Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
1. Building SharePoint 2013 Apps - Architecture, Authentication & Connectivity API
Radi Atanassov
SharePoint MCM & MVP
OneBit Software Ltd.
2. Who’s this guy?
• Radi Atanassov
• SharePoint 2010 MCM
• SharePoint Server MVP
• OneBit Software Ltd.
• Web Platform User Group
@RadiAtanassov
3. This talk is about…
• How “apps” work
• The App infrastructure
• App authentication
• Connectivity
4. SharePoint’s extensibility history
• 2001…
• 2003… CAML?!?
• 2007 – The SharePoint OM & UI enhanced…
– Greater complexity & greater flaws
– But still a strong “platform” we all love
• 2010 – Service Applications, Ribbon, Sandbox
• 2013 – Apps & the marketplace, On-Premise Apps
5. Why is the App Model important to us?
• Cost to the business
– We don’t want SP projects to be expensive
– We want more value for the same budget
• SharePoint cannot be “fixed”
– Cannot replace the DB schema
– Cannot rewrite the OM
• Microsoft’s preferred approach moving forward
– We’ve been doing it for years
• Office now releases every 3 months
6. What is an “App” anyway?
• The new word for iFrame
• Another way of providing functionality, but keeping custom code outside of SharePoint
• Functionality you can buy from a marketplace
• A huge marketing stunt to drive adoption
• The infrastructure, plumbing, authentication model & framework to do things we did for a while
7. Why is authentication important to us?
• So we don’t look like we don’t know what we are doing!
• We are moving to the CLOUD…
• We need to integrate with Exchange 2013, Lync 2013 and custom Apps
• We need to understand & design hybrid deployments
• You can’t have “Apps” without authentication
• It matters when you do on-premises or hybrid Apps
9. Recap - App Hosting Models
• Provider-hosted app: SharePoint host web + your hosted site
– Provide your own hosting environment
• Autohosted app: SharePoint host web + Azure
– Windows Azure + SQL Azure provisioned automatically as apps are installed
• Cloud-hosted apps (provider-hosted and autohosted)
– Use server code
– Receive SP events
– Use OAuth to access SP
• SharePoint-hosted app: SharePoint host web + app web
– Provisions an isolated sub web on a host web
– Use SP artifacts & out-of-box web parts
– Use HTML & JavaScript for UI & client-side logic
– Use Workflows for middle tier logic
10. Recap - App Shapes
• Full page
– Implement complete app experiences to satisfy business scenarios
• App Parts
– Create app parts that can interact with the SharePoint experience
• UI command extensions
– Add new commands to the ribbon and item menus
11. Recap - App Package
[Diagram: the .app Package (OPC) contains a WSP; it is deployed to the Host Web, the App Web (from WSP) and Azure]
Slide courtesy of Mike Morton
13. The App Domain - *.contosoapps.com
• You should use a unique domain name, not a subdomain
• Only one in the farm!
• Prevents XSS attacks and script injection into the parent
• Prevents cookie information leaking
• Separates Apps from SharePoint sites, aka “app isolation”
• The reason why AAM’s don’t work with Apps
• Use SSL, even on dev environments!
• Should use wildcard certificates on a dedicated web application
• The app domain should be in the Internet or Restricted sites security zone in Internet Explorer
• Wildcard DNS should point to the load balancer
14. The App URL - *.contosoapps.com
• https://{appPrefix}-{UID}.{appdomain}/{appName}
• In MT scenarios each tenant has their own {appPrefix}
• {UID} comes from the subscription service
• {appName} - the App name
• https://app-73ff422090f6f4.mcmapps.com/SharePointApp2
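The two slides above give the app URL pattern and the rule that the app domain must be its own domain rather than a subdomain of the SharePoint web application. The script below is an added example (not from the deck or from Microsoft) that parses a URL of the form https://{appPrefix}-{UID}.{appdomain}/{appName} and then checks the isolation rule: it flags an app domain that is the SharePoint host, a subdomain of it, or shares its registrable domain, because a cookie scoped to the parent domain would be sent to both origins. The hostnames sharepoint.contoso.com and apps.contoso.com are constructed; the regex assumes a hex {UID} and a hyphen-free {appPrefix}, and the registrable-domain helper is a two-label approximation rather than a public-suffix-list lookup.

```python
"""Parse SharePoint 2013 app URLs and check the app-domain isolation rule.

Added example, not part of the original deck. URL pattern from the slide:
    https://{appPrefix}-{UID}.{appdomain}/{appName}
Host names used in the tests below (sharepoint.contoso.com, apps.contoso.com)
are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumption: {appPrefix} has no hyphen and {UID} is hex, as in the slide's example.
_APP_HOST = re.compile(
    r"^(?P<prefix>[a-z0-9]+)-(?P<uid>[a-f0-9]+)\.(?P<domain>[a-z0-9.-]+)$", re.I
)


def parse_app_url(url):
    """Return the {appPrefix, UID, appdomain, appName} parts of an app URL.

    Raises ValueError if the scheme is not https or the host/path shape is wrong.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError("app URLs must use https (SSL, even on dev environments)")
    m = _APP_HOST.match(parts.hostname or "")
    if not m:
        raise ValueError(
            f"host {parts.hostname!r} is not of the form {{appPrefix}}-{{UID}}.{{appdomain}}"
        )
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        raise ValueError("missing {appName} path segment")
    return {
        "appPrefix": m.group("prefix"),
        "UID": m.group("uid"),
        "appdomain": m.group("domain").lower(),
        "appName": segments[0],
    }


def is_valid_app_url(url):
    """Boolean wrapper around parse_app_url for quick checks."""
    try:
        parse_app_url(url)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: good enough for the isolation check here; a production check
    would consult the public suffix list (e.g. for co.uk-style suffixes).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_app_domain_isolation(app_domain, sharepoint_host):
    """Return a list of findings explaining why the app domain is not isolated.

    An empty list means the app domain is a separate registrable domain, so
    cookies set for the SharePoint web application (or its parent domain)
    are never sent to app webs, and the two are different origins for script.
    """
    findings = []
    app = app_domain.lower().rstrip(".")
    sp = sharepoint_host.lower().rstrip(".")
    if app == sp:
        findings.append("app domain is identical to the SharePoint host")
    elif app.endswith("." + sp) or sp.endswith("." + app):
        findings.append(
            "app domain is a subdomain of the SharePoint host (or vice versa): "
            "cookies scoped to the parent domain leak to the child"
        )
    elif _registrable(app) == _registrable(sp):
        findings.append(
            "app domain shares a registrable domain with the SharePoint host: "
            "a cookie scoped to that parent domain would be sent to both"
        )
    return findings


if __name__ == "__main__":
    url = "https://app-73ff422090f6f4.mcmapps.com/SharePointApp2"
    print(parse_app_url(url))
    print(check_app_domain_isolation("mcmapps.com", "sharepoint.contoso.com"))
    print(check_app_domain_isolation("apps.contoso.com", "sharepoint.contoso.com"))
```

Run against the slide's example URL, the parser returns prefix `app`, UID `73ff422090f6f4`, domain `mcmapps.com` and app name `SharePointApp2`; an app domain such as `apps.contoso.com` next to `sharepoint.contoso.com` is reported, while a separate domain like `contosoapps.com` passes.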
29. App security concerns
• A new attack vector, old attack principles
• A provider hosted app can be “upgraded” by the provider. Do you trust your vendor?
• Script injection and in-flight modification
• SSL is important!
• Many more…
30. References
• Explore the app manifest and the package of an app for SharePoint - http://msdn.microsoft.com/en-us/library/fp179918.aspx
• URL strings and tokens in apps for SharePoint - http://msdn.microsoft.com/en-us/library/jj163816.aspx
• OAuth authentication and authorization flow for cloud-hosted apps in SharePoint 2013 - http://msdn.microsoft.com/en-us/library/fp142382.aspx
• How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic) - http://msdn.microsoft.com/en-us/library/office/apps/fp179901.aspx
• How to: Package and publish high-trust apps for SharePoint 2013 - http://msdn.microsoft.com/en-us/library/office/apps/jj860570.aspx
31. Key takeaways
• You should definitely look into SharePoint Apps!
• Do your best to understand authentication now
• Complex cloud scenarios will come