This section begins with a brief
overview of the new Cloud App Model. This is followed by a discussion of the critical role that OAuth plays
in SharePoint 2013 authentication. The section concludes with two
examples that illustrate the use and process of app authentication,
including a detailed discussion of the OAuth process.
Cloud App Model
The new SharePoint 2013 Cloud App Model enables developers to provide solutions, called apps
in the new terminology, to extend the capabilities of SharePoint 2013.
The new app model
describes a new paradigm for a solution that is self-contained,
installs and uninstalls easily, does not negatively impact SharePoint
performance, is applicable to SharePoint 2013 on-premise or in the
cloud, and is easy to use. Like it or not, this is the new world. Two key points are pertinent to our discussion:
- SharePoint apps refer to complete solutions for customizing SharePoint 2013 that were created using the new app model.
- SharePoint apps require claims authentication on the SharePoint web application.
SharePoint apps can be obtained from one of two sources: the Office Store (sometimes also referred to as the SharePoint Store),
located publicly on the Internet and managed by Microsoft, and an
enterprise application store located inside the SharePoint 2013 farm
known as the app catalog. An app
catalog is created within a SharePoint 2013 web application. The
important point here is that these app locations are installation
points for the app; the app is not installed in the store. The store is
where administrators and any users with the proper permissions go to
install an app, or download the app for inclusion in the app catalog.
One of the key drivers for the new app model is
to ensure that SharePoint apps do not negatively affect the performance
of the SharePoint environment, and therefore they are applicable to
both on-premises environments owned by corporations, and public,
multi-tenant environments such as Office 365. This is accomplished by
not allowing any of the actual code from the app to be installed inside
the SharePoint environment; SharePoint does not host the app. The
SharePoint app is hosted in one of three places:
- Provider-hosted — This type of app
is hosted on a separate set of servers from the SharePoint farm. These
servers can be located on-premise as part of the corporate enterprise
or hosted in the cloud.
- Autohosted in Windows Azure — This
is only available for SharePoint 2013 online, which is part of Office
365. The app runs as a web role in Windows Azure, and uses ACS to
obtain the security token.
- SharePoint-hosted — The app is
hosted in a SharePoint 2013 website that is part of the site collection
where the app is installed. This has historically been referred to as a
subsite, but in the app model it is referred to as a subweb or app web.
In a multi-tenant scenario such as SharePoint 2013 Online, the app runs
in the app catalog.
The administrator should note that apps running
on-premise are either provider-hosted or SharePoint-hosted. Every
authentication method is supported by on-premises apps with one very
notable exception: SAML authentication is supported only for certain
identity providers.
OAuth
The flexibility of the app model means
that components of an application could be in SharePoint, on an app
server on the corporate intranet, or hosted on the public Internet. If
these components request secured SharePoint resources, then these
requests need to be authenticated. SharePoint 2013 uses OAuth 2.0 to
allow applications to access SharePoint resources in one of three ways:
- With the combined permissions of the application and the user
- With only the permissions of the application
- With only the permissions of the user
Resource access is enabled by defining a trust
relationship between the application and SharePoint 2013. If necessary,
it also uses a relationship between SharePoint 2013 and Windows Azure
Access Control Service (ACS). These trust relationships are very
similar to how SharePoint interacts with an STS in the user
authentication scenario. Note the following key points about OAuth’s
role in SharePoint authentication:
- OAuth enables users to approve an application to act on their behalf without sharing their username and password.
- OAuth is used only for access tokens that are used to retrieve data
from SharePoint 2013. In the context of the app model, this means it is
used to authorize app requests for SharePoint resources.
- App permissions are based on trust, and are granted upon initial installation of the app.
- Apps installed from the SharePoint Store can use ACS as their STS.
- OAuth is not used for user authentication.
- OAuth is used as part of the server-to-server authentication capability.
- OAuth is used as part of the “app authentication” process, which is discussed in the next section.
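The following Python is an added example, not code from the book or from SharePoint itself. It models the two points made above: the check SharePoint performs at the trust boundary when an app presents an access token (signature under the shared secret, trusted issuer, intended audience, validity window), and the three access modes (app + user, app only, user only). The claim names `user` and `app`, the HS256 shared-secret signing, and the issuer and audience strings are constructed simplifications for illustration; SharePoint's real token layout and claim names differ. The app + user rule is implemented as an intersection, reflecting SharePoint's documented policy that both the app and the user must hold a right for the request to succeed.

```python
"""Constructed model of an OAuth access token check and SharePoint-style
authorization policies. Claim names, secret and endpoints are invented
for this example; they are not SharePoint's wire format."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-client-secret"   # stands in for the app's client secret
ISSUER = "acs.example"                  # placeholder for the trusted STS (ACS)
AUDIENCE = "sharepoint.example"         # placeholder for the SharePoint farm


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Sign claims as a compact HS256 JWS; the STS side of the exchange."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, audience: str, issuer: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and lifetime all
    check out; raise ValueError otherwise. This is the resource server's
    (SharePoint's) side of the trust relationship."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return claims


def classify_policy(claims: dict) -> str:
    """Which of the three access modes the token represents.
    Constructed convention: 'user' names the user, 'app' names the app."""
    has_user, has_app = "user" in claims, "app" in claims
    if has_user and has_app:
        return "app+user"
    if has_app:
        return "app-only"
    if has_user:
        return "user-only"
    raise ValueError("token names neither a user nor an app")


def authorize(policy: str, app_perms: set, user_perms: set, needed: str) -> bool:
    """Effective rights under each policy. Under app+user BOTH principals
    must hold the right, so neither side can elevate the other."""
    if policy == "app+user":
        return needed in app_perms and needed in user_perms
    if policy == "app-only":
        return needed in app_perms
    if policy == "user-only":
        return needed in user_perms
    raise ValueError(f"unknown policy {policy}")


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "nbf": now - 60,
                        "exp": now + 600, "user": "alice", "app": "app-1"}, SECRET)
    claims = verify_token(token, SECRET, AUDIENCE, ISSUER)
    policy = classify_policy(claims)
    print(policy, authorize(policy, {"Read"}, {"Read", "Write"}, "Write"))
```

The interesting case is the last line: the user may write, the app may only read, so under the app + user policy the write is refused. That intersection is what keeps an over-privileged user from lending rights to a weakly permissioned app, and vice versa.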