Monday 11 July 2016

Generate OAuth Authorization Token using OWIN with SharePoint

As a SharePoint developer, you know that SharePoint provides its own OAuth authorization service for issuing access tokens, with its own prerequisites. That approach has limitations. We can issue a comparable bearer token without using the OAuth authorization that SharePoint provides. In this blog, I will take you through issuing a Bearer token for a custom third-party client application so that it can authenticate and authorize against SharePoint and perform operations on SharePoint data using the generated access token.

Let's first look at how a SharePoint token works

When a user signs in to SharePoint, the user's security token is validated. The token is issued by an identity provider, and SharePoint supports several kinds of user authentication. For more information on this, see Authentication, authorization, and security in SharePoint 2013.

In SharePoint 2013, we can create apps using SharePoint Add-ins. These add-ins must also be authenticated and authorized with SharePoint, and that can be done in several different ways. For more information on this, see Three authorization systems for SharePoint Add-ins.

As mentioned there, with every one of those authorization systems, obtaining an access token for the logged-in user requires either a high-trust (server-to-server) configuration backed by certificates or registration with Microsoft Azure Access Control Service (ACS). In both scenarios our custom site must be served over HTTPS with a trusted certificate.

So the workaround for issuing access tokens for a SharePoint site, outside the options Microsoft provides, is a custom ASP.NET Web API built on OWIN.

What is OWIN

OWIN (Open Web Interface for .NET) defines a standard interface between .NET web servers and web applications. OWIN itself is not an authorization server; it is the pipeline into which middleware is plugged. With the Microsoft.Owin.Security.OAuth middleware, an OWIN-hosted Web API can act as an OAuth 2.0 authorization server that sits between the SharePoint site and a third-party client application.

Using ASP.NET Web API and OWIN, we can authenticate and authorize a user against the SharePoint site, issue an access token for that user, and then use the token for CRUD operations on SharePoint content through the SharePoint REST APIs by sending it as a "Bearer" token in the Authorization header of each request.

Authorization Methods in SharePoint

To perform CRUD operations on SharePoint content using SharePoint REST APIs, there are different ways to pass authorization:
  1. System.Net.CredentialCache.DefaultCredentials:
    The DefaultCredentials property applies only to NTLM, negotiate, and Kerberos-based authentication.

    DefaultCredentials represents the system credentials for the current security context in which the application is running. For a client-side application, these are usually the Windows credentials (username, password, and domain) of the user running the application. For ASP.NET applications, the default credentials are the user credentials of the logged-in user, or the user being impersonated.
  2. System.Net.NetworkCredential(username, password, domain):
    The NetworkCredential class is a base class that supplies credentials in password-based authentication schemes such as basic, digest, NTLM, and Kerberos.

    This class does not support public key-based authentication methods such as Secure Sockets Layer (SSL) client authentication.
  3. Bearer Token:
    Tokens are issued to clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server. This specification describes how to make protected resource requests when the OAuth access token is a bearer token.
The first option cannot be used from a custom third-party client application, because the client runs outside the Windows security context that DefaultCredentials represents. The second option sends the username, password and domain with every request, which is a security risk: the client application has to store the user's password and transmit it each time it calls SharePoint.

SharePoint 2013 uses the OAuth 2.0 authorization framework for bearer tokens in SharePoint Add-ins. Once an access token has been obtained, the custom application uses it to perform CRUD operations on SharePoint 2013 content through the SharePoint REST APIs; the token is sent in the request headers by code running in the browser client. No access token is needed when the call is made from within a SharePoint-hosted add-in.

In a similar way, we can issue an access token from an ASP.NET Web API with OWIN by having the client send the username and password once, to the token endpoint (the OAuth 2.0 resource owner password credentials grant). From then on the client holds only the token and uses it for its CRUD operations against the SharePoint REST APIs. Two caveats apply. First, the token endpoint must be served over HTTPS, because the password travels in the request body. Second, this token is minted and validated by your Web API, not by SharePoint, which only trusts tokens from ACS or a high-trust certificate; so the Web API is the protected resource, and it makes the SharePoint REST calls on the caller's behalf after validating the bearer token.

How to Generate Access Token using OWIN

Below are the steps to generate an access token using OWIN
  1. Create a new empty ASP.NET Web Application project. Select the "Web API" check box under "Add folders and core references for", and under Authentication select "No Authentication".

  2. Create a class "Startup.cs" at the root level of the project; OWIN requires it.
  3. Install the required OWIN components in the solution from the NuGet Package Manager Console:
    • Install-Package Microsoft.Owin.Host.SystemWeb
    • Install-Package Microsoft.Owin.Security
    • Install-Package Microsoft.AspNet.Identity.Owin
    The above commands install the OWIN hosting infrastructure together with the OAuth authorization server and bearer authentication middleware.

  4. Every OWIN application has a startup class where you specify the components of the application pipeline. There are different ways to connect your startup class with the runtime, depending on the hosting model you choose (OwinHost, IIS, and IIS Express).

    OwinStartup attribute: this is the approach most developers take to specify the startup class. An assembly-level OwinStartup attribute names the startup class, for example the TestStartup class in the StartupDemo namespace.
  5. Add a Configuration method with an IAppBuilder parameter.
  6. Configure the OAuth authorization server for the application; it will authenticate and authorize users against a SharePoint site and a Windows domain.
  7. Now override the ValidateClientAuthentication and GrantResourceOwnerCredentials methods to suit our requirements, so that the user is authenticated against the SharePoint site and authorized using the site's User Information list. Return the same generic error for an unknown user and a wrong password, so the endpoint cannot be used to enumerate accounts.
  8. Now build and test the application by calling the GetToken endpoint with "UserName" and "Password" parameters. The response contains the bearer token together with its expiry date and time. This token can now be used to perform CRUD operations through the SharePoint REST APIs.
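Putting steps 2 through 8 together, here is a complete Startup.cs as an added example. This is code written for this walkthrough, not the author's original snippets: it assumes a site at https://sharepoint.contoso.local/sites/dev, a Windows domain CONTOSO, the namespace SPTokenDemo, and the Microsoft.SharePoint.Client (CSOM) assembly for checking the credentials against SharePoint. The WhoAmIController is a hypothetical protected resource added to show the issued token being validated.

```csharp
// Startup.cs: added example, not the original post's code.
// Assumed: site URL, domain and namespace below; packages Microsoft.Owin.Host.SystemWeb,
// Microsoft.Owin.Security.OAuth (brought in by Microsoft.AspNet.Identity.Owin)
// and Microsoft.SharePoint.Client.
using System;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Microsoft.SharePoint.Client;
using Owin;

[assembly: OwinStartup(typeof(SPTokenDemo.Startup))]

namespace SPTokenDemo
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var options = new OAuthAuthorizationServerOptions
            {
                // Clients POST grant_type=password&username=...&password=... here.
                TokenEndpointPath = new PathString("/token"),
                Provider = new SharePointOAuthProvider(
                    "https://sharepoint.contoso.local/sites/dev",   // assumed site URL
                    "CONTOSO"),                                     // assumed domain
                AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),
                // Keep false: the password grant carries a cleartext password in the body.
                AllowInsecureHttp = false
            };

            app.UseOAuthAuthorizationServer(options);                                // issues tokens
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); // validates them
        }
    }

    // Validates the resource owner's credentials against SharePoint itself: if a
    // ClientContext built from them can load Web.CurrentUser, they are good.
    public class SharePointOAuthProvider : OAuthAuthorizationServerProvider
    {
        private readonly string _siteUrl;
        private readonly string _domain;

        public SharePointOAuthProvider(string siteUrl, string domain)
        {
            _siteUrl = siteUrl;
            _domain = domain;
        }

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // One public client with no client secret. If you register confidential
            // clients, check context.TryGetBasicCredentials(...) here instead.
            context.Validated();
            return Task.FromResult<object>(null);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            User spUser;
            try
            {
                using (var ctx = new ClientContext(_siteUrl))
                {
                    ctx.Credentials = new NetworkCredential(context.UserName, context.Password, _domain);
                    spUser = ctx.Web.CurrentUser;   // backed by the site's User Information list
                    ctx.Load(spUser, u => u.LoginName, u => u.Email, u => u.Id);
                    ctx.ExecuteQuery();             // a 401 from SharePoint surfaces as a WebException
                }
            }
            catch (WebException)
            {
                // Same generic message for unknown user and wrong password: no user enumeration.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return Task.FromResult<object>(null);
            }

            // The claims below end up inside the protected token and are available to controllers.
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, spUser.LoginName));
            identity.AddClaim(new Claim(ClaimTypes.Email, spUser.Email ?? string.Empty));
            identity.AddClaim(new Claim("sp_user_id", spUser.Id.ToString()));
            context.Validated(identity);
            return Task.FromResult<object>(null);
        }
    }

    // Hypothetical protected resource: [Authorize] answers 401 unless the request
    // carries a valid "Authorization: Bearer <token>" header.
    [Authorize]
    public class WhoAmIController : ApiController
    {
        public IHttpActionResult Get()
        {
            var principal = (ClaimsPrincipal)User;
            return Ok(new { name = principal.Identity.Name, spUserId = principal.FindFirst("sp_user_id").Value });
        }
    }
}
```

To request a token, POST to https://<your-host>/token with Content-Type application/x-www-form-urlencoded and the body grant_type=password&username=<user>&password=<pass>; the JSON reply carries access_token, token_type ("bearer") and expires_in. Calling GET /api/whoami with Authorization: Bearer <access_token> then returns the SharePoint login name and user id from the token's claims, while a request without the header gets 401. Because it is this Web API, not SharePoint, that validates the token, the SharePoint REST calls belong behind controllers like this one.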
Wasn’t that simple? Do try this approach and let me know how it goes for you.

Written by Mahesh Nagawade, Sharepoint Expert at Eternus Solutions