1. Building SharePoint 2013 Apps - Architecture,
Authentication & Connectivity API
Radi Atanassov
SharePoint MCM & MVP
OneBit Software Ltd.

2. Who’s this guy?
• Radi Atanassov
• SharePoint 2010 MCM
• SharePoint Server MVP
• OneBit Software Ltd.
• Web Platform User Group
@RadiAtanassov

3. This talk is about…
• How “apps” work
• The App infrastructure
• App authentication
• Connectivity

4. SharePoint’s extensibility history
• 2001…
• 2003… CAML?!?
• 2007 – The SharePoint OM & UI enhanced…
– Greater complexity & greater flaws
– But still a strong “platform” we all love
• 2010 – Service Applications, Ribbon, Sandbox
• 2013 – Apps & the marketplace, On-Premise Apps

5. Why is the App Model important to us?
• Cost to the business
– We don’t want SP projects to be expensive
– We want more value for the same budget
• SharePoint cannot be “fixed”
– Cannot replace the DB schema
– Cannot rewrite the OM
• Microsoft’s preferred approach moving forward
– We’ve been doing it for years
• Office now releases every 3 months

6. What is an “App” anyway?
• The new word for iFrame
• Another way of providing functionality, but keeping
custom code outside of SharePoint
• Functionality you can buy from a marketplace
• A huge marketing stunt to drive adoption
• The infrastructure, plumbing, authentication model
& framework to do things we did for a while

7. Why is authentication important to us?
• So we don’t look like we don’t know what we are doing!
• We are moving to the CLOUD…
• We need to integrate with Exchange 2013, Lync 2013 and
custom Apps
• We need to understand & design hybrid deployments
• You can’t have “Apps” without authentication
• It matters when you do on-premises or hybrid Apps

8. SharePoint Apps
APPTECTURE

9. Recap - App Hosting Models
Provider-hosted app SharePoint
Host Web Your Hosted Site
Provide your own hosting environment
Cloud-hosted apps
- Use server code
- Receive SP events
- Use OAuth to access SP
Autohosted app SharePoint
Host Web
Windows Azure + SQL Azure provisioned Azure
automatically as apps are installed
SharePoint-Hosted app SharePoint
Host Web
Provisions an isolated sub web on a host web
- Use SP artifacts & out-of-box web parts SharePoint App
- Use HTML & JavaScript for UI & client-side logic Web
- Use Workflows for middle tier logic

10. Recap - App Shapes
Full page
Implement complete app experiences
• to satisfy business scenarios
App Parts
Create app parts that can interact
with the SharePoint experience
UI command extensions
Add new commands to the ribbon and item
menus

11. Recap - App Package
Host
Web
.app Package (OPC)
App Web
WSP
(from WSP)
Azure
Slide courtesy of Mike Morton

12. App Manifest
<?xml version="1.0" encoding="utf-8" ?>
<!--Created:cb85b80c-f585-40ff-8bfc-12ff4d0e34a9-->
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
Name="SharePointApp1“ ProductID="{6a680846-ddff-4a3c-beb6-cb5705289d28}"
Version="1.0.0.0“ SharePointMinVersion="15.0.0.0">
<Properties>
<Title>SharePointApp1</Title>
<StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
<SupportedLocales>
<SupportedLocale CultureName="en" />
<SupportedLocale CultureName="en-AU" />
<SupportedLocale CultureName="bg" />
</SupportedLocales>
</Properties>
<AppPrincipal>
<RemoteWebApplication ClientId="*" />
</AppPrincipal>
<AppPermissionRequests>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
</AppPermissionRequests>
<AppPrerequisites>
<AppPrerequisite Type="Capability" ID="A83C8D70-71DE-4260-9FB8-677418EB47F2" />
</AppPrerequisites>
</App>

13. The App Domain - *.contosoapps.com
• You should use a unique domain name, not a subdomain
• Only one in the farm!
• Prevents XSS attacks and script injection into the parent
• Prevents cookie information leaking
• Separates Apps from SharePoint sites, aka “app isolation”
• The reason why AAM’s don’t work with Apps
• Use SSL, even on dev environments!
• Should use wildcard certificates on a dedicated web application
• The app domain should be in the Internet or Restricted sites security zone
in Internet Explorer
• Wildcard DNS should point to the load balancer

14. The App URL - *.contosoapps.com
• https://{appPrefix}-{UID}.{appdomain}/{appName}
• In MT scenarios each tenant has their own
{appPrefix}
• {UID} comes from the subscription service
• {appName} - the App name 
• https://app-73ff422090f6f4.mcmapps.com/ SharePointApp2

15. DEMO
REVIEW APP SETUP

16. SharePoint Apps
AUTHENTICATION WITH OFFICE 365

17. SharePoint OAuth & Office 365

18. DEMO
OAUTH IN ACTION – OFFICE 365

19. OAuth-authenticated request –
Context Token
<form id="frmRedirect"
action="https://localhost:44301/Pages/Default.aspx?SPHostUrl=...;SPLanguage=en....."
method="post">
<input type="hidden" name="SPAppToken" value="eyJ0eXAiOiJKV…CnQ" />
<input type="hidden" name="SPSiteUrl" value="https://onebitdev5.sharepoint.com" />
<input type="hidden" name="SPSiteTitle" value="OneBit Software Ltd. Team Site" />
<input type="hidden" name="SPSiteLogoUrl" value="" />
<input type="hidden" name="SPSiteLanguage" value="en-US" />
<input type="hidden" name="SPSiteCulture" value="en-US" />
<input type="hidden" name="SPRedirectMessage" value="EndpointAuthorityMatches" />
<input type="hidden" name="SPErrorCorrelationId" value="" />
<input type="hidden" name="SPErrorInfo" value="" />
</form>

