to site content. The Client App runs on its own App server.
Content Server - Web server that runs the site with content (SharePoint web server)
Authentication Server - Trusted server that authenticates Apps and creates OAuth tokens.

Windows Azure Access Control Services (ACS)
ACS is required for OAuth implementation in SharePoint 2013. ACS acts as the authentication server. It must be trusted by both the Content Server and the Client App. ACS is automatically configured for sites in an Office 365 tenancy. In the case of an On-Premise farm, a trust to ACS must be configured with PowerShell.
Registering a new App Principal [in simple words – adding a new App ;-)]
SharePoint 2013 has an application page for registering SharePoint Apps: http://sitename/_layouts/15/appregnew.aspx
This can be done via PowerShell too.
The components for this registration process are:
AppID (Client ID) - GUID that identifies the application.
AppSecret - Signing key used to sign, encrypt and decrypt messages. Both ACS and the Client App hold the AppSecret. The AppSecret is a Base64-encoded string.
Title - Title of the App.
App URI - Base DNS name used to reach the App.
Redirect URL
OAuth Protocol Flow in SharePoint 2013
The picture below might not be that eye catching. I created it in Visio. It is a humble effort to make it look presentable :)

1. SharePoint authenticates the user using claims [and creates SAML tokens].
2. SharePoint requests a context token for the user.
3. ACS returns the context token.
4. SharePoint passes the context token to the user.
5. The user POSTs to the Client App, passing the context token.
6. The Client App pulls the refresh token out of the context token. The Client App then passes the refresh token to ACS to request an OAuth token.
7. ACS returns the OAuth token to the Client App.
8. The Client App makes CSOM/REST calls to the SharePoint site, passing the OAuth token.
9. SharePoint returns content to the Client App.
10. The Client App returns HTML to the user's device.
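Steps 6 and 7 are where the Client App has to be careful: the context token arrives in a browser POST, so before pulling the refresh token out of it the App must check that the token is genuinely signed with its AppSecret, addressed to it, and still valid. The following is an added illustration (not code from this post or from SharePoint's own TokenHelper) of that validation and of the refresh-token request the App then sends to ACS; the AppID, realm, host names, secret and claim names are constructed for the demo, and the claim layout follows the SharePoint 2013 low-trust conventions as an assumption.

```python
import base64, hashlib, hmac, json, time
# Constructed sample values (not from the post); a real AppSecret comes from appregnew.aspx.
APP_SECRET = base64.b64encode(b"constructed-app-secret-0123456789abcdef").decode()
CLIENT_ID = "11111111-2222-3333-4444-555555555555"          # AppID (Client ID), constructed
REALM = "66666666-7777-8888-9999-000000000000"              # ACS / Office 365 realm, constructed
SP_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"       # SharePoint's well-known principal id

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_context_token(claims: dict, app_secret: str) -> str:
    """Mimic ACS (step 3): an HS256 JWT keyed with the Base64-decoded AppSecret."""
    head = _b64url(b'{"typ":"JWT","alg":"HS256"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(base64.b64decode(app_secret), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def read_and_validate_context_token(token: str, app_secret: str, expected_aud: str, now=None) -> dict:
    """Step 6: verify signature, alg, audience and time window before trusting any claim."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    want = hmac.new(base64.b64decode(app_secret), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):        # constant-time compare
        raise ValueError("signature does not verify under this AppSecret")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg in token header")
    claims = json.loads(_unb64url(body))
    if claims.get("aud") != expected_aud:                     # issued for this App and host?
        raise ValueError("token was issued for a different App or host")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token outside its nbf/exp window")
    return claims

def acs_refresh_request(claims: dict, client_id: str, app_secret: str, sp_host: str, realm: str) -> dict:
    """Form body the Client App POSTs to ACS to trade the refresh token for an OAuth token (step 6 -> 7)."""
    return {"grant_type": "refresh_token",
            "client_id": f"{client_id}@{realm}",
            "client_secret": app_secret,
            "refresh_token": claims["refreshtoken"],
            "resource": f"{SP_PRINCIPAL}/{sp_host}@{realm}"}

def demo(now: int = 1500) -> dict:
    # Round trip on constructed data: ACS-style issue -> App-side validation -> ACS request body.
    aud = f"{CLIENT_ID}/app.contoso.example@{REALM}"
    token = sign_context_token({"aud": aud, "nbf": 1000, "exp": 2000, "refreshtoken": "constructed-refresh-token"}, APP_SECRET)
    claims = read_and_validate_context_token(token, APP_SECRET, aud, now)
    return acs_refresh_request(claims, CLIENT_ID, APP_SECRET, "sharepoint.contoso.example", REALM)
```

The same checks are what a real App must do in its POST handler; skipping the signature or audience check means any page that can POST to the App URL can inject a token of its choosing.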

Note: ACS and OAuth can be used in Office 365 and in On-Premise farms. Trusts to ACS are already configured for Office 365 sites. On-Premise farms require explicit configuration.
