Securing SharePoint Apps with OAuth

31
Securing SharePoint Apps Using OAuth Kashif Imran [email protected]

description

Securing SharePoint apps with OAuth.

Transcript of Securing SharePoint Apps with OAuth

Page 1: Securing SharePoint Apps with OAuth

Securing SharePoint Apps Using OAuth

Kashif Imran

[email protected]

Page 2: Securing SharePoint Apps with OAuth

Agenda

• Issues with SharePoint Development/Security In the Past

• SharePoint Apps

• Security Primer

• App Authentication in SharePoint 2013

• OAuth

• OAuth Flow in SharePoint 2013 and Security Tokens

• Managing App Principals

• Questions

Page 3: Securing SharePoint Apps with OAuth

Issues with SharePoint Security

• Farm Solutions• Runs within the SharePoint workerprocess (w3wp.exe)• Access to Server Object Model• By default runs with current user’s permission• Developer can use SPSecurity.RunWithElevatedPrivileges that reverts code to Windows

identity of host application pool• Farm stability issues• Installation and upgrade (iisreset)• Upgrade farm to newer version of SharePoint

• Sandboxed Solutions• SPUCWorkerProcess.exe• Access to Server Object Model• Feature activation has full access to content (runs as site administrator)• Always runs as current user, can not use SPSecurity.RunWithElevatedPrivileges• Deprecated in SharePoint 2013 in favor of developing apps for SharePoint

Page 4: Securing SharePoint Apps with OAuth

SharePoint Apps

• A web application that is registered with SharePoint using an app manifest.

• Customize and extend SharePoint without full-trust access

• Get its own security principal

• Interacts with SharePoint using Client Object Model/REST

• Distributed as app package (.app) to the public marketplace or corporate app catalog

• Installed at site or tenant scope

• Any Programming language/technology that can communicate with SharePoint via REST and OAuth

Page 5: Securing SharePoint Apps with OAuth

Types of SharePoint Apps

• SharePoint-hosted• App resources stored in child

site known as (app web)• App can only have client-side code

• Cloud-Hosted• App resources deployed on remote server

known as remote web• App can have both client-side and

server-side code• 2 Types of Cloud-Hosted Apps

• Autohosted (Hosted in Azure)• Provider-hosted (Deployed by provider)

Page 6: Securing SharePoint Apps with OAuth

Security Primer

• Authentication (AuthN)• Authentication establishes an identity• SP 2010 supports user authentication• SP 2013 supports user and app authentication

• Authorization (AuthZ)• Based on ACL• Ensure current principal has the proper permissions• SP 2010 supports permission only for users• SP 2013 supports permission for users and apps

• Security Principal• An entity that is understood by a security system• An entity on which you can configure permission for resources• Examples: User in AD, FBA User, AD Group or FBA Role, SharePoint App

Page 7: Securing SharePoint Apps with OAuth

Claims-based Identity Model

• Way for applications to acquire the identity information about internal or external users

• Abstracts individual elements of identity and access control into “Notion of claims” and “Concept of issuer or an authority”

• Applications do not need to authenticate users, store user accounts or passwords, etc.

• Original intention behind the claims-based identity model was to enable federation between organization, but claims are not justfor federation

• Claim• Statement that one subject (user or organization) makes about itself of another subject. E.g.: name, group, ethnicity etc.• Why call these “claims” and not “attributes”? “Delivery method” => User delivers claims to application instead of application looking these up

in some directory• Claims are NOT what a user can or can not do, they are what a user is or is not• Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer• Issuer, Type, Value => (Google, Email, [email protected])

• Security Token• Serialized set of claims that is digitally signed by the issuing authority (Claims are unchanged and comes from whoever signed in)• Successful outcome of sign in• SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)

Page 8: Securing SharePoint Apps with OAuth

Relying Party and STS

• Relying Party (RP)• An application that relies on claims• Claims aware application• Claims-based application

• Security Token Service• Service component that builds, signs and issues security tokens• Implicit authN (no token, no party)• WS-Trust, WS-Fed, SAML• IP-STS:

• authenticates a client and creates SAML token• Façade for one or more identity stores

• RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS)• Transforms token issues by another STS• Does not authenticate the client but relies on SAML token provided by IP-STS that it trusts• Façade for one boundary

• Federation Patterns• Passive (Web Clients) WS-Trust emulated using GET, POST, redirects and cookies.• Active: Code to acquire tokens explicitly

Page 9: Securing SharePoint Apps with OAuth

Windows Identity Foundation (WIF)

• .NET library encapsulating the inner workings of WS-Federation and WS-Trust

• System.IdentityModel

• System.IdentityModel.Services

• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenicated, Name)

• IClaimsPrincipal = IPrincipal + Identities

• IClaimsIdentity = IIdentity + Claims

• Claims: Property bag, Subject, issuer, originalissuer, claimtype, value, valuetype

Page 10: Securing SharePoint Apps with OAuth

SharePoint Claims

Page 11: Securing SharePoint Apps with OAuth

App Authentication in SharePoint 2013

• App are first class security principals and granted permissions separate from user permission• Granted as all or none and No hierarchy of permission

• App authentication is only supported in CSOM and REST API end points

• App authentication is NOT supported in custom web service entry points

• Apps have Full rights against app web, can request permissions for other webs

• Full Control permission can not be used for OfficeStore apps

• Project Server permissions available if PWA is installed

Page 12: Securing SharePoint Apps with OAuth

DemoApp Permissions

Page 13: Securing SharePoint Apps with OAuth

SP Permission Policies

• App + User Policy• Both user and app require permission on the resource

• App-Only Policy• Only app needs permissions on resource

• Allow app code to elevate above permission of current user

• Only supported for server-side code in cloud-hosted apps

• AllowAppOnlyPolicy=“true” in AppManifest.xml

• Permission granted during install (all or nothing)