20. Decoded JWT token
{
"typ":"JWT",
"alg":"HS256“
}
Audience
{
"aud":"ded48005-1c15-416e-a84b-9b1b0fb5a50e/localhost:44301@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
"iss":"00000001-0000-0000-c000-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
"nbf":"1360231739", Issuer
"exp":"1360274939",
"appctxsender":"00000003-0000-0ff1-ce00-000000000000@8822364f-0b55-48a9-88f8-1b1fcc2e5e89",
"appctx":"{"CacheKey":"jE7itw4EgtsIxnejiJ20ldz4VUVQagnkh5A+tShdjTU=","SecurityTokenServiceUri":"htt
ps://accounts.accesscontrol.windows.net/tokens/OAuth/2"}","refreshtoken":"IAAAALi3Arn…",
"isbrowserhostedapp":"true“
}

21. Context Token in POST
• POST https://onebitdev5.sharepoint.com/_vti_bin/client.svc/ProcessQuery HTTP/1.1
• Authorization: Bearer eyJ0eXAiOiJKV1QiLC…iKlpA
• Content-Type: text/xml Access Token inside
• Host: onebitdev5.sharepoint.com
• Content-Length: 615
• Expect: 100-continue
• Accept-Encoding: gzip, deflate
• <Request AddExpandoFieldTypeSuffix="true" SchemaV….

22. Oauth 2.0 Request
{
grant_type=refresh_token
client_id=ded48005-1c15-416e-a84b-9b1b0fb5a50e%408822364f-0b55-48a9-88f8-1b1fcc2e5e89
client_secret=9hU432522%2fupFTP7ogz6pw7IgsbY8JpW1JFjgHCcegs%3d
refresh_token=IAAAALi3…ifDZwbNk
resource=00000003-0000-0ff1-ce00-000000000000%2fonebitdev5.sharepoint.com%408822364f-0b55-48a9-
88f8-1b1fcc2e5e89
}

23. Oauth 2.0 Response
{
"token_type":"Bearer",
"access_token":"eyJ0eXAiOiJKV1Q…phfQ",
"expires_in":"43199",
"not_before":"1360233350",
"expires_on":"1360276550",
"resource":00000003-0000-0ff1-ce00-000000000000/onebitdev5.sharepoint.com@8822364f-0b55-48a9-88f8-
1b1fcc2e5e89
}

24. SharePoint Apps
OAUTH IN ACTION – ON-PREMISES

25. Server-to-Server Trust
• Trusted connection between app and SharePoint
– Eliminates need for ACS when running apps in on-premises farm
– Trust between servers configured using SSL certificates
– App code requires access to private key of SSL certificate
– Requires creating Security Token Service on SharePoint server(s)
S2S STS
1
3 4
2
SSL Cert
Public/Private
key pair (.pfx)

26. Developing High-Trust Apps
http://msdn.microsoft.com/en-us/library/fp179901.aspx

27. Terminology
• High-Trust
• Low-Trust
• Full-Trust
• Partial-Trust
• Server-2-Server Trust (S2S)…. Different from STS 
• Sandbox Solutions
• User Code Solutions 

28. Configuring Server-2-Server Trust for App Dev
DEMO

29. App security concerns
• A new attack vector, old attack principles
• A provider hosted app can be “upgraded” by the
provider. Do you trust your vendor?
• Script injection and in-flight modification
• SSL is important!
• Many more…

30. References
• Explore the app manifest and the package of an app for SharePoint
http://msdn.microsoft.com/en-us/library/fp179918.aspx
• URL strings and tokens in apps for SharePoint
http://msdn.microsoft.com/en-us/library/jj163816.aspx
• OAuth authentication and authorization flow for cloud-hosted apps in
SharePoint 2013
http://msdn.microsoft.com/en-us/library/fp142382.aspx
• How to: Create high-trust apps for SharePoint 2013 using the server-to-
server protocol (advanced topic)
http://msdn.microsoft.com/en-us/library/office/apps/fp179901.aspx
• How to: Package and publish high-trust apps for SharePoint 2013
http://msdn.microsoft.com/en-us/library/office/apps/jj860570.aspx

31. Key takeaways
• You should definitely look into SharePoint Apps!
• Do your best to understand authentication now
• Complex cloud scenario’s will come

32. Contact me
• radi@sharepoint.bg
• @RadiAtanassov
• Facebook: Radi Atanassov
• LinkedIn: http://au.linkedin.com/in/sharepointradi
• www.onebitsoftware.net
• Mobile: +359 878 823 339

33. Questions?
Please fill out the feedback stuff!
E-mail me: radi@sharepoint.bg

34. THANK YOU!
Please fill out the feedback stuff!
E-mail me: radi@sharepoint.bg