Security & Identity Management Considerations for Application Development
There are various security, identity management, and authentication considerations when developing custom applications and related features in SharePoint 2013, Office 365, SharePoint Online, and Microsoft Azure.
You should always keep in mind SharePoint 2013’s “claims first” authentication architecture during your development, as well as in discussions with the business about their custom requirements.
Because SharePoint 2013 authenticates users with claims, a successful user authentication produces a claims token that carries name-value pairs about the token subject. These claims tokens are stored in memory using the FEDAUTH token format.
Overview of App Authentication
SharePoint 2013’s app authentication is supported in CSOM as well as in REST API endpoints but is not supported for custom web services.
Three types of app authentication are utilized by SharePoint 2013:
- Internal authentication
- External authentication using server-to-server trusts
- External authentication using OAuth
Internal authentication is utilized when an incoming call targets a CSOM or REST API endpoint or when an incoming call carries a claims token with an established user identity.
Internal authentication is also utilized when an incoming call targets the URL of an existing SharePoint 2013 app web. This authentication does not support app-only authentication to elevate privileges.
There is no programming effort required in terms of access tokens; internal authentication is automatically utilized with client-side calls from pages in the app web, and it can also be utilized from remote web pages that are using the cross-domain library.
External authentication, which covers both S2S and OAuth, is utilized by server-side code in the “remote web” that issues CSOM or REST API calls against the SharePoint host. The incoming calls can target the host web and other sites within your organization’s tenancy.
External authentication does require custom app code to create and manage access tokens that carry the app’s identity as well as the user’s identity, because the app must transmit an access token in the request header on every call it makes to SharePoint 2013.
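The remote web described above receives a token, should validate it, and then forwards an access token in the `Authorization` header of its CSOM/REST calls. The following is an added example, not code from the original article or from EPC Group: it builds a constructed HS256-signed JWT, checks its signature, audience and validity window, returns the claims as the name-value pairs the article mentions, and produces the bearer header. The claim names (`nameid`, `appid`), the audience string and the shared secret are all constructed for the demo; real SharePoint 2013 tokens carry more claims, and the signing key comes from the app registration, never from a literal in code.

```python
"""Added example (not the article's own code): validate a JWT-format token the
way a remote web should before forwarding an access token to SharePoint 2013.

Assumptions (constructed for this demo): the claim names, audience value and
shared secret below. Only the Python standard library is used.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the app's client secret.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256-signed JWT from constructed claims (demo issuer only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, expected_audience: str,
                   secret: bytes = DEMO_SECRET,
                   now: Optional[float] = None) -> dict:
    """Verify signature, audience and validity window; return the claims.

    Raises ValueError on any failure so the caller never forwards a bad token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not in header.claims.signature form")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison; check the signature before trusting any claim.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token not yet valid or already expired")
    return claims  # name-value pairs: user identity, app identity, issuer...


def authorization_header(token: str) -> dict:
    """Header the remote web attaches to its CSOM/REST calls to SharePoint."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed claims: "nameid" stands for the user, "appid" for the app.
    claims = {"aud": "sharepoint.example.test", "iss": "demo-issuer",
              "nbf": now - 60, "exp": now + 600,
              "nameid": "user@example.test", "appid": "demo-app-id"}
    tok = make_demo_token(claims)
    for name, value in validate_token(tok, "sharepoint.example.test", now=now).items():
        print(f"{name} = {value}")
    print(authorization_header(tok))
```

The order of checks matters: the signature is verified before any claim is read, so a token with an altered user identity is rejected rather than forwarded with the app's own identity attached.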
Apps Granted Permissions
In SharePoint 2013, an app is granted permissions differently from a user. App permissions are a simple “yes or no”: a requested permission is either granted or it is not.
App permissions have no permissions hierarchy, unlike the user permissions strategy and available security hierarchy within a given site collection.
Apps with Default Permissions
An app that has been provided with default permissions has full control over the app web, as well as access to incoming query string parameters, but does not have default access to the host web.
An app with default permissions must include a permission request within its application manifest, because the installer grants or denies permissions during installation of the app and automatically cancels the install if the permissions are denied.
Adding a Permission Request
As mentioned previously, an app must have a permission request added to its application manifest. You can achieve this by opening the AppManifest.xml file in the manifest designer in Visual Studio and adding a permission request for each permission the app requires on SharePoint.
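Because the installer either grants every requested permission or cancels the install, it pays to review what AppManifest.xml asks for before packaging. The following is an added example, not code from the original article or from EPC Group: it embeds a constructed AppManifest.xml with two `AppPermissionRequest` entries, extracts them, and flags a request that exceeds a chosen maximum right, a tenant-wide scope, or `AllowAppOnlyPolicy`. The manifest content, the product ID and the namespace are constructed for the demo and follow the SharePoint 2013 app manifest schema as far as the author knows it; the linter matches on local element names, so the namespace is not load-bearing.

```python
"""Added example (not the article's own code): lint the permission requests
in an AppManifest.xml before packaging a SharePoint 2013 app.

Assumption: the manifest below is constructed for this demo; element and
attribute names follow the SharePoint 2013 app manifest schema as the author
knows it. Only the Python standard library is used.
"""
import xml.etree.ElementTree as ET

# Constructed manifest; the ProductID is a placeholder GUID.
CONSTRUCTED_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="DemoApp" ProductID="{00000000-0000-0000-0000-000000000001}" Version="1.0.0.0">
  <Properties>
    <Title>Demo App</Title>
    <StartPage>~remoteAppUrl/Home.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="*" />
  </AppPrincipal>
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  </AppPermissionRequests>
</App>
"""

# The four SharePoint app rights, ranked from least to most powerful.
RIGHT_RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}


def _local(tag: str) -> str:
    """Strip the XML namespace so matching works on the element name alone."""
    return tag.rsplit("}", 1)[-1]


def permission_requests(manifest_xml: str):
    """Return (app_only_allowed, [(scope, right), ...]) from the manifest."""
    root = ET.fromstring(manifest_xml)
    app_only = False
    requests = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "AppPermissionRequests":
            app_only = elem.get("AllowAppOnlyPolicy", "false").lower() == "true"
        elif name == "AppPermissionRequest":
            requests.append((elem.get("Scope"), elem.get("Right")))
    return app_only, requests


def lint_manifest(manifest_xml: str, max_right: str = "Write") -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    app_only, requests = permission_requests(manifest_xml)
    findings = []
    if not requests:
        findings.append("no permission request: app gets only its default app-web access")
    if app_only:
        findings.append("AllowAppOnlyPolicy=true: app may act without a user identity")
    for scope, right in requests:
        if RIGHT_RANK.get(right, 0) > RIGHT_RANK[max_right]:
            findings.append(f"{right} on {scope} exceeds the allowed maximum {max_right}")
        if scope and scope.endswith("/tenant"):
            findings.append(f"tenant-wide scope requested: {scope}")
    return findings


if __name__ == "__main__":
    for finding in lint_manifest(CONSTRUCTED_MANIFEST):
        print("FINDING:", finding)
```

Run against the constructed manifest the linter reports three findings (app-only policy, FullControl above the Write ceiling, and the tenant-wide scope); raising `max_right` to `FullControl` leaves the two scope-related findings. Each finding corresponds to something the installer will ask the installing user to grant in full.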
The Visual Studio 2013 SDK provides for project templates, tools, tests, and reference assemblies that are required to build extensions for Visual Studio 2013.
EPC Group’s Nationally Recognized Practice Areas
EPC Group’s leading Custom Application Development, SharePoint, Office 365, Infrastructure Design and Business Intelligence practice areas continue to lead the way in providing our clients with the most up-to-date and relevant information, tailored to their individual business and functional needs.
Additional “From the Consulting Trenches” strategies and methodologies are covered in EPC Group’s new book, “SharePoint 2013 Field Guide: Advice from the Consulting Trenches,” covering not only SharePoint 2013, Office 365 and SharePoint Online but also Information Management, ECM\RM and overall compliance strategies in this ever-changing world of “Hybrid IT.”
With over 25 years of experience in Information Technology and Management Consulting, Errin O’Connor has led hundreds of large-scale enterprise implementations spanning Business Intelligence, Power BI, Office 365, SharePoint, Exchange, IT Security, Azure and Hybrid Cloud efforts for over 165 Fortune 500 companies.