Mechanism of Provider Hosted Apps in SharePoint
The code for a provider-hosted app lies in the remote web. The remote web is a web application that is hosted outside the SharePoint server. For on-premises installations one needs to set up high trust between SharePoint and the remote web using certificates.
How should we call the web services for a provider-hosted app?
As the remote web and the SharePoint host site collection lie in different domains, you need to use the cross-domain library (SP.RequestExecutor) to make cross-domain calls to the SharePoint host site collection through its REST APIs.
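The cross-domain call described above, written out as an added example (this is not code from the original post or from Microsoft): it reads SPHostUrl and SPAppWebUrl from the query string SharePoint appends when it launches the app, addresses the host web through the app web with SP.AppContextSite(@target) because the cross-domain library only talks to the app web, and issues the request with SP.RequestExecutor. The helper names, the query string and the contoso URLs are assumptions made for the example; the request itself needs a browser page that has loaded SP.RequestExecutor.js, while the URL helpers run anywhere.

```javascript
// Added example, not from the original post: calling the SharePoint host web
// from a provider-hosted remote web through the cross-domain library.
// Assumptions (not in the original): the page was launched from SharePoint with
// SPHostUrl and SPAppWebUrl on the query string, and SP.RequestExecutor.js has
// been loaded from the app web. Only the URL helpers run outside a browser.

// Pull SPHostUrl / SPAppWebUrl out of a query string such as
// "?SPHostUrl=https%3A%2F%2Fhost.contoso.com&SPAppWebUrl=https%3A%2F%2Fapp-123.contoso.com".
function readSharePointUrls(search) {
  const params = new URLSearchParams(search);
  const hostUrl = params.get("SPHostUrl");
  const appWebUrl = params.get("SPAppWebUrl");
  if (!hostUrl || !appWebUrl) {
    throw new Error("SPHostUrl and SPAppWebUrl are required");
  }
  // Defender check: accept only absolute https URLs, so a tampered query
  // string cannot point the proxy call at an arbitrary origin.
  for (const u of [hostUrl, appWebUrl]) {
    if (new URL(u).protocol !== "https:") {
      throw new Error("non-https SharePoint URL: " + u);
    }
  }
  return {
    hostUrl: hostUrl.replace(/\/+$/, ""),
    appWebUrl: appWebUrl.replace(/\/+$/, ""),
  };
}

// Build the REST URL that routes a host-web request through the app web.
// The cross-domain library can only reach the app web, so the host web is
// named with SP.AppContextSite(@target) and the @target alias is appended.
function buildHostWebRestUrl(appWebUrl, hostUrl, resourcePath) {
  const target = encodeURIComponent("'" + hostUrl + "'");
  const sep = resourcePath.includes("?") ? "&" : "?";
  return appWebUrl + "/_api/SP.AppContextSite(@target)/" + resourcePath + sep + "@target=" + target;
}

// Issue the call with SP.RequestExecutor (browser only). Resolves with the
// titles of the host web's lists; rejects if the library is not loaded.
function getHostWebListTitles(search) {
  const { hostUrl, appWebUrl } = readSharePointUrls(search);
  const url = buildHostWebRestUrl(appWebUrl, hostUrl, "web/lists?$select=Title");
  return new Promise((resolve, reject) => {
    if (typeof SP === "undefined" || !SP.RequestExecutor) {
      reject(new Error("SP.RequestExecutor.js is not loaded on this page"));
      return;
    }
    const executor = new SP.RequestExecutor(appWebUrl);
    executor.executeAsync({
      url: url,
      method: "GET",
      headers: { Accept: "application/json;odata=verbose" },
      success: (data) => resolve(JSON.parse(data.body).d.results.map((l) => l.Title)),
      error: (xhr) => reject(new Error("REST call failed: " + xhr.statusText)),
    });
  });
}
```

In the remote web page you would call `getHostWebListTitles(window.location.search)` after SP.RequestExecutor.js has loaded; the https check is there because the host and app web URLs arrive from the query string, which the user controls.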
I’ll start with some briefing on OAuth and the key concepts we need to understand about it. OAuth is an internet protocol for creating and managing app identity. It is also a cross-platform mechanism for authenticating and authorizing apps, and it is the emerging internet standard used by Facebook, Twitter and Google.
OAuth gives the power and flexibility of having an app identity in addition to the user identity. Here are some pointers about app identity:
- An app should be granted permissions independently of the user's permissions
- An app can request specific permissions from the user during installation
- An app can be granted more permissions than the user (elevation)
- An app is constrained in what it can do during and after installation
Here are some important concepts around OAuth:
1. Content Owner – the user who grants permission to content in a site
2. Client App – the remote app (running in a cloud or hosted environment) that needs permission to site content. In our case it is the SharePoint 2013 app
3. Content Server – the web server that serves the content to be accessed by the app. In our case it is the SharePoint 2013 server (cloud or on-premises)
4. Authentication Server – a trusted server that authenticates apps and creates OAuth tokens. In our case it is the Azure ACS server or an OAuth-compatible authentication server
Let’s see what is happening in each step in the above picture.
Step 1 –> The user accesses the SharePoint 2013 portal and SharePoint 2013 authenticates the user using claims authentication
Step 2 –> SharePoint 2013 requests a context token for the user from Windows Azure ACS (Access Control Services)
Step 3 –> ACS returns the context token
Step 4 –> SharePoint 2013 passes the context token to the user
Step 5 –> The user accesses the app using the context token
Step 6 –> The client app pulls the refresh token out of the context token and requests an OAuth token from ACS
Step 7 –> The ACS server returns the OAuth token to the client app
Step 8 –> The client app makes CSOM/REST calls to the SharePoint site, passing the OAuth token
Step 9 –> SharePoint 2013 returns site content to the app according to the app's permission manifest
Step 10 –> The client app returns the app content to the user