APPLICATION AUTHENTICATION

Now that you understand what application identities are and how to create and set them up in SharePoint, you can take a look at how those identities are used as part of the authentication between applications and SharePoint.

Whenever an app that is subject to external authentication needs to make an API call into SharePoint it must first confirm it has a valid and usable set of authentication tokens to do so. The two key tokens are:

  • Context token
  • Access token

The context token is passed when an application is launched. It contains information about who the calling user is and details about the SharePoint site where the application was launched. The access token is used when an application makes a call to a SharePoint API.

Several steps make up the authentication flow when these two tokens are issued and used, but there are five main occurrences that make up high-level flow when a user launches an app in SharePoint:

1. User logs into SharePoint.
2. SharePoint gets a context token for the user.
3. Context token is passed to the app when launched.
4. App uses the context token to request an access token.
5. Access token is passed with API calls.

The full process for app authentication is slightly more complex, as shown in Figure 10-1. This detailed, step-by-step version of process is explained in the following steps:

FIGURE 10-1

image
1. User requests a SharePoint page with an App Part included.
2. SharePoint requests a context token from ACS for the user, including context information about the user and a refresh token that can be used for requesting access tokens.
3. ACS returns the signed context token to SharePoint.
4. SharePoint returns the page with an iFrame for the App Part, including the content token as a query string parameter on the URL for the iFrame source.
5. The browser renders the page and iFrame, and a request to the remote app is made to render the App Part iFrame contents. The context token is passed on the URL.
6. The app code validates the content token to ensure its authenticity using a shared secret that only the app and SharePoint/ACS know. The app then uses the refresh token to request an access token from ACS.
7. ACS returns an access token. These can be cached and used multiple times. The expiry time is provided in the token so the app knows when to request a new one.
8. The app makes an API call to SharePoint such as a CSOM call or REST API request. The access token is included in the authorization HTTP header.
9. The SharePoint API call returns the data requested.
10. The app renders the page content and the result is returned.
NOTE Both the context token and access tokens are Base64-encoded JavaScript Object Notation (JSON) objects that follow the JSON Web Token (JWT) format. If you are interested in viewing the full structure of the tokens you can Base64-decode the tokens, which gives you the JSON-formatted token.

In the case of SharePoint Online Azure Control Services (ACS), the STS is involved in creating both the context token and access tokens. In purely on-premises situations, SharePoint acts as the STS. You can find more on this topic later in this chapter in the “On-Premises App Authentication” section.

To assist with the various token-centric processes, such as validating tokens and requesting new ones from code, the default Visual Studio 2012 SharePoint application templates provide a helper class called TokenHelper. It wraps up the calls to ACS and so on to simplify the process for you.

The best way to illustrate some of the helper functions and classes that TokenHelper.cs provides is to walk through an example exercise, as follows.

TRY IT OUT: Using TokenHelper (Tokens.zip)
In this exercise you create a simple SharePoint Autohosted application and use the TokenHelper class to access the ContextToken passed. You can find the code for this exercise in the download package for this chapter in the file called Tokens.zip.
1. Create a new SharePoint app project in Visual Studio by choosing File ⇒ New ⇒ Project. Pick the App for SharePoint 2013 project template.
2. Name your app SharePointApp and click OK.
3. If required, specify the URL of your SharePoint online site for the site to use for debugging.
4. Ensure Autohosted is selected in the hosting type drop-down menu.
5. Click Finish.
6. Locate and open the TokenHelper.cs file.
7. Find the CreateJsonWebSecurityTokenHandler function and make the function public instead of private as follows: 
public static JsonWebSecurityTokenHandler CreateJsonWebSecurityTokenHandler()
8. Locate and open the Default.aspx.cs file.
9. Replace the Page_Load function with the following code: 
protected void Page_Load(object sender, EventArgs e)
{
    var contextToken = TokenHelper.GetContextTokenFromRequest(Page.Request);
    var hostWeb = Page.Request["SPHostUrl"];
 
    JsonWebSecurityTokenHandler tokenHandler = 
    TokenHelper.CreateJsonWebSecurityTokenHandler();
    SecurityToken securityToken = tokenHandler.ReadToken(contextToken);
    JsonWebSecurityToken jsonToken = securityToken as JsonWebSecurityToken;
    SharePointContextToken token = SharePointContextToken.Create(jsonToken);
 
    Response.Write("<b>Context Token:</b> " + contextToken);
    Response.Write("<b>STS:</b> " + token.SecurityTokenServiceUri);
}
10. Press F5 to run and debug the project.
11. If prompted to trust the application, click Trust It.
12. When presented with the list of apps in your site, locate and click your new application.
13. A Web page appears that contains the Base64-encoded context token and the URL of the STS that issued the token. In the case of ACS it is as follows: 
https://accounts.accesscontrol.windows.net/tokens/OAuth/2
14. Copy the ContextToken value to the clipboard.
15. In a new window, navigate to www.base64decode.org and paste the ContextToken into the Value to decode box.
16. Click Decode to decode the Base64-encoded string. A JSON representation of your ContextToken appears, and you can see where all the values passed are included.
How It Works
In this exercise you created a new application that accepted the ContextToken from SharePoint. You used the TokenHelper class to assist with decoding and parsing out the SharePointContextToken object. Contained within the decoded context token is information about the token, including the issuing party — in this case, Azure Access Control Services acting as the STS.

