This document discusses OAuth and authorization in SharePoint, Office 365, and Azure. It begins with an introduction to OAuth fundamentals, including the roles of clients, resource owners, authorization servers, and resource servers. It then covers OAuth implementation, including configuring trusts between on-premise and cloud-based authorization servers and the steps applications take to request and receive access tokens. The document concludes with additional resources on OAuth and authorization.
OAuth roles

Resource Owner: grants access to a protected resource.
Resource Server: hosts the protected resource and accepts access requests.
Client: application making protected-resource requests on behalf of the resource owner.
Authorization Server: issues access tokens.
Terminology

Identity Provider: manages identity information for principals (STS).
Security Token Service: handles requests for trusted identity claims.
Identity Token Issuer: identity provider associated with a web application.
Security Token Issuer: trusted resource (farm, server, etc.).
Metadata Endpoint: resource information and signing certificate (JSON).
Request Token: used to request permission to a protected resource.
Access Token: used by the app to access a resource on behalf of the user.
Realm: operation scope for authorization.
Azure ACS: cloud-based security token service (IP-STS).
Token flow

On-premises (S2S):
1. User browses to the app.
2. SharePoint returns parameters.
3. Browser POSTs the parameters to the app.
4. App requests an access token from SharePoint.
5. SharePoint validates the S2S trust.
6. App establishes context.

Online (Azure ACS):
1. User browses to the app.
2. SharePoint gets a request token from ACS.
3. SharePoint sends the request token to the browser.
4. Browser POSTs the request token to the app.
5. App requests an access token from ACS.
6. ACS provides the access token.
7. App establishes context.
App-side steps

On-premises:
1. Get request parameters.
2. Get claims from the Windows identity.
3. Get access token with S2S.
4. Establish client context.

Online:
1. Get POST parameters from SharePoint.
2. Parse out the context token.
3. Read and validate the context token.
4. Get the access token.
5. Get client context from SharePoint with the access token.
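The "read and validate the context token" step of the online flow, as an added Python example that is not from the slides or from SharePoint's own TokenHelper. It assumes the context token is an HS256 JWT signed with the add-in's client secret carrying iss, aud, nbf, exp, appctx and refreshtoken claims; the client id, secret, realm, host name and ACS issuer id are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed values, not from the slides: the add-in's client id/secret, realm
# (tenant id) and host name; the ACS issuer principal is assumed, not on the page.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = b"constructed-client-secret"
REALM = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_HOST = "app.contoso.example"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sample_claims(now):
    """Constructed claims shaped like the context token ACS issues for the app."""
    return {"iss": f"{ACS_PRINCIPAL}@{REALM}", "aud": f"{CLIENT_ID}/{APP_HOST}@{REALM}",
            "nbf": now, "exp": now + 43200, "refreshtoken": "constructed-refresh-token",
            "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                                  "SecurityTokenServiceUri": f"https://sts.example/{REALM}/tokens/OAuth/2"})}

def make_context_token(claims):
    """Sign an HS256 JWT with the client secret (stands in for ACS minting the token)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_context_token(token, now):
    """Read and validate the context token: algorithm, signature, issuer, audience, lifetime."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject 'none' and any other algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")  # not minted with this app's secret
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{REALM}":
        raise ValueError("unexpected issuer")
    if claims.get("aud") != f"{CLIENT_ID}/{APP_HOST}@{REALM}":
        raise ValueError("token not issued for this app")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token expired or not yet valid")
    appctx = json.loads(claims["appctx"])  # tells the app where to get the access token
    return {"cache_key": appctx["CacheKey"], "sts_uri": appctx["SecurityTokenServiceUri"],
            "refresh_token": claims["refreshtoken"]}
```

The returned refresh token and STS URI feed the next step (get the access token); the cache key identifies the user/app/realm combination for caching that token.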
[Diagram: online trust flow between the browser or event receiver, SharePoint and Azure ACS (IP-STS). Labels: Start, Client ID, App URL, Tenant ID, User ID + Issuer + App + Realm, IP-STS URL, Token sent to IP-STS (Azure ACS), End.]
Resources

OAuth Working Group: http://oauth.net/
OAuth Resource Guide: http://bit.ly/14CWPNb
Authorization and authentication for apps in SharePoint 2013: http://bit.ly/16f8WFh
Setting up an OAuth trust between farms in SharePoint 2013: http://bit.ly/12Yr7e3
Plan for server-to-server authentication in SharePoint 2013: http://bit.ly/1chAgFl
What's new in authentication for SharePoint 2013: http://bit.ly/1e6KaYv
Creating High-Trust apps with S2S: http://bit.ly/18RL8uL
Using O365 to Authorize On-Premise Apps: http://bit.ly/1fvv1Bo