OAuth in the world of SharePoint 2013

OAuth is the new buzz in the world of SharePoint 2013 app development. OAuth is not the protocol for authenticating users to SharePoint; that is still done by claims authentication. OAuth comes into the picture when we want to authenticate and authorize SharePoint 2013 apps.

OAuth is an internet protocol for creating and managing app identity. It is also a cross-platform mechanism for authenticating and authorizing apps. OAuth is an emerging internet standard used by Facebook, Twitter and Google.

OAuth gives the power and flexibility of having an app identity in addition to the user identity. Here are some pointers about app identity:

  • App should be granted permissions independently of user permissions
  • App can request specific permissions from the user during installation
  • App can be granted more permissions than the user (elevation)
  • App is constrained in what it can do during and after installation

Here are some important concepts around OAuth; you can see them diagrammatically in the image below.

1. Content Owner – the user who grants permission to content in a site

2. Client App – the remote app (running in a cloud or hosted environment) that needs permission to site content. In our case it is the SharePoint 2013 App

3. Content Server – the web server that serves the content to be accessed by the app. In our case it is the SharePoint 2013 server (cloud or on-premises)

4. Authentication Server – a trusted server that authenticates apps and creates OAuth tokens. In our case it is the Azure ACS server or another OAuth-compatible authentication server

OAuth protocol flow in SharePoint 2013

[Image WhatisOAuth1: OAuth protocol flow in SharePoint 2013]

Let’s see what happens in each step of the picture above.

Step 1 –> The user accesses the SharePoint 2013 portal and SharePoint 2013 authenticates the user using claims authentication

Step 2 –> SharePoint 2013 requests a Context Token for the user from Windows Azure ACS (Access Control Service)

Step 3 –> ACS returns the Context Token

Step 4 –> SharePoint 2013 passes the Context Token to the user

Step 5 –> The user accesses the app using the Context Token

Step 6 –> The Client App extracts the Refresh Token from the Context Token and requests an OAuth token from ACS

Step 7 –> ACS returns the OAuth token to the Client App

Step 8 –> The Client App makes CSOM/REST calls to the SharePoint site, passing the OAuth token

Step 9 –> SharePoint 2013 returns site content to the app based on the app’s permission manifest

Step 10 –> The Client App returns the app content to the user
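As an added illustration of step 6 from the app’s side (example code written for this page, not code from the post or from Microsoft’s TokenHelper), the following Python checks a context token before the refresh token inside it is used. It assumes the context token is an HS256 JWT signed with the app’s base64 client secret and carrying `aud`, `iss`, `nbf`, `exp` and `refreshtoken` claims; the client id, realm and secret are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not from the post): the app's client
# id, the SharePoint tenant realm and a base64-encoded client secret.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REALM = "66666666-7777-8888-9999-000000000000"
ACS_ISSUER_ID = "00000001-0000-0000-c000-000000000000"  # ACS principal id
CLIENT_SECRET = base64.b64encode(b"constructed-demo-secret-0123456789").decode()

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: str) -> bytes:
    key = base64.b64decode(secret)  # secret is base64; HMAC uses the raw bytes
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_context_token(claims: dict, secret: str) -> str:
    """Build an HS256 JWT the way ACS would (here only to produce demo input)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return header + "." + body + "." + _b64url_encode(_sign(header + "." + body, secret))

def validate_context_token(token: str, secret: str, host: str, now=None) -> dict:
    """Step 6, app side: check signature, lifetime, issuer and audience first."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or a foreign alg
        raise ValueError("unexpected alg")
    expected = _sign(header_b64 + "." + body_b64, secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    if claims.get("iss") != ACS_ISSUER_ID + "@" + REALM:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID + "/" + host + "@" + REALM:  # app + host
        raise ValueError("token issued for another app or host")
    return claims

def refresh_token_from(token: str, secret: str, host: str, now=None) -> str:
    """Only after validation is the embedded refresh token safe to send to ACS."""
    return validate_context_token(token, secret, host, now)["refreshtoken"]
```

A token that fails any of these checks should be rejected before the app ever talks to ACS, so a forged or replayed context token never turns into an OAuth token.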

Authentication Server

In order for an app to connect with your SharePoint environment, the ACS server must be trusted by the content server (i.e. your SharePoint 2013 environment) and by the third-party app. How SharePoint 2013 is made to trust and connect with ACS depends on which of two environments you are using:

  1. SharePoint Online

    OR

  2. SharePoint OnPrem

With SharePoint Online the trust is already created, so there is no extra work for you to connect a third-party app with OAuth to content in your SharePoint 2013 Online instance. With SharePoint OnPrem you need to set up this trust yourself, and that is not easy. If you have SharePoint Online Wave 14 then you are out of luck: no OAuth for you.

[Image WhatisOAuth2]


  1. SharePoint 2013 OnPrem with OAuth is tricky to set up:
    1. You need to connect it to Azure ACS, OR
    2. Create “High Trust” apps, which is usually done when you have everything (app and SharePoint servers) on your internal network.
  2. SharePoint 2013 Online is ready to go with OAuth:
    1. It is already integrated with Azure ACS
    2. You need to have SharePoint Online for this to work.
