Developing Apps for SharePoint Store
1. Developing Apps for SharePoint and Office Store
Kashif Imran
kashif_imran@hotmail.com
2. Agenda
• SharePoint Solutions
• SharePoint Apps
• Developer Environment and Server Infrastructure
• Types of SharePoint Apps
• SharePoint App Shapes/User Experience
• Packaging and Publishing Apps
• Security in SharePoint Apps
• Questions
3. SharePoint Solutions
• Farm Solutions
• Run within the SharePoint worker process (w3wp.exe)
• Access to the Server Object Model
• By default run with the current user’s permissions
• Developer can use SPSecurity.RunWithElevatedPrivileges, which runs the delegate under the Windows identity of the host application pool; only SPSite/SPWeb objects created inside the delegate carry that identity, objects created outside it keep the user’s context
• Farm stability issues (full-trust code runs in the same process as SharePoint)
• Installation and upgrade require an iisreset
• Complicate upgrading the farm to a newer version of SharePoint
• Sandboxed Solutions
• Run in SPUCWorkerProcess.exe
• Access to a restricted subset of the Server Object Model
• Feature activation has full access to content (runs as site administrator)
• Always run as the current user; cannot use SPSecurity.RunWithElevatedPrivileges
• Deprecated in SharePoint 2013 in favor of developing apps for SharePoint
4. SharePoint App
• A web application that is registered with SharePoint using an app manifest
• Customizes and extends SharePoint without full-trust access
• Gets its own security principal
• Interacts with SharePoint using the Client Object Model or REST
• Distributed as an app package (.app) to the public marketplace or a corporate app catalog
• Installed at site or tenant scope
• Can be written in any programming language/technology that can communicate with SharePoint via REST and OAuth
5. SharePoint APIs
• Server Object Model
• Client Object Model
• .NET Client OM
• Silverlight (and Mobile) Client OM
• JavaScript Client OM
• REST/OData Endpoints
• ASP.NET (asmx) web services
• Only supported for backward compatibility
• Direct Remote Procedure Call (RPC) requests to owssvr.dll
• Only supported for backward compatibility
7. Developer Environment
• SharePoint 2013 Developer Site (Office 365 or On-premises)
• Visual Studio 2012
• Developer Tools for Visual Studio 2012
• SharePoint client components
• Windows Identity Foundation SDK
• Workflow Tools SDK and Workflow Client SDK
• Visual Studio 2012 and Office Developer Tools on a SharePoint 2013 environment
8. SharePoint Infrastructure for Apps
• Apps are always installed and run within the context of a tenancy
• SharePoint tenancy: a set of site collections that are configured and managed as a single unit
• Farm-wide tenancy (default tenancy) for on-premises farms
• Service Applications
• App Management Service
• Stores security principals, permissions, licensing and other app configuration details
• Provisioned using Central Administration (CA) or PowerShell
• Subscription Settings Service
• Tenant configuration
• Provisioned using PowerShell
• Creates a default tenant
• Office 365 has both of these already configured for the tenant
9. Types of SharePoint Apps
• SharePoint-hosted
• App resources stored in a child site known as the app web
• App can only have client-side code
• Cloud-Hosted
• App resources deployed on a remote server known as the remote web
• App can have both client-side and server-side code
• 2 types of Cloud-Hosted Apps
• Autohosted (hosted in Azure)
• Provider-hosted (deployed by the provider)
10. SharePoint-hosted App
• During installation the app web is created as a child of the site where the app is installed
• App start page is hosted in SharePoint
• App web contains CSS, JavaScript and other resources (SharePoint lists and libraries etc.)
• Can contain server controls (XsltListViewWebPart) and client-side code served out of an isolated domain
12. App Manifest
• Metadata for the app
• AppManifest.xml
• Start Page element
• SharePoint-hosted
• Must use ~appWebUrl, e.g. ~appWebUrl/Pages/Default.aspx
• App’s start page URL is not known until the app has been installed
• Autohosted
• ~remoteAppUrl stays in the app manifest and is replaced by Office 365
• Provider-hosted
• ~remoteAppUrl must be replaced with the absolute URL when the app is published
• During debugging VS replaces ~remoteAppUrl with the URL of the remote web
• {StandardTokens} => replaced by SharePoint with environment values such as SPHostUrl and SPLanguage (plus SPAppWebUrl when the app has an app web)
13. App Web
• App by default has full permissions to read/write content in the app web
• No default permissions on any location in the SharePoint host environment
• App.master provides UI to go back to the host web
• Isolated in its own private domain
• https://{TenancyName}-{14 char App UID}.sharepoint.com/sites/{ParentSiteName}/{AppName}/
• http://apps-{UniqueID}.sp2013apps.local/sites/{ParentSiteName}/{AppName}/
• Why a private domain?
• XSS containment: because of the browser’s same-origin policy, JavaScript in the app web cannot call back into the host web directly
• JavaScript does not run with the same established user identity as the host web
• SharePoint sees JavaScript callbacks from the app web arriving at unique URLs and can therefore authenticate the app
• {StandardTokens}: SPHostUrl, SPAppWebUrl, SPLanguage
• Uses internal authentication: the app is not required to create/manage security tokens
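The standard tokens above reach the app as query-string values on its start page, which means they come from the browser and can be set by whoever crafts the link. The following is an added example, not code from the slides or from Microsoft: it parses SPHostUrl/SPAppWebUrl/SPLanguage, accepts SPHostUrl only when it is an https URL on an assumed allowlisted tenant host, checks that SPAppWebUrl matches the origin the page itself came from, and only then builds the SP.AppContextSite(@target) REST URL the cross-domain library uses to reach host-web content. The tenant name, app web domain and allowlist are constructed for the example.

```javascript
// Added example, not from the slides: checking the {StandardTokens} values an app
// page receives before using them to address the host web.
// SPHostUrl and SPAppWebUrl arrive in the query string of the app's start page,
// i.e. from the browser, so a crafted link can point SPHostUrl at any server.
// The tenant host name and URLs below are constructed for the example.

// Hosts this app may call back into (assumed allowlist; a real app would load
// it from configuration).
const TRUSTED_HOSTS = new Set(["contoso.sharepoint.com"]);

// Pull SPHostUrl, SPAppWebUrl and SPLanguage out of the start-page URL.
function parseStandardTokens(startPageUrl) {
  const q = new URL(startPageUrl).searchParams;
  return {
    hostUrl: q.get("SPHostUrl"),
    appWebUrl: q.get("SPAppWebUrl"),
    language: q.get("SPLanguage"),
  };
}

// Accept only an absolute https URL, without embedded credentials, whose host is
// in the allowlist. Returns the normalised URL (no trailing slash) or null.
function trustedSharePointUrl(candidate, trustedHosts = TRUSTED_HOSTS) {
  if (typeof candidate !== "string") return null;
  let u;
  try {
    u = new URL(candidate);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:") return null;
  if (u.username || u.password) return null;
  if (!trustedHosts.has(u.hostname.toLowerCase())) return null;
  return u.origin + u.pathname.replace(/\/+$/, "");
}

// Cross-site REST URL the cross-domain library issues against the app web to
// reach host-web content: /_api/SP.AppContextSite(@target)<path>?@target='<host>'.
// @target is an OData string literal, so a quote inside it is doubled.
function hostWebRestUrl(appWebUrl, hostUrl, apiPath) {
  const target = encodeURIComponent(hostUrl.replace(/'/g, "''"));
  return `${appWebUrl}/_api/SP.AppContextSite(@target)${apiPath}?@target='${target}'`;
}

// Resolve the host-web "lists" REST URL for a start page. Returns null when
// SPHostUrl is not a trusted host or SPAppWebUrl is not on the origin the page
// itself was served from.
function hostWebListsUrl(startPageUrl) {
  const t = parseStandardTokens(startPageUrl);
  const host = trustedSharePointUrl(t.hostUrl);
  const appWeb = trustedSharePointUrl(t.appWebUrl, new Set([new URL(startPageUrl).hostname]));
  if (!host || !appWeb) return null;
  return hostWebRestUrl(appWeb, host, "/web/lists");
}

// Constructed start-page URL, shaped like the one SharePoint redirects to after install.
const SAMPLE_START_PAGE =
  "https://contoso-a1b2c3d4e5f6g7.sharepoint.com/sites/dev/MyApp/Pages/Default.aspx" +
  "?SPHostUrl=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fdev" +
  "&SPLanguage=en-US" +
  "&SPAppWebUrl=https%3A%2F%2Fcontoso-a1b2c3d4e5f6g7.sharepoint.com%2Fsites%2Fdev%2FMyApp";

if (typeof require !== "undefined" && require.main === module) {
  console.log(hostWebListsUrl(SAMPLE_START_PAGE));
  // A link with SPHostUrl pointing elsewhere yields null instead of a call to the attacker's host.
  console.log(hostWebListsUrl(SAMPLE_START_PAGE.replace(/SPHostUrl=[^&]*/, "SPHostUrl=https%3A%2F%2Fevil.example.net")));
}
```

In a real app page the same check runs in the browser before SP.RequestExecutor is pointed at the host web; the allowlist can be replaced by comparing the SPHostUrl host against the tenant host the app web domain was derived from.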
14. Autohosted App
• Provisions database and websites on demand
• Has associated remote web, can optionally have app web
• Office 365 deploys remote web in Azure during app installation
• Can store app specific data in its own database using SQL Azure
• Only supported in Office 365
• Each tenant receives its own instance of app and database
16. Provider-hosted App
• Associated remote web is deployed and maintained by the developer
• Remote web is deployed prior to app installation
• Often stores app-specific data in its own database
• Multitenancy issues: data isolation, privacy/regulations
18. SharePoint Apps User Experience Options
• Immersive Full-page
• App Parts/Client Parts
• UI command extension/Custom Actions
19. App Parts
• IFrame on steroids
• UI element surfaced on pages in the host web via an IFrame
• Experience similar to web parts
• Client Web Part (implementation of an App Part), template in Visual Studio
• Cannot have any server-side code that runs in the SharePoint host environment
• Supported for SharePoint-hosted, Autohosted and Provider-hosted
• IFrame + start page tokens + custom properties, plus contextual security information to call back into the SharePoint host environment via the app identity
21. UI Custom Actions
• Add commands to the host site
• Button on the ribbon
• Menu command in the ECB
• Other UI custom actions available in farm solutions are not available in the app model
• Supported in all three hosting models
• Contextual information about the item or document is passed via the query string
• UrlAction: ~appWebUrl, ~remoteAppUrl, {StandardTokens}, {ItemURL}, {HostUrl}, {SiteUrl}, {ListId}, {SelectedListId}, {SelectedItemId}
• HostWebDialog=True opens the action target in a dialog on the host web instead of navigating away
23. Packaging Apps
• App Package: distributable zip file with extension .app
• AppManifest.xml
• AppIcon.png, AppIcon.png.config.xml (assigns the icon a GUID)
• Resource files, CSS, JavaScript
• .wsp package for SharePoint-specific artifacts (lists and pages) embedded in the app package
• If the app package contains an inner solution package, SharePoint creates an app web; otherwise the app is installed without an app web
• App web solution package contains a single web-scoped feature that is activated by default and deploys the declared elements (pages, lists)
• App web solution package cannot have .NET assemblies with server-side code
• SharePoint-hosted app always creates an app web because the start page must be added to the app web
• Cloud-hosted apps can decide whether they need an app web or not
• App part and UI custom action features are added at the top level of the app package and not inside the .wsp solution package
24. Packaging Autohosted Apps
• Web Deploy package used for Azure deployment is embedded in the app package
• *Web.zip => MyAppWeb.zip
• Optional Data-Tier Application Package (.dacpac) for SQL Azure
• Add a new SQL Database project and change the target platform to SQL Azure => the project output becomes a .dacpac
• Use the SQL Package property in the app project to point to the .dacpac file
25. Publishing Apps
• Publish to Office Store
• Seller Dashboard account (https://sellerdashboard.microsoft.com)
• Licensing and ecommerce are taken care of by Microsoft
• SharePoint apps, Apps for Office, Windows Azure Catalog Apps
• Upload the app package and fill in the associated details
• Approval process
• Publish to app catalog
• Give users Read access so they can discover and install apps
• Or install the app at tenant scope
• Apps for SharePoint and Apps for Office document libraries
• Management of app requests from users
27. App Lifecycle Events
• Installed, updated, uninstalled etc.
• Because they require a server-side entry point, app events are only supported in cloud-hosted apps
• Handle App Installed, Handle App Uninstalling, Handle App Upgrade
28. App Authentication in SharePoint 2013
• Apps are first-class security principals and are granted permissions separately from the user’s permissions
• Permission requests are granted all or none (the installing user must trust every requested permission or the app cannot be installed); there is no hierarchy of permissions
• Security Principal: an entity understood by a security system (User, SharePoint App)
• App authentication is only supported on CSOM and REST API endpoints
• App authentication is NOT supported on custom web service entry points
• Apps have full rights on the app web and can request permissions on other webs (host web, site collection, tenant)
• Full Control permission cannot be used for Office Store apps
• AllowAppOnlyPolicy="true" in AppManifest.xml lets the app request app-only permissions, i.e. calls made with the app identity alone and no signed-in user; grant this only to apps that genuinely need to act without a user, since such calls are not limited by any user’s permissions
• Project Server permissions are available if PWA is installed
29. Types of App Authentication in SharePoint
• 3 basic types of app authentication
• Internal authentication
• External authentication using OAuth
• External authentication using S2S
30. Internal Authentication
• Used for client-side calls from pages in the app web, or from the remote web via the cross-domain library
• Incoming calls require a SAML token holding an established user identity (the user’s existing SharePoint sign-in)
• Call targets the unique domain of the app web associated with an app
• SharePoint maps the target URL to an instance of an app
• App code is not required to create and manage security tokens
31. External Authentication
• Calls to SharePoint from server-side code running in the remote web
• Used for both OAuth and S2S
• Incoming calls require an access token carrying the app identity
• Access token can optionally carry a user identity as well
• Call can target any CSOM or REST endpoint in any site
• App code is required to create and manage security tokens
32. OAuth
• OAuth.net
• Internet protocol/spec for creating and mapping app identity
• A cross-platform, open protocol for authorizing apps
• Internet standard used by Google, Facebook, Twitter
• Authorizes requests by an app for SharePoint to access SharePoint resources on behalf of a user
• SP2013 uses OAuth 2.0 (very different from OAuth 1.0)
• OAuth spec provides details on how to create access tokens
• Used for external auth in Office 365
• Delegated authorization codes or access tokens are issued by the OAuth STS (Windows Azure Access Control Service, ACS)
• Remote web must communicate with ACS to obtain access tokens
• Access tokens are passed to the SharePoint host in CSOM or REST API calls
• WS-Federation STS and SAML passive sign-in STS are primarily intended to issue sign-in tokens
• In SP2013, the OAuth STS is used only for issuing tokens to apps (context and access tokens) and is not used as an identity provider
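As an added example (not from the slides and not Microsoft's TokenHelper), here are the messages in the exchange described above: the refresh-token grant the remote web POSTs to ACS, the JSON reply, and the bearer-authenticated REST request to SharePoint. The ACS endpoint and the SharePoint principal ID are the well-known values; the realm, client id, secret, refresh token and the ACS reply are constructed for the example. A small cache keyed by a (user, app, tenant) string shows when the app should go back to ACS for a fresh token.

```javascript
// Added example, not from the slides: the exchange a provider-hosted app's remote
// web performs with Windows Azure ACS to turn a refresh token into an access
// token, and the REST request that carries that token to SharePoint.
// The ACS endpoint and the SharePoint principal ID are the well-known values used
// by Microsoft's TokenHelper; the realm, client id, secret, refresh token and the
// ACS reply below are constructed for the example.
const ACS_HOST = "accounts.accesscontrol.windows.net";
const SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000";

// Request body the remote web POSTs to ACS (application/x-www-form-urlencoded).
// The resource names SharePoint at the host the app will call, scoped to the realm.
function buildAcsTokenRequest({ realm, clientId, clientSecret, refreshToken, hostName }) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: `${clientId}@${realm}`,
    client_secret: clientSecret,
    refresh_token: refreshToken,
    resource: `${SHAREPOINT_PRINCIPAL}/${hostName}@${realm}`,
  });
  return {
    method: "POST",
    url: `https://${ACS_HOST}/${realm}/tokens/OAuth/2`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Parse the ACS JSON reply. Errors come back as {error, error_description}; a
// success carries access_token, token_type and expires_in (seconds). The returned
// expiresAt is absolute and shortened by a margin so the app refreshes early.
function parseAcsTokenResponse(json, nowSeconds, marginSeconds = 300) {
  const r = JSON.parse(json);
  if (r.error) throw new Error(`ACS error ${r.error}: ${r.error_description || ""}`);
  if (r.token_type !== "Bearer" || typeof r.access_token !== "string") {
    throw new Error("unexpected token response");
  }
  const expiresIn = Number(r.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= marginSeconds) {
    throw new Error("unusable expires_in");
  }
  return { accessToken: r.access_token, expiresAt: nowSeconds + expiresIn - marginSeconds };
}

// Reuse a cached token until its (margin-adjusted) expiry, then fetch a new one.
// The key is the per-(user, app, tenant) cache key SharePoint hands the app.
function accessTokenFor(cache, cacheKey, nowSeconds, fetchFresh) {
  const hit = cache.get(cacheKey);
  if (hit && nowSeconds < hit.expiresAt) return hit.accessToken;
  const fresh = fetchFresh();
  cache.set(cacheKey, fresh);
  return fresh.accessToken;
}

// The CSOM/REST call to the host web, authenticated with the access token.
function buildSharePointRestRequest(hostWebUrl, apiPath, accessToken) {
  return {
    method: "GET",
    url: `${hostWebUrl}/_api${apiPath}`,
    headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json;odata=verbose" },
  };
}

// Constructed app registration and a constructed ACS reply.
const SAMPLE_APP = {
  realm: "8f5d1a2b-3c4e-4f60-9a7b-2c3d4e5f6a7b",
  clientId: "b5c1e8d2-1a2b-4c3d-9e8f-0a1b2c3d4e5f",
  clientSecret: "c2FtcGxlLXNlY3JldA==",
  refreshToken: "sample-refresh-token",
  hostName: "contoso.sharepoint.com",
};
const SAMPLE_ACS_RESPONSE = JSON.stringify({
  token_type: "Bearer",
  expires_in: "43199",
  not_before: "1699999900",
  expires_on: "1700043199",
  resource: `${SHAREPOINT_PRINCIPAL}/contoso.sharepoint.com@${SAMPLE_APP.realm}`,
  access_token: "eyJ.sample.access",
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildAcsTokenRequest(SAMPLE_APP));
  const tok = parseAcsTokenResponse(SAMPLE_ACS_RESPONSE, 1700000000);
  console.log(buildSharePointRestRequest("https://contoso.sharepoint.com/sites/dev", "/web/title", tok.accessToken));
}
```

The client secret travels in the POST body over TLS to ACS and nowhere else; it must never be sent to SharePoint or to the browser, and the access token is only ever placed in the Authorization header of calls to the host named in the resource claim.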
33. OAuth Concepts
• Content Owner(s)
• SharePoint user(s) who can grant permissions to site content
• Content Server
• SharePoint web server that hosts the site with the content that is to be accessed
• Client App/ClientID/AppID
• Remote web that needs permissions to access site content
• Authentication Server
• Trusted service that provides apps with access tokens allowing access to content
• Windows Azure ACS in the SP2013 apps case
35. Security Tokens used in OAuth
• Context Token
• Contextual information passed to the app by SharePoint (POSTed to the app’s start page)
• JWT
• Valid for 12 hours
• Cache key: identifies a unique (user, app, tenant) combination
• Refresh Token
• Used by the client app to acquire an access token
• Valid for 6 months
• Access Token
• Token passed by the app to SharePoint when using external authentication
• Valid for 12 hours
38. Managing App Principals in O365
• /_layouts/15/…
• AppRegNew.aspx (register a new app principal: client id and client secret)
• AppInv.aspx (look up an app principal and grant it permissions via a permission request XML)
• AppPrincipals.aspx (list the app principals registered in the site)
• SharePoint Online Management Shell (PowerShell) to administer SharePoint apps and app principals