• User Policy• Not used when app makes a call to SharePoint

Page 14: Securing SharePoint Apps with OAuth

SP 2013 AuthN Flow for CSOM/REST Endpoint

Page 15: Securing SharePoint Apps with OAuth

Types of App Authentication in SharePoint

• 3 basic types of app authentication

• Internal authentication

• External authentication using OAuth• Office 365

• External authentication using S2S• On-premise

Page 16: Securing SharePoint Apps with OAuth

Internal Authentication

• Used in Client-side calls from pages in app web or remote web which use cross domain library

• Incoming calls require a SAML token holding an established user identity

• Call targets unique domain of app web associated with an app

• SharePoint maps target URL to instance of an app

• App code is not required to create and manage security tokens

Page 17: Securing SharePoint Apps with OAuth

App Web

• App by default has full permissions to read/write content to app web

• No default permissions on any location in the SharePoint host environment

• App.master provides UI to go back to host web

• Isolated in its own private domain• https://{ TenancyName}-{14 char App UID}. sharepoint.com/ sites/{ ParentSiteName}/{

AppName}/• http:// apps-{ UniqueID}. sp2013apps.local/ sites/{ ParentSiteName}/{ AppName}/

• Why Private Domain?• XSS: JavaScript code can not call back to host web• JavaScript do not run with the same established user identity as host web• SharePoint environment sees JavaScript callbacks from appweb with unique URLs and can

authenticate apps

• {StandardTokens}: { HostUrl}, {AppWebUrl}, { Language}

• Use Internal Authentication: App is not required to create/manage security tokens

Page 18: Securing SharePoint Apps with OAuth

DemoApp Web and Internal Authentication

Page 19: Securing SharePoint Apps with OAuth

External Authentication

• Calls to SP from server-side code running in remote web

• Used for both OAuth and S2S

• Incoming calls require access token with app identity

• Access token can optionally carry user identity as well

• Call can target any CSOM or REST endpoint in any site

• App code is required to create and manage security tokens

Page 20: Securing SharePoint Apps with OAuth

DemoExternal Authentication

Page 21: Securing SharePoint Apps with OAuth

OAuth

• Manage app permission on the web

• OAuth.net

• Internet protocol/spec for creating/mapping app identity

• A cross platform, open protocol for authenticating apps

• Internet standard used by Google, Facebook, Twitter

• Authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user

• SP2013 uses OAuth 2.0 (very different from OAuth 1.0)• OAuth specs provides details on how to create access tokens• Used for external auth in Office 365• Delegated authorization codes or access tokens are issues by OAuth STS (Windows Azure Control Services)• Remote web must communicate with ACS to obtain access tokens• Access tokens pass to SharePoint host in CSOM or REST API calls

• WS-Federation STS and SAML passive sign-in STS are primarily intended to issue sign-in tokens

• In SP2013, OAuth STS is uses only for issuing context tokens and not used as identity providers

Page 22: Securing SharePoint Apps with OAuth

OAuth Concepts

• Content Owner(s)• SharePoint user(s) who can grant permissions to site content

• Content Server• SharePoint web server that hosts site with the content that is to be accessed

• Client App/ClientID/AppID• Remote web that needs permissions to access site content

• Authentication Server• Trusted service that provides apps with access tokens allowing access to

content

• Windows Azure ACS in Sp2013 apps case

Page 23: Securing SharePoint Apps with OAuth

App Principals

• Tenancy-scoped configuration for app identity

• App principals must be registered with SharePoint and ACS

• App Principal Properties• Client Id: GUID based identifier for app principal

• Client Secret: Key to encrypt message between app and ACS

• App Host Domain: Base URL of domain hosting remote web

• Redirect URL: URL to a page used to configure security

Page 24: Securing SharePoint Apps with OAuth

Security Tokens used in OAuth

• Context Token• Contextual information passed to app• JWT• Valid for 12 hours• Cache key: identify unique user

(user, app, tenant)

• Refresh Token• Used by client app to acquire an access token• Valid for 6 months

• Access Token• Token passed to SharePoint to app

when using external authentication• Valid for 12 hours

Page 25: Securing SharePoint Apps with OAuth

OAuth Workflow in Office 365

Page 26: Securing SharePoint Apps with OAuth

Context Token

Page 27: Securing SharePoint Apps with OAuth

Access Token

Page 28: Securing SharePoint Apps with OAuth

Steps to use OAuth in O365

• Create new Cloud-hosted app project

• Register App Principal• Registration handled automatically in autohosted apps• Registration requires manual steps in provider hosted apps• Registration requires extra steps for apps published to Office Store. Have to get client

id/secret from Seller Dashboard

• App principal properties• Client ID: Guid or app principal• Clint secret: key used to encrypt message sent between app and ACS• App host domain: base url which defined hosting domain for remote web• Redirect URL: URL to a page used to configure on the fly security

• Add code in remote web to manage tokens• Code required to retrieve access tokens from ACS• Explicit code required to add access token to csom and rest api calls

Page 29: Securing SharePoint Apps with OAuth

DemoOAuth Tokens and App Principal

Page 30: Securing SharePoint Apps with OAuth

Managing App Principals in O365

• /_layouts/15/…

• AppRegNew.aspx

• AppInv.aspx

• AppPrincipals.aspx

• PowerShell for SPOnline to administer SharePoint apps and app principals

Page 31: Securing SharePoint Apps with OAuth

Questions

• ???