OAuth is a security protocol that enables users to grant third-party access to their resources without sharing their passwords. It also provides a way to grant limited access (in scope, duration, etc.).
OAuth 1.0 was published in December 2007 and quickly became the industry standard for web-based access delegation. A minor revision (OAuth 1.0 Revision A) was published in June 2008 to fix a security hole. In April 2010, OAuth 1.0 was published as RFC 5849.
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Cross platform app authorization and Internet standard supported by Azure, Facebook, Twitter, Google and more.
1. Context Token – Information about the resource owner & client that can be used to get an Access Token later – base64 encoded
2. Refresh Token – token used to get an Access Token from the Authorization Server
3. Access Token – token passed to the Resource Server authorizing the client to access Resources
OAuth for SharePoint 2013:
OAuth is not the protocol for authenticating users to access SharePoint; that is still done by Claims Authentication. OAuth comes into the picture when we want to authenticate and authorize SharePoint 2013 Apps.
OAuth is the internet protocol for creating and managing app identity. It is also a cross-platform mechanism for authenticating and authorizing apps. OAuth is also an emerging internet standard used by Facebook, Twitter and Google.
OAuth gives the power and flexibility of having an app identity in addition to the user identity. Here are some pointers about App Identity:
– App should be granted permissions independently of user permission
– App can request specific permission from the user during installation
– App can be granted more permission than the user (Elevation)
– App is constrained to what it can do during and after installation
Here are some important concepts around OAuth:
1. Content Owner – User who grants permission to content in a site
2. Client App – This is the remote App (running in a Cloud or Hosted environment) that needs permission to Site Content. In our case it is the SharePoint 2013 App
3. Content Server – The web server that serves the content to be accessed by the App. In our case it is the SharePoint 2013 Server (Cloud or On-Premise)
4. Authentication Server – Trusted server that authenticates apps and creates OAuth tokens. In our case it is the Azure ACS server or an OAuth-compatible authentication server
Let’s see what is happening in each step in the above picture.
1. The user accesses the SharePoint 2013 portal and SharePoint 2013 authenticates the user using Claims Authentication
2. SharePoint 2013 requests the Context Token for the user from Windows Azure ACS (Access Control Services) or SharePoint OnPrem
3. ACS returns the Context Token to the Content Server
4. The SharePoint 2013 web server passes the Context Token to the user
5. The user accesses the App using the Context Token
6. The Client App pulls the Refresh Token from the Context Token and requests an OAuth token from ACS
7. The ACS server returns the OAuth token to the Client App
8. The Client App makes CSOM/REST calls to the SharePoint site by passing the OAuth Token
9. SharePoint 2013 returns site content to the App based on the App Permission Manifest
10. The Client App returns the App Content to the user
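As an added example (not code from the original post), here is a minimal Python model of steps 4 to 6: the context token is an HMAC-SHA256-signed JWT, and the app must check the signature with its client secret, the nbf/exp window and the audience before pulling the refresh token out. The claim names, the `<clientId>/<host>@<realm>` audience form, the use of the base64-decoded client secret as the HMAC key, and every ID and secret below are assumptions and constructed placeholders, not values from the page.

```python
import base64, hashlib, hmac, json, time

# Constructed sample identifiers (placeholders, not real values)
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REALM = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_HOST = "app.contoso.example"
CLIENT_SECRET = base64.b64encode(b"constructed-app-secret-do-not-reuse").decode()
AUDIENCE = f"{CLIENT_ID}/{APP_HOST}@{REALM}"  # assumed <clientId>/<host>@<realm> form

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_context_token(claims: dict, client_secret: str) -> str:
    """Build an HS256 JWT the way ACS hands the context token to the app (steps 4/5)."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    key = base64.b64decode(client_secret)  # assumed: signing key is the decoded client secret
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def read_context_token(token: str, client_secret: str, audience: str, now: float) -> dict:
    """Check signature, validity window and audience before trusting any claim.
    Returns the claims (including the refresh token) or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_s, body_s, sig_s = parts
    if json.loads(_b64url_decode(header_s)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose its own algorithm
    key = base64.b64decode(client_secret)
    expected = hmac.new(key, f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_s))
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token outside nbf/exp window")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch: token was issued for another app")
    return claims

def refresh_token_from(token: str, client_secret: str, audience: str, now=None):
    """Step 6: return the refresh token only if the context token validates, else None."""
    try:
        when = time.time() if now is None else now
        return read_context_token(token, client_secret, audience, when)["refreshtoken"]
    except (ValueError, KeyError):
        return None
```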
If the app needs to connect to the SharePoint server, the ACS server must be trusted by the Content Server and by the 3rd-party App. We can connect ACS in 2 ways… you are using: SharePoint Online Wave 15 and SharePoint OnPrem. If you have SharePoint Online Wave 14 then you are out of luck – no OAuth for you.