App and User Context in API Calls

SharePoint provides the ability for apps to make calls to SharePoint with access tokens that are either on behalf of a user or without user context, also known as app-only context. When an access token is used that is on behalf of a user, SharePoint treats the call as if the user is making the call. This means it is subject to the same permissions that user has. Additionally, an app can make an app-only call to SharePoint, which means no user context is passed and only the permissions that the app has been granted apply.

The TokenHelper class provides helper methods for getting each of these types of tokens. To get an access token that includes the calling user’s context, use the following method:

TokenHelper.GetAccessToken

To get an app-only access token, use the following method:

TokenHelper.GetAppOnlyAccessToken

See the “Application Authorization” section later in this chapter for more on app and user authorization and how permissions are determined by SharePoint.

Managing Tokens in Your Application

As previously mentioned, when an application is launched by a user a context token is passed to it. After this has happened it is up to the application to handle the tokens and potentially store them for future use or pass between app pages. These tasks are left to the application to manage because SharePoint has no knowledge of the inner workings of the application. The developer must decide how she wants to manage these tokens when the application passes them after it is launched. Some basic options are available, including the following:

  • Cache the token for a period of time.
  • Pass the token around as needed but don’t store it.

To assist with caching, the tokens provide a CacheKey and an expiry that can make caching more straightforward for the developer. The CacheKey is a property on the token that is unique to that particular token. It can be used, as the name suggests, as a primary key for that token in a cache of the developer’s choosing, such as ASP.NET application state. Additionally, the expiry time can be used in the application to flush the old tokens from the cache after they have expired.

CACHE THE REFRESH TOKEN
As part of the context token, SharePoint provides another token called a refresh token. This token is typically valid for six months and can be used to request access tokens for a particular user. This capability is very handy if your app needs to make calls into SharePoint as a particular user when the user isn’t using the app; for example, on a timed basis such as a timer job.

The following exercise walks through a simple example of how to use ASP.NET application state to cache the appropriate tokens so that they can be used between page requests.

TRY IT OUT: Caching Tokens (TokenCache.zip)
In this exercise you create an Autohosted application that, when run, receives and then caches the ContextToken using application state. You can find the code for this exercise in the download package for this chapter in the file called TokenCache.zip.
1. Create a new SharePoint App project in Visual Studio by choosing File ⇒ New ⇒ Project. Select the App for SharePoint 2013 project template.
2. Name your app SharePointTokenCacheApp and click OK.
3. If required, specify the URL of your SharePoint online site for the site to use for debugging.
4. Ensure Autohosted is selected in the hosting type drop-down menu.
5. Click Finish.
6. Locate and open the TokenHelper.cs file.
7. Find the CreateJsonWebSecurityTokenHandler function and make the function public instead of private as follows: 
public static JsonWebSecurityTokenHandler CreateJsonWebSecurityTokenHandler()
8. Locate and open the Default.aspx file and add the following code inside the <div> tags: 
<asp:Button ID="Button1" runat="server" Text="Process" OnClick="Button1_Click"/>
9. Locate and open the Default.aspx.cs file and replace the contents with the following code: 
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.IdentityModel.S2S.Tokens;
 
namespace SharePointTokenCacheAppWeb.Pages
{
    public partial class Default : System.Web.UI.Page
    {
 
        protected void Page_Load(object sender, EventArgs e)
        {
            if (!this.IsPostBack)
            {
                var contextToken = 
                TokenHelper.GetContextTokenFromRequest(Page.Request);
                var hostWeb = Page.Request["SPHostUrl"];
 
                JsonWebSecurityTokenHandler tokenHandler = 
                TokenHelper.CreateJsonWebSecurityTokenHandler();
                SecurityToken securityToken = tokenHandler.ReadToken(contextToken);
                JsonWebSecurityToken jsonToken = 
                securityToken as JsonWebSecurityToken;
                SharePointContextToken token = 
                SharePointContextToken.Create(jsonToken);
 
                Application[token.CacheKey] = contextToken;
 
                Button1.CommandArgument = token.CacheKey;
 
            }
        }
 
        protected void Button1_Click(object sender, EventArgs e)
        {
            var contextToken = 
            (string)Application[((Button) sender).CommandArgument];
            var hostWeb = Page.Request["SPHostUrl"];
 
            using (var clientContext = 
            TokenHelper.GetClientContextWithContextToken(hostWeb, contextToken, 
            Request.Url.Authority))
            {
                clientContext.Load(clientContext.Web, web => web.Title);
                clientContext.ExecuteQuery();
                Response.Write(clientContext.Web.Title);
                clientContext.ToString();
            }
        } 
    }
}
10. Press F5 to run and debug the project.
11. If prompted to trust the application, click Trust It.
12. When presented with the list of apps in your site, locate and click your new application.
13. A Web page appears with the Process button on it. Click the button. The page will display the Title of your Website.
How It Works
In this exercise you created a new application that cached the ContextToken passed to it in the ASP.NET application cache. It used the CacheKey property to uniquely key the token in the cache. This allowed subsequent page requests to locate the ContextToken in the cache and use it to make API calls to SharePoint. Without caching the ContextToken in this manner, subsequent page requests or postbacks wouldn’t include the ContextToken in the POST parameters and API calls wouldn’t be possible.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset