Securing SharePoint Apps Using OAuth 
Kashif Imran 
kashif_imran@hotmail.com
Agenda 
• Issues with SharePoint Development/Security in the Past 
• SharePoint Apps 
• Security Primer 
• App Authentication in SharePoint 2013 
• OAuth 
• OAuth Flow in SharePoint 2013 and Security Tokens 
• Managing App Principals 
• Questions
Issues with SharePoint Security 
• Farm Solutions 
• Runs within the SharePoint worker process (w3wp.exe) 
• Access to Server Object Model 
• By default runs with current user’s permission 
• Developer can use SPSecurity.RunWithElevatedPrivileges, which reverts code to the Windows identity of the host application pool 
• Farm stability issues 
• Installation and upgrade (iisreset) 
• Upgrade farm to newer version of SharePoint 
• Sandboxed Solutions 
• SPUCWorkerProcess.exe 
• Access to Server Object Model 
• Feature activation has full access to content (runs as site administrator) 
• Always runs as the current user; cannot use SPSecurity.RunWithElevatedPrivileges 
• Deprecated in SharePoint 2013 in favor of developing apps for SharePoint
SharePoint Apps 
• A web application that is registered with SharePoint using an app manifest 
• Customize and extend SharePoint without full-trust access 
• Get its own security principal 
• Interacts with SharePoint using Client Object Model/REST 
• Distributed as app package (.app) to the public marketplace or 
corporate app catalog 
• Installed at site or tenant scope 
• Any programming language/technology that can communicate with SharePoint via REST and OAuth
Types of SharePoint Apps 
• SharePoint-hosted 
• App resources stored in a child site known as the app web 
• App can only have client-side code 
• Cloud-Hosted 
• App resources deployed on a remote server known as the remote web 
• App can have both client-side and server-side code 
• 2 Types of Cloud-Hosted Apps 
• Autohosted (Hosted in Azure) 
• Provider-hosted (Deployed by provider)
Security Primer 
• Authentication (AuthN) 
• Authentication establishes an identity 
• SP 2010 supports user authentication 
• SP 2013 supports user and app authentication 
• Authorization (AuthZ) 
• Based on ACLs 
• Ensures the current principal has the proper permissions 
• SP 2010 supports permissions only for users 
• SP 2013 supports permissions for users and apps 
• Security Principal 
• An entity that is understood by a security system 
• An entity on which you can configure permission for resources 
• Examples: User in AD, FBA User, AD Group or FBA Role, SharePoint App
Claims-based Identity Model 
• Way for applications to acquire the identity information about internal or external users 
• Abstracts individual elements of identity and access control into “Notion of claims” and “Concept of issuer or an authority” 
• Applications do not need to authenticate users, store user accounts or passwords, etc. 
• The original intention behind the claims-based identity model was to enable federation between organizations, but claims are not just for federation 
• Claim 
• A statement that one subject (user or organization) makes about itself or another subject, e.g. name, group, ethnicity 
• Why call these “claims” and not “attributes”? The “delivery method”: the user delivers claims to the application instead of the application looking them up in some directory 
• Claims are NOT what a user can or cannot do; they are what a user is or is not 
• Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer 
• Issuer, Type, Value => (Google, Email, darwaish@gmail.com) 
• Security Token 
• Serialized set of claims that is digitally signed by the issuing authority (claims are unaltered and come from whoever signed in) 
• Successful outcome of sign in 
• SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)
Relying Party and STS 
• Relying Party (RP) 
• An application that relies on claims 
• Claims aware application 
• Claims-based application 
• Security Token Service 
• Service component that builds, signs and issues security tokens 
• Implicit authN (no token, no party) 
• WS-Trust, WS-Fed, SAML 
• IP-STS: 
• authenticates a client and creates SAML token 
• Façade for one or more identity stores 
• RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS) 
• Transforms tokens issued by another STS 
• Does not authenticate the client but relies on SAML token provided by IP-STS that it trusts 
• Façade for one boundary 
• Federation Patterns 
• Passive (Web Clients) WS-Trust emulated using GET, POST, redirects and cookies. 
• Active: Code to acquire tokens explicitly
Windows Identity Foundation (WIF) 
• .NET library encapsulating the inner workings of WS-Federation and WS-Trust 
• System.IdentityModel 
• System.IdentityModel.Services 
• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenticated, Name) 
• IClaimsPrincipal = IPrincipal + Identities 
• IClaimsIdentity = IIdentity + Claims 
• Claims: property bag, Subject, Issuer, OriginalIssuer, ClaimType, Value, ValueType
SharePoint Claims
App Authentication in SharePoint 2013 
• Apps are first-class security principals and are granted permissions separate from user permissions 
• Granted all or nothing; there is no hierarchy of permissions 
• App authentication is only supported in CSOM and REST API end points 
• App authentication is NOT supported in custom web service entry points 
• Apps have full rights against the app web and can request permissions for other webs 
• Full Control permission cannot be used for Office Store apps 
• Project Server permissions available if PWA is installed
Demo 
App Permissions
SP Permission Policies 
• App + User Policy 
• Both user and app require permission on the resource 
• App-Only Policy 
• Only app needs permissions on resource 
• Allow app code to elevate above permission of current user 
• Only supported for server-side code in cloud-hosted apps 
• AllowAppOnlyPolicy="true" in AppManifest.xml 
• Permission granted during install (all or nothing) 
• User Policy 
• Not used when app makes a call to SharePoint
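As an added example (not part of the deck, nor SharePoint SDK code), the following Python reviews an AppManifest.xml the way a catalog admin would before approving an install: it reads the AllowAppOnlyPolicy flag and every AppPermissionRequest, flags Full Control (which the Office Store does not permit) and the app-only plus high-rights combination that lets server-side code act above the current user, and shows the same manifest tightened to the least-privilege form. The manifest is constructed; the manifest XML namespace and the Scope/Right vocabulary are assumptions taken from the manifest schema rather than from the slides.

```python
import xml.etree.ElementTree as ET

# Constructed AppManifest.xml (not from the slides): one modest request plus the
# two settings the "SP Permission Policies" slide warns about.
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="ConstructedDemoApp" ProductID="{00000000-0000-0000-0000-000000000001}"
     Version="1.0.0.0">
  <Properties>
    <Title>Constructed Demo App</Title>
    <StartPage>~remoteAppUrl/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  </AppPermissionRequests>
</App>
"""

# Same app with the app-only policy switched off and the tenant-wide Full Control
# request removed: the least-privilege form a reviewer would ask for.
TIGHTENED_MANIFEST = SAMPLE_MANIFEST.replace(
    'AllowAppOnlyPolicy="true"', 'AllowAppOnlyPolicy="false"'
).replace(
    '    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />\n', ""
)

# Assumed manifest namespace and the ordered rights vocabulary (Read < Write < Manage < FullControl).
NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
RIGHT_RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}


def parse_permission_requests(manifest_xml: str) -> dict:
    """Return the app-only flag and the list of (scope, right) pairs the app asks for."""
    root = ET.fromstring(manifest_xml)
    reqs = root.find("m:AppPermissionRequests", NS)
    if reqs is None:
        return {"allow_app_only": False, "requests": []}
    allow = reqs.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests = [(r.get("Scope"), r.get("Right")) for r in reqs.findall("m:AppPermissionRequest", NS)]
    return {"allow_app_only": allow, "requests": requests}


def review_manifest(manifest_xml: str, office_store: bool = False) -> list:
    """Findings to settle before install: permissions are granted all-or-nothing at
    install time, so every request is reviewed, not just the first one."""
    info = parse_permission_requests(manifest_xml)
    findings = []
    highest = max((RIGHT_RANK.get(right, 0) for _, right in info["requests"]), default=0)
    for scope, right in info["requests"]:
        if right == "FullControl":
            msg = f"FullControl requested on {scope}"
            if office_store:
                msg += " (not permitted for Office Store apps)"
            findings.append(msg)
    if info["allow_app_only"]:
        findings.append("AllowAppOnlyPolicy=true: server-side code can act above the current user's permissions")
        if highest >= RIGHT_RANK["Manage"]:
            findings.append("app-only policy combined with Manage/FullControl: app-only calls are not "
                            "constrained by any user's ACL")
    return findings


if __name__ == "__main__":
    for name, manifest in (("as submitted", SAMPLE_MANIFEST), ("tightened", TIGHTENED_MANIFEST)):
        print(name, "->", review_manifest(manifest, office_store=True) or "no findings")
```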
SP 2013 AuthN Flow for CSOM/REST Endpoint
Types of App Authentication in SharePoint 
• 3 basic types of app authentication 
• Internal authentication 
• External authentication using OAuth 
• Office 365 
• External authentication using S2S 
• On-premise
Internal Authentication 
• Used in client-side calls from pages in the app web or remote web which use the cross-domain library 
• Incoming calls require a SAML token holding an established user identity 
• Call targets unique domain of app web associated with an app 
• SharePoint maps target URL to instance of an app 
• App code is not required to create and manage security tokens
App Web 
• App by default has full permissions to read/write content to app web 
• No default permissions on any location in the SharePoint host environment 
• App.master provides UI to go back to host web 
• Isolated in its own private domain 
• https://{TenancyName}-{14 char App UID}.sharepoint.com/sites/{ParentSiteName}/{AppName}/ 
• http://apps-{UniqueID}.sp2013apps.local/sites/{ParentSiteName}/{AppName}/ 
• Why a private domain? 
• XSS: JavaScript code cannot call back to the host web 
• JavaScript does not run with the same established user identity as the host web 
• SharePoint sees JavaScript callbacks from the app web with unique URLs and can authenticate apps 
• {StandardTokens}: {HostUrl}, {AppWebUrl}, {Language} 
• Use Internal Authentication: App is not required to create/manage security tokens
Demo 
App Web and Internal Authentication
External Authentication 
• Calls to SP from server-side code running in remote web 
• Used for both OAuth and S2S 
• Incoming calls require access token with app identity 
• Access token can optionally carry user identity as well 
• Call can target any CSOM or REST endpoint in any site 
• App code is required to create and manage security tokens
Demo 
External Authentication
OAuth 
• Manage app permission on the web 
• OAuth.net 
• Internet protocol/spec for creating/mapping app identity 
• A cross platform, open protocol for authenticating apps 
• Internet standard used by Google, Facebook, Twitter 
• Authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user 
• SP2013 uses OAuth 2.0 (very different from OAuth 1.0) 
• The OAuth spec provides details on how to create access tokens 
• Used for external auth in Office 365 
• Delegated authorization codes or access tokens are issued by the OAuth STS (Windows Azure Access Control Service, ACS) 
• Remote web must communicate with ACS to obtain access tokens 
• Access tokens are passed to the SharePoint host in CSOM or REST API calls 
• WS-Federation STS and SAML passive sign-in STS are primarily intended to issue sign-in tokens 
• In SP2013, the OAuth STS is used only for issuing context tokens and is not used as an identity provider
OAuth Concepts 
• Content Owner(s) 
• SharePoint user(s) who can grant permissions to site content 
• Content Server 
• SharePoint web server that hosts site with the content that is to be accessed 
• Client App/ClientID/AppID 
• Remote web that needs permissions to access site content 
• Authentication Server 
• Trusted service that provides apps with access tokens allowing access to content 
• Windows Azure ACS in the case of SP2013 apps
App Principals 
• Tenancy-scoped configuration for app identity 
• App principals must be registered with SharePoint and ACS 
• App Principal Properties 
• Client Id: GUID based identifier for app principal 
• Client Secret: Key to encrypt message between app and ACS 
• App Host Domain: Base URL of domain hosting remote web 
• Redirect URL: URL to a page used to configure security
Security Tokens used in OAuth 
• Context Token 
• Contextual information passed to app 
• JWT 
• Valid for 12 hours 
• Cache key: identifies a unique user (user, app, tenant) 
• Refresh Token 
• Used by client app to acquire an access token 
• Valid for 6 months 
• Access Token 
• Token passed by the app to SharePoint when using external authentication 
• Valid for 12 hours
OAuth Workflow in Office 365
Context Token
Access Token
Steps to use OAuth in O365 
• Create new Cloud-hosted app project 
• Register App Principal 
• Registration handled automatically in autohosted apps 
• Registration requires manual steps in provider hosted apps 
• Registration requires extra steps for apps published to the Office Store: the client ID/secret have to be obtained from the Seller Dashboard 
• App principal properties 
• Client ID: GUID of the app principal 
• Client secret: key used to encrypt messages sent between app and ACS 
• App host domain: base URL that defines the hosting domain for the remote web 
• Redirect URL: URL to a page used to configure on the fly security 
• Add code in remote web to manage tokens 
• Code required to retrieve access tokens from ACS 
• Explicit code required to add the access token to CSOM and REST API calls
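Added example, not the deck's code and not Microsoft's TokenHelper: it walks the "Security Tokens used in OAuth" and "Steps to use OAuth in O365" slides in Python, validating a constructed context token (an HS256 JWT with a 12-hour lifetime, audience, refresh token and CacheKey), then building the ACS refresh-token request and the Bearer header the remote web must add to every CSOM/REST call; as the claims primer puts it, a claim is trusted only as far as its issuer, which here means checking the signature before reading anything. The client id, secret, realm and host names are constructed; the SharePoint principal id, the ACS endpoint, the claim names and the use of the base64-decoded client secret as the HMAC key are assumptions modelled on TokenHelper.cs, and minting the token locally stands in for ACS.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed app principal values (NOT real credentials); they mirror the
# properties listed on the "App Principals" slide.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = base64.b64encode(b"constructed-demo-secret-32-bytes!").decode()
REALM = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # tenant id (ACS realm)
HOST_WEB = "contoso.sharepoint.com"               # SharePoint host the app calls
APP_HOST = "app.contoso-dev.local"                # app host domain of the remote web

# Well-known SharePoint principal id and ACS token endpoint as used by
# TokenHelper.cs; assumed here, the slides only name ACS.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_TOKEN_URL = "https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _sign(signing_input: bytes, client_secret: str) -> bytes:
    # HS256 over header.payload; the key is the base64-decoded client secret (assumed).
    return hmac.new(base64.b64decode(client_secret), signing_input, hashlib.sha256).digest()

def sample_context_claims(now: int) -> dict:
    """Constructed claims shaped like a SharePoint context token: 12 h lifetime,
    audience = client id / app host @ realm, refresh token and CacheKey inside."""
    return {
        "aud": f"{CLIENT_ID}/{APP_HOST}@{REALM}",
        "iss": f"00000001-0000-0000-c000-000000000000@{REALM}",   # ACS issuer id (assumed)
        "nbf": now,
        "exp": now + 12 * 3600,
        "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
        "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                              "SecurityTokenServiceUri": ACS_TOKEN_URL.format(realm=REALM)}),
        "refreshtoken": "constructed-refresh-token",
    }

def mint_context_token(claims: dict, client_secret: str) -> str:
    """Produce the JWT the way ACS would (used here only to create test input)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = _sign(f"{header}.{payload}".encode(), client_secret)
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_context_token(token: str, client_secret: str, expected_aud: str, now: int) -> dict:
    """Check algorithm, signature, audience and lifetime before trusting any claim.
    Raises ValueError on any failure; returns the verified claims otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg (reject 'none' and algorithm substitution)")
    expected_sig = _sign(f"{header_b64}.{payload_b64}".encode(), client_secret)
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature: not issued for this client secret")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch: token meant for another app or host")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return claims

def cache_key(claims: dict) -> str:
    """(user, app, tenant) key for caching the refresh token per user."""
    return json.loads(claims["appctx"])["CacheKey"]

def build_acs_refresh_request(claims: dict) -> tuple:
    """Form body the remote web POSTs to ACS to turn the 6-month refresh token
    into a 12-hour access token scoped to the SharePoint host web."""
    form = {
        "grant_type": "refresh_token",
        "client_id": f"{CLIENT_ID}@{REALM}",
        "client_secret": CLIENT_SECRET,
        "refresh_token": claims["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{HOST_WEB}@{REALM}",
    }
    return ACS_TOKEN_URL.format(realm=REALM), urlencode(form)

def bearer_header(access_token: str) -> dict:
    """The header every CSOM/REST call to the host web must carry explicitly."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_context_token(sample_context_claims(now), CLIENT_SECRET)
    verified = validate_context_token(token, CLIENT_SECRET, f"{CLIENT_ID}/{APP_HOST}@{REALM}", now)
    url, body = build_acs_refresh_request(verified)
    print("cache key:", cache_key(verified), "\nPOST", url, "\n", body)
    print(bearer_header("<access token returned by ACS>"))
```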
Demo 
OAuth Tokens and App Principal
Managing App Principals in O365 
• /_layouts/15/… 
• AppRegNew.aspx 
• AppInv.aspx 
• AppPrincipals.aspx 
• PowerShell for SharePoint Online to administer SharePoint apps and app principals
Questions 
• ???

 
SharePoint 2013 Branding
SharePoint 2013 BrandingSharePoint 2013 Branding
SharePoint 2013 BrandingKashif Imran
 
Enterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the CloudEnterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the CloudKashif Imran
 
Microsoft Azure WebJobs
Microsoft Azure WebJobsMicrosoft Azure WebJobs
Microsoft Azure WebJobsKashif Imran
 
Microsoft Azure - Introduction
Microsoft Azure - IntroductionMicrosoft Azure - Introduction
Microsoft Azure - IntroductionKashif Imran
 

Mais de Kashif Imran (8)

SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims Auth
 
SharePoint Client Object Model (CSOM)
SharePoint Client Object Model (CSOM)SharePoint Client Object Model (CSOM)
SharePoint Client Object Model (CSOM)
 
Develop iOS and Android apps with SharePoint/Office 365
Develop iOS and Android apps with SharePoint/Office 365Develop iOS and Android apps with SharePoint/Office 365
Develop iOS and Android apps with SharePoint/Office 365
 
SharePoint 2013 Branding
SharePoint 2013 BrandingSharePoint 2013 Branding
SharePoint 2013 Branding
 
Enterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the CloudEnterprise Content Management (ECM) in the Cloud
Enterprise Content Management (ECM) in the Cloud
 
Microsoft Azure WebJobs
Microsoft Azure WebJobsMicrosoft Azure WebJobs
Microsoft Azure WebJobs
 
Azure Websites
Azure WebsitesAzure Websites
Azure Websites
 
Microsoft Azure - Introduction
Microsoft Azure - IntroductionMicrosoft Azure - Introduction
Microsoft Azure - Introduction
 

Último

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Último (20)

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Securing SharePoint Apps with OAuth

1. Securing SharePoint Apps Using OAuth
Kashif Imran
kashif_imran@hotmail.com

2. Agenda
• Issues with SharePoint Development/Security in the Past
• SharePoint Apps
• Security Primer
• App Authentication in SharePoint 2013
• OAuth
• OAuth Flow in SharePoint 2013 and Security Tokens
• Managing App Principals
• Questions

3. Issues with SharePoint Security
• Farm Solutions
  • Run within the SharePoint worker process (w3wp.exe)
  • Access to the Server Object Model
  • By default run with the current user’s permissions
  • Developers can use SPSecurity.RunWithElevatedPrivileges, which reverts code to the Windows identity of the host application pool
  • Farm stability issues
  • Installation and upgrade require an iisreset
  • Complicate upgrading the farm to a newer version of SharePoint
• Sandboxed Solutions
  • Run in SPUCWorkerProcess.exe
  • Access to the Server Object Model
  • Feature activation has full access to content (runs as site administrator)
  • Always run as the current user; cannot use SPSecurity.RunWithElevatedPrivileges
  • Deprecated in SharePoint 2013 in favor of developing apps for SharePoint

4. SharePoint Apps
• A web application that is registered with SharePoint using an app manifest
• Customize and extend SharePoint without full-trust access
• Gets its own security principal
• Interacts with SharePoint using the Client Object Model/REST
• Distributed as an app package (.app) to the public marketplace or a corporate app catalog
• Installed at site or tenant scope
• Any programming language/technology that can communicate with SharePoint via REST and OAuth

5. Types of SharePoint Apps
• SharePoint-hosted
  • App resources stored in a child site known as the app web
  • App can only have client-side code
• Cloud-hosted
  • App resources deployed on a remote server known as the remote web
  • App can have both client-side and server-side code
  • 2 types of cloud-hosted apps
    • Autohosted (hosted in Azure)
    • Provider-hosted (deployed by the provider)

6. Security Primer
• Authentication (AuthN)
  • Authentication establishes an identity
  • SP 2010 supports user authentication
  • SP 2013 supports user and app authentication
• Authorization (AuthZ)
  • Based on ACLs
  • Ensures the current principal has the proper permissions
  • SP 2010 supports permissions only for users
  • SP 2013 supports permissions for users and apps
• Security Principal
  • An entity that is understood by a security system
  • An entity on which you can configure permissions for resources
  • Examples: user in AD, FBA user, AD group or FBA role, SharePoint app

7. Claims-based Identity Model
• A way for applications to acquire identity information about internal or external users
• Abstracts individual elements of identity and access control into the “notion of claims” and the “concept of an issuer or authority”
• Applications do not need to authenticate users, store user accounts or passwords, etc.
• The original intention behind the claims-based identity model was to enable federation between organizations, but claims are not just for federation
• Claim
  • A statement that one subject (user or organization) makes about itself or another subject, e.g. name, group, ethnicity
  • Why call these “claims” and not “attributes”? The delivery method: the user delivers claims to the application instead of the application looking them up in some directory
  • Claims are NOT what a user can or cannot do; they are what a user is or is not
  • Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer
  • Issuer, Type, Value => (Google, Email, darwaish@gmail.com)
• Security Token
  • A serialized set of claims that is digitally signed by the issuing authority (the claims arrive unchanged and come from whoever signed the token)
  • The successful outcome of sign-in
  • SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)

8. Relying Party and STS
• Relying Party (RP)
  • An application that relies on claims
  • Claims-aware application
  • Claims-based application
• Security Token Service (STS)
  • Service component that builds, signs and issues security tokens
  • Implicit authN (no token, no party)
  • WS-Trust, WS-Fed, SAML
  • IP-STS
    • Authenticates a client and creates a SAML token
    • Façade for one or more identity stores
  • RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS)
    • Transforms tokens issued by another STS
    • Does not authenticate the client but relies on the SAML token provided by an IP-STS that it trusts
    • Façade for one boundary
• Federation Patterns
  • Passive (web clients): WS-Trust emulated using GET, POST, redirects and cookies
  • Active: code to acquire tokens explicitly

9. Windows Identity Foundation (WIF)
• .NET library encapsulating the inner workings of WS-Federation and WS-Trust
• System.IdentityModel
• System.IdentityModel.Services
• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenticated, Name)
• IClaimsPrincipal = IPrincipal + Identities
• IClaimsIdentity = IIdentity + Claims
• Claim: a property bag with Subject, Issuer, OriginalIssuer, ClaimType, Value, ValueType

11. App Authentication in SharePoint 2013
• Apps are first-class security principals and are granted permissions separate from user permissions
• Granted as all or none; no hierarchy of permissions
• App authentication is only supported in CSOM and REST API endpoints
• App authentication is NOT supported in custom web service entry points
• Apps have full rights against the app web and can request permissions for other webs
• Full Control permission cannot be used for Office Store apps
• Project Server permissions are available if PWA is installed

13. SP Permission Policies
• App + User Policy
  • Both user and app require permission on the resource
• App-Only Policy
  • Only the app needs permissions on the resource
  • Allows app code to elevate above the permissions of the current user
  • Only supported for server-side code in cloud-hosted apps
  • AllowAppOnlyPolicy="true" in AppManifest.xml
  • Permission granted during install (all or nothing)
• User Policy
  • Not used when an app makes a call to SharePoint
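The two policies above as a decision function, written as an added example for this page (it is not code from the deck or from SharePoint). The AppManifest.xml fragment is constructed for illustration; its namespace, the AllowAppOnlyPolicy attribute and the AppPermissionRequest scope URIs follow the SharePoint 2013 manifest schema, while the app name, the placeholder ProductID and the granted/user permission sets are made-up sample data. It shows that an App-Only call can succeed where the same App+User call fails, and that App-Only is refused unless the manifest declared it.

```python
import xml.etree.ElementTree as ET
from typing import FrozenSet, List, Tuple

MANIFEST_NS = "http://schemas.microsoft.com/sharepoint/2012/app/manifest"

# Constructed AppManifest.xml fragment for illustration; the ProductID is a placeholder GUID.
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="ExampleExpenseApp" ProductID="{00000000-0000-0000-0000-000000000001}" Version="1.0.0.0">
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
  </AppPermissionRequests>
</App>
"""

Grant = Tuple[str, str]   # (scope URI, right)


def parse_manifest(xml_text: str) -> Tuple[bool, List[Grant]]:
    """Returns (AllowAppOnlyPolicy flag, requested (scope, right) pairs)."""
    root = ET.fromstring(xml_text)
    reqs = root.find(f"{{{MANIFEST_NS}}}AppPermissionRequests")
    if reqs is None:
        return False, []
    allow_app_only = reqs.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requested = [(r.get("Scope"), r.get("Right"))
                 for r in reqs.findall(f"{{{MANIFEST_NS}}}AppPermissionRequest")]
    return allow_app_only, requested


def grant_on_install(requested: List[Grant], trusted: bool) -> FrozenSet[Grant]:
    """Install-time grant is all or nothing: the installer cannot approve a subset."""
    return frozenset(requested) if trusted else frozenset()


def is_authorized(policy: str, app_grants: FrozenSet[Grant], user_perms: FrozenSet[Grant],
                  scope: str, right: str, allow_app_only: bool) -> bool:
    need = (scope, right)     # exact match; this example models no hierarchy of rights
    if policy == "app+user":
        # Both principals must hold the right; the app cannot exceed the user here.
        return need in app_grants and need in user_perms
    if policy == "app-only":
        if not allow_app_only:
            return False      # manifest did not declare AllowAppOnlyPolicy="true"
        return need in app_grants   # the user's own permissions are not consulted
    raise ValueError("the user policy is not used for calls made by an app")


def demo() -> dict:
    """Decisions for a constructed user who can read the web but not write lists."""
    allow_app_only, requested = parse_manifest(SAMPLE_MANIFEST)
    app_grants = grant_on_install(requested, trusted=True)
    web, lst = requested[0][0], requested[1][0]
    user_perms = frozenset({(web, "Read")})
    return {
        "app+user read web": is_authorized("app+user", app_grants, user_perms, web, "Read", allow_app_only),
        "app+user write list": is_authorized("app+user", app_grants, user_perms, lst, "Write", allow_app_only),
        "app-only write list": is_authorized("app-only", app_grants, user_perms, lst, "Write", allow_app_only),
        "app-only without manifest flag": is_authorized("app-only", app_grants, user_perms, lst, "Write", False),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The App-Only branch is the one to review most carefully in a real app: it is the only place where server-side code can act beyond what the signed-in user could do, so the manifest flag and the install-time grant together form the whole control.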
14. SP 2013 AuthN Flow for CSOM/REST Endpoint

15. Types of App Authentication in SharePoint
• 3 basic types of app authentication
  • Internal authentication
  • External authentication using OAuth (Office 365)
  • External authentication using S2S (on-premises)

16. Internal Authentication
• Used in client-side calls from pages in the app web, or from the remote web when it uses the cross-domain library
• Incoming calls require a SAML token holding an established user identity
• The call targets the unique domain of the app web associated with an app
• SharePoint maps the target URL to an instance of the app
• App code is not required to create and manage security tokens

17. App Web
• By default the app has full permission to read/write content in the app web
• No default permissions on any location in the SharePoint host environment
• App.master provides UI to go back to the host web
• Isolated in its own private domain
  • https://{TenancyName}-{14 char App UID}.sharepoint.com/sites/{ParentSiteName}/{AppName}/
  • http://apps-{UniqueID}.sp2013apps.local/sites/{ParentSiteName}/{AppName}/
• Why a private domain?
  • XSS: JavaScript code cannot call back to the host web
  • JavaScript does not run with the same established user identity as the host web
  • SharePoint sees JavaScript callbacks from the app web with unique URLs and can authenticate the app
• {StandardTokens}: {HostUrl}, {AppWebUrl}, {Language}
• Uses internal authentication: the app is not required to create/manage security tokens

18. Demo: App Web and Internal Authentication

19. External Authentication
• Calls to SharePoint from server-side code running in the remote web
• Used for both OAuth and S2S
• Incoming calls require an access token with an app identity
• The access token can optionally carry a user identity as well
• The call can target any CSOM or REST endpoint in any site
• App code is required to create and manage security tokens

21. OAuth
• Manages app permissions on the web (OAuth.net)
• Internet protocol/spec for creating/mapping an app identity
• A cross-platform, open protocol for authenticating apps
• Internet standard used by Google, Facebook, Twitter
• Authorizes requests by an app for SharePoint to access SharePoint resources on behalf of a user
• SP 2013 uses OAuth 2.0 (very different from OAuth 1.0)
• The OAuth spec provides details on how to create access tokens
• Used for external authentication in Office 365
• Delegated authorization codes or access tokens are issued by the OAuth STS (Windows Azure Access Control Service, ACS)
• The remote web must communicate with ACS to obtain access tokens
• Access tokens are passed to the SharePoint host in CSOM or REST API calls
• WS-Federation STS and SAML passive sign-in STS are primarily intended to issue sign-in tokens
• In SP 2013, the OAuth STS is used only for issuing context tokens and is not used as an identity provider

22. OAuth Concepts
• Content Owner(s)
  • SharePoint user(s) who can grant permissions to site content
• Content Server
  • SharePoint web server that hosts the site with the content that is to be accessed
• Client App / Client ID / App ID
  • Remote web that needs permissions to access site content
• Authentication Server
  • Trusted service that provides apps with access tokens allowing access to content
  • Windows Azure ACS in the case of SP 2013 apps

23. App Principals
• Tenancy-scoped configuration for an app identity
• App principals must be registered with SharePoint and ACS
• App Principal Properties
  • Client ID: GUID-based identifier for the app principal
  • Client Secret: key used to encrypt messages between the app and ACS
  • App Host Domain: base URL of the domain hosting the remote web
  • Redirect URL: URL to a page used to configure security

24. Security Tokens Used in OAuth
• Context Token
  • Contextual information passed to the app
  • JWT
  • Valid for 12 hours
  • Cache key: identifies the unique user (user, app, tenant)
• Refresh Token
  • Used by the client app to acquire an access token
  • Valid for 6 months
• Access Token
  • Token passed from the app to SharePoint when using external authentication
  • Valid for 12 hours

25. OAuth Workflow in Office 365

28. Steps to Use OAuth in O365
• Create a new cloud-hosted app project
• Register the app principal
  • Registration is handled automatically in autohosted apps
  • Registration requires manual steps in provider-hosted apps
  • Registration requires extra steps for apps published to the Office Store: the client ID/secret must be obtained from the Seller Dashboard
• App principal properties
  • Client ID: GUID of the app principal
  • Client secret: key used to encrypt messages sent between the app and ACS
  • App host domain: base URL that defines the hosting domain for the remote web
  • Redirect URL: URL to a page used to configure on-the-fly security
• Add code in the remote web to manage tokens
  • Code is required to retrieve access tokens from ACS
  • Explicit code is required to add the access token to CSOM and REST API calls
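The "manage tokens" step of slide 28, together with the signed-claim-set idea from the Security Token bullets of slide 7, as an added example in Python; it is not code from the deck and not Microsoft's TokenHelper. It mints a context token the way ACS does for a SharePoint 2013 app (HMAC-SHA256 over the JWT claims, keyed with the client secret), validates it the way the remote web must before trusting anything inside it (signature, issuer, audience, nbf/exp window), pulls out the cache key and the refresh token, builds the refresh-token grant that is POSTed to ACS, and forms the Bearer header for the CSOM/REST call. The claim names (appctx, refreshtoken, appctxsender, CacheKey, SecurityTokenServiceUri), the well-known ACS and SharePoint principal ids and the client_id/resource formats follow Microsoft's public TokenHelper sample and are assumptions here; the client id, realm, secret, host name and refresh token value are constructed placeholders. No network call is made.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed placeholders for this example (not real principals or secrets).
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REALM = "22222222-2222-2222-2222-222222222222"            # tenant (realm) id
CLIENT_SECRET = "example-client-secret-not-a-real-one"
HOST = "contoso.sharepoint.com"
# Well-known principal ids for SharePoint 2013 apps (assumed, from the TokenHelper sample).
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
ACS_TOKEN_URL = f"https://accounts.accesscontrol.windows.net/{REALM}/tokens/OAuth/2"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256(claims: dict, key: str) -> str:
    """Compact JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def issue_context_token(cache_key: str, refresh_token: str, now: int) -> str:
    """Stand-in for ACS: the context token is signed with the app's client secret."""
    claims = {
        "aud": f"{CLIENT_ID}/{HOST}@{REALM}",
        "iss": f"{ACS_PRINCIPAL}@{REALM}",
        "nbf": now,
        "exp": now + 12 * 3600,            # context tokens are valid for 12 hours
        "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
        "appctx": json.dumps({"CacheKey": cache_key,          # identifies (user, app, tenant)
                              "SecurityTokenServiceUri": ACS_TOKEN_URL}),
        "refreshtoken": refresh_token,     # valid for 6 months, used to obtain access tokens
        "isbrowserhostedapp": "true",
    }
    return jwt_hs256(claims, CLIENT_SECRET)


class InvalidToken(ValueError):
    pass


def validate_context_token(token: str, now: int) -> dict:
    """Checks the remote web must make before trusting anything inside the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("not a compact JWT")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")          # not minted with our client secret
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{REALM}":
        raise InvalidToken("untrusted issuer")
    if claims.get("aud") != f"{CLIENT_ID}/{HOST}@{REALM}":
        raise InvalidToken("audience mismatch")      # minted for another app or host
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise InvalidToken("token not yet valid or expired")
    return claims


def is_valid_context_token(token: str, now: int) -> bool:
    try:
        validate_context_token(token, now)
        return True
    except (ValueError, KeyError):          # InvalidToken, bad base64 and bad JSON all land here
        return False


def cache_key_of(claims: dict) -> str:
    return json.loads(claims["appctx"])["CacheKey"]


def access_token_request(claims: dict) -> tuple:
    """(URL, form body) of the refresh-token grant the remote web POSTs to ACS."""
    form = {
        "grant_type": "refresh_token",
        "client_id": f"{CLIENT_ID}@{REALM}",
        "client_secret": CLIENT_SECRET,
        "refresh_token": claims["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{HOST}@{REALM}",
    }
    return json.loads(claims["appctx"])["SecurityTokenServiceUri"], urlencode(form)


def bearer_header(acs_response_json: str) -> dict:
    """Header the app adds to each CSOM/REST call under external authentication."""
    return {"Authorization": "Bearer " + json.loads(acs_response_json)["access_token"]}
```

The audience check is what stops a context token minted for another app or another host from being accepted by this remote web, and the signature check is why the client secret must stay on the server: anyone holding it can mint tokens this code will trust. The exp check is the reason a context token cached under the user's cache key has to be renewed through the refresh token rather than reused after 12 hours.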
29. Demo: OAuth Tokens and App Principal

30. Managing App Principals in O365
• /_layouts/15/…
  • AppRegNew.aspx
  • AppInv.aspx
  • AppPrincipals.aspx
• PowerShell for SharePoint Online to administer SharePoint apps and app principals