Handling Cross-Domain calls & authentication in SharePoint 2013


Transcript of Handling Cross-Domain calls & authentication in SharePoint 2013

Page 1: Handling Cross-Domain calls & authentication in SharePoint 2013


Handling Cross-Domain calls & authentication in SharePoint 2013

Stephane Eyskens

Page 2

About me

• SharePoint Server MVP since 2008

• Blog : http://www.silver-it.com

• @stephaneeyskens

Page 3

Poll

Who has already developed Apps for Customers?

Who has deployed an App to the Office Store?

Who has used CORS in a real-world project?

Page 4

Take Away

CORS is your friend

SharePoint X-DOM Libraries do not make X-DOM calls

HTML5 is your friend too

Everything is a question of HTTP Headers in the end

Page 5

Cross-Domain Challenges?

Same-Origin Policy

Authentication across domains isn’t easy

Page 6

Same-origin Policy reminder

http://intranet.contoso.com

http://collaboration.contoso.com:80/

Protocol, host, port: an origin is this triple, and a call is cross-domain as soon as any one of the three differs (here the host differs, so the two URLs are different origins even though protocol and port match).
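The slide's rule, carried through as an added example that is not part of the deck: a small check that compares two URLs on exactly the three components the same-origin policy looks at (protocol, host, port), treating an explicit default port such as ":80" on http as equal to no port at all. The two contoso hosts are the ones on the slide; the extra URLs are constructed test inputs.

```javascript
// Added example (not from the deck): decide whether two URLs share an origin
// under the same-origin policy, i.e. identical protocol, host and port.
// Uses only the standard URL API (Node.js or browser); no SharePoint dependency.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin triple. An explicit default port (":80" on http)
// is the same origin as no port at all, so the port is normalised.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// True only when all three components match; path, query and fragment
// play no role in the decision.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.protocol === ob.protocol && oa.host === ob.host && oa.port === ob.port;
}

// Which component breaks the match, for diagnostics; null when same-origin.
// Checked in the order protocol, host, port.
function originMismatch(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.protocol !== ob.protocol) return 'protocol';
  if (oa.host !== ob.host) return 'host';
  if (oa.port !== ob.port) return 'port';
  return null;
}

// The two hosts from the slide (sample input).
const INTRANET = 'http://intranet.contoso.com';
const COLLAB = 'http://collaboration.contoso.com:80/';

console.log(`${INTRANET} vs ${COLLAB}: same origin = ${isSameOrigin(INTRANET, COLLAB)}` +
            ` (mismatch on ${originMismatch(INTRANET, COLLAB)})`);
```

The normalisation matters in practice: a reverse-proxy or HTTP-module rule that compares origins as raw strings will treat `http://intranet.contoso.com` and `http://intranet.contoso.com:80` as different and reject a legitimate caller.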

Page 7

Same-Origin Policy Workaround #1

Using a Proxy

PROS

• Works with every browser

CONS

• One more hop

• Must handle scaling

• Not easy to authenticate against target domain

Page 8

Same-Origin Policy Workaround #2

JSONP

PROS

• None

CONS

• Is a browser hack

• In theory limited to GET unless you hack it even more

Page 9

Same-Origin Policy Workaround #3

Using a reverse proxy

• Browser requests http://intranet/fakeurl/someservice/

• Reverse-Proxy converts to http://target/someservice/

Page 10

Same-Origin Policy Workaround #3

Using a reverse proxy

PROS

• Works with every browser

• Possibility to forward authentication credentials using SiteMinder.

• Transparent auth if SSO is available

• No coding effort

CONS

• More of an on-prem solution

• Enterprise RP usually not available on dev boxes

Page 11

Demos

Reverse Proxy on a Dev Box

Page 12

Same-Origin Policy Workaround #4

IFRAMES

PROS

• Super easy

• No more cross domain

• Authentication is handled by the browser

CONS

• IFRAMES are set to same-origin by SP OOTB

• IFRAMES are not a real integration

Page 13

Demos

IFRAMES

Page 14

IFRAME Recap

• Remove x-frame-options or allow explicit origins via Reverse Proxy or HTTP Module

• Use <WebPartPages:AllowFraming runat="server" />
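What "allow explicit origins via Reverse Proxy or HTTP Module" amounts to, as an added example that is not code from the deck: a function that computes the framing headers for one response. It replaces SharePoint's out-of-the-box `X-Frame-Options: SAMEORIGIN` only for an allow-listed origin and falls back to `SAMEORIGIN` in every other case. The assumption (labelled in the code) is that the module learns which page is embedding the frame from the request's Referer header; the allow-list is constructed.

```javascript
// Added example (not from the deck): framing headers an HTTP module or
// reverse-proxy rule in front of SharePoint could emit instead of the
// out-of-the-box "X-Frame-Options: SAMEORIGIN".
// Assumption: the embedding page is identified from the Referer header of the
// framed request; when that is absent or unparseable we fail closed.

const ALLOWED_FRAMING_ORIGINS = ['https://collaboration.contoso.com']; // constructed allow-list

// Serialised origin (scheme://host[:port]) of the Referer, or null.
function originFromReferer(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch (e) {
    return null;
  }
}

// Returns the framing-related response headers for one request.
function framingHeaders(referer, allowed = ALLOWED_FRAMING_ORIGINS) {
  const origin = originFromReferer(referer);
  if (origin && allowed.includes(origin)) {
    return {
      // ALLOW-FROM takes exactly one origin, which is why it has to be chosen
      // per request rather than configured once.
      'X-Frame-Options': `ALLOW-FROM ${origin}`,
      // CSP frame-ancestors is the successor to X-Frame-Options and accepts a
      // list; emitting both covers browsers that only honour one of them.
      'Content-Security-Policy': `frame-ancestors 'self' ${origin}`,
    };
  }
  // Default: the SharePoint OOTB behaviour, same origin only.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}

console.log(framingHeaders('https://collaboration.contoso.com/pages/portal.aspx'));
console.log(framingHeaders(undefined));
```

The match is on the full serialised origin, so `http://collaboration.contoso.com` (different scheme) does not qualify, and a missing Referer yields `SAMEORIGIN` rather than an open policy.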

Page 15

Same-Origin Policy Workaround #5

HTML5 PostMessage API

Page 16

HTML5 PostMessage API

PROS

• Fast as a rocket

• Partially supported by all the browsers

• Authentication is handled by the browser

CONS

• IFRAMES are set to same-origin by SP OOTB

• Security Risks involved

• Hard to maintain

Page 17

Demos

HTML5 PostMessage API

Page 18

HTML5 PostMessage API Recap

• Remove x-frame-options or allow explicit origins

• In code, check the origin of the sender

• SharePoint 2013 already uses this API in CustomActions & popup windows
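The second bullet, "in code, check the origin of the sender", is where the security risk listed on page 16 is either closed or left open. The following is an added example (not code from the deck): a postMessage receiver that matches `event.origin` exactly against an explicit list, shown next to the substring check that is often written instead, plus a sender that names its target origin rather than using `*`. The handler takes any object with `origin` and `data`, so it can be exercised outside a browser; the trusted origin and the two commands are constructed.

```javascript
// Added example (not from the deck): receiving and sending side of the HTML5
// postMessage API with the origin check the recap calls for. "event" is any
// object with origin and data, which lets the handler run outside a browser.

const TRUSTED_ORIGINS = ['https://intranet.contoso.com']; // constructed allow-list

// Weak check, kept only for contrast: a substring test accepts any origin
// that merely contains the expected host name somewhere in its string.
function weakOriginCheck(origin) {
  return origin.indexOf('intranet.contoso.com') !== -1;
}

// Strict check: exact match of the serialised origin against the list.
function isTrustedOrigin(origin, trusted = TRUSTED_ORIGINS) {
  return trusted.includes(origin);
}

// Only a fixed set of commands is honoured; the payload is never evaluated.
const COMMANDS = {
  resize: (m) => ({ action: 'resize', height: Number(m.height) || 0 }),
  navigate: (m) => ({ action: 'navigate', path: String(m.path || '/') }),
};

// Message handler: returns the validated command for a trusted sender,
// null for an untrusted origin, malformed data or an unknown command.
function handleMessage(event, trusted = TRUSTED_ORIGINS) {
  if (!isTrustedOrigin(event.origin, trusted)) return null;
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return null;
  }
  if (!msg || typeof msg !== 'object') return null;
  const handler = COMMANDS[msg.command];
  return handler ? handler(msg) : null;
}

// Sending side: always state the intended target origin instead of "*", so the
// browser drops the message if the frame has navigated elsewhere.
function buildSend(targetWindow, targetOrigin) {
  return (payload) => targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Browser wiring (only runs where window exists).
if (typeof window !== 'undefined') {
  window.addEventListener('message', (ev) => {
    const cmd = handleMessage(ev);
    if (cmd) console.log('accepted', cmd);
  });
}
```

Keeping the command table closed and the origin list explicit is what turns the API from "security risks involved" into something maintainable: a new partner domain is one line in the list, and a message from anywhere else never reaches application logic.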

Page 19

Same-Origin Policy Workaround #6

SharePoint Cross-Domain Libraries

PROS

• OOTB

CONS

• Only usable in Apps

• Only targeting SharePoint OOB endpoints in an authenticated manner. Provider-Hosted Apps cannot do both CSOM & JSOM at the same time

• Non OOTB endpoints must be registered in AppManifest & are called anonymously

Page 20

Demos

I’m going to get you confused now

Page 21

Same-Origin Policy Workaround #7

CORS

Page 22

Same-Origin Policy Workaround #8

CORS

PROS

• Granular control on the server

• Possibility to forward authentication credentials

• Emerging standard (recently enabled on Azure Storage)

CONS

• Requires IE 10+

• Requires configuration efforts on the server

• Currently, not possible to enable CORS on o365

Page 23

Demo

• Consume custom REST services hosted inside of SharePoint

Page 24

CORS Config Recap

• Add the necessary HTTP Response Headers

• Use either a Reverse Proxy, a custom HTTP Module, a rewriter engine to deal with the headers

• Use the Access-Control-Max-Age header so the browser caches the preflight result instead of repeating the OPTIONS request.

• When using Access-Control-Allow-Credentials you can’t use * as Allowed Origin
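The four recap bullets, carried through as an added example that is not code from the deck or the author: the header logic a reverse proxy, HTTP module or rewriter would apply in front of SharePoint-hosted REST services, written as a pure function over the incoming request so it can be tested without IIS. The policy values (origins, methods, headers, cache lifetime) are constructed; the rules encoded are the ones the recap states, including the refusal to pair `Access-Control-Allow-Credentials` with `*`.

```javascript
// Added example (not from the deck): CORS response headers computed from the
// incoming request, the way an HTTP module / reverse proxy / rewriter rule
// in front of SharePoint would do it. Policy values below are constructed.

const CORS_POLICY = {
  allowedOrigins: ['https://intranet.contoso.com', 'https://collaboration.contoso.com'],
  allowedMethods: ['GET', 'POST', 'MERGE', 'DELETE'],
  allowedHeaders: ['Accept', 'Content-Type', 'X-RequestDigest'],
  allowCredentials: true, // forward the user's auth cookies across domains
  maxAgeSeconds: 600,     // how long the browser may cache the preflight result
};

// Catches the configuration mistake the recap warns about before it ships.
function validatePolicy(policy) {
  const errors = [];
  if (policy.allowCredentials && policy.allowedOrigins.includes('*')) {
    errors.push('Access-Control-Allow-Credentials requires explicit origins, not "*"');
  }
  if (policy.allowedOrigins.some((o) => o.endsWith('/'))) {
    errors.push('origins are scheme://host[:port] with no trailing slash or path');
  }
  return errors;
}

// method: HTTP method of the request; headers: lower-cased header map
// (the shape of Node's req.headers). Returns the headers to add to the response.
function corsHeaders(method, headers, policy = CORS_POLICY) {
  const origin = headers['origin'];
  if (!origin) return {};                                  // same-origin or non-browser client
  if (!policy.allowedOrigins.includes(origin)) return {};  // unknown origin: say nothing, browser blocks

  const out = {
    // Credentials forbid "*", so the specific origin is echoed back. Vary on
    // Origin so an intermediate cache never serves one origin's value to another.
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
  };
  if (policy.allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in headers;
  if (isPreflight) {
    const wanted = headers['access-control-request-method'].toUpperCase();
    if (!policy.allowedMethods.includes(wanted)) return {};
    out['Access-Control-Allow-Methods'] = policy.allowedMethods.join(', ');
    out['Access-Control-Allow-Headers'] = policy.allowedHeaders.join(', ');
    out['Access-Control-Max-Age'] = String(policy.maxAgeSeconds);
  }
  return out;
}

// Constructed sample traffic: a preflight for a MERGE from the intranet.
console.log(corsHeaders('OPTIONS', {
  origin: 'https://intranet.contoso.com',
  'access-control-request-method': 'MERGE',
  'access-control-request-headers': 'content-type, x-requestdigest',
}));
```

A rejected origin or method gets no CORS headers at all rather than an error body: the server response may still be produced, but without `Access-Control-Allow-Origin` the browser withholds it from the calling page, which is the behaviour the same-origin policy already provides.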

Page 25

CORS in a Hybrid Architecture

Page 26

DEMO

Page 27

How to consume Claims Aware WCF Services hosted outside of SharePoint?

• Make the WCF Claims Aware, create a cert, add it to the WCF bindings, export it

• Trust the cert in SP

• Use the SharePoint API (SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser)

• Not working with Cross-Domain Libs

• Not working with CORS (oops)

• Need to implement a custom proxy

Page 28

Alternative to CORS

Create your own REST endpoints

PROS

• Accessible from Apps

• Can be used together with SP Cross-Domain libraries

• Well integrated with SP

CONS

• OnPrem only

• Hard

Page 29

Foundation

_api/web, _api/site, _api/lists, _api/navigation, _api/events, _api/contextinfo

Server

_api/search, _api/SP.UserProfiles.PeopleManager, _api/social.feed, _api/social.following, _api/publishing, …

OOTB REST endpoints

• http://office.microsoft.com/en-us/store/rest-api-demo-WA104068939.aspx

• http://sprest.architectingconnectedsystems.com/

Page 30

Demo

• Develop custom REST endpoints

Page 31

Summary

• Cross Domain Libraries are not the only option

• All the other options work with and without Apps

• With Apps, some approaches « bypass » the App Security Model

• Extending REST endpoints is hard but facilitates authentication aspects

Page 32

THANK YOU

Stephane Eyskens

[email protected]

http://www.silver-it.com/

@stephaneeyskens