Office 365 DevDays
2017.11.4-6 | Shanghai
Building Office 365 App with AAD OAuth
薛伟文 - Office China R&D Team
Raymond Xue – Office China Incubation Team
CONTENTS
• OAuth Introduction
• AAD App Models
• Office 365 Web App Development
Terms
• Authentication (AuthN)
  • To prove who you are (are you really John Doe?)
• Authorization (AuthZ)
  • To confirm what you may or may not do (scope, permission, etc.)
• Single Sign On (SSO)
  • An optimization of the authentication sequence that removes the burden of repeated sign-in actions from the end user. To facilitate SSO, an element called an Identity Provider (IdP) can act as a proxy on a user's behalf and provide evidence of authentication events to third parties requesting information about the user. These Identity Providers are trusted third parties and need to be trusted both by the user (to maintain the user's identity information, since loss of this information can result in the compromise of the user's identity) and by the Web services, which may grant access to valuable resources and information based upon the integrity of the identity information provided by the IdP.
Office 365 App = OAuth + AAD + REST API
OAuth
• Widely adopted open standard for authorization
• Provides client app a “secure delegated access” to server resources on behalf of the resource owner without explicitly taking username and password
• Begins in Nov. 2006 as OAuth 1.0 (RFC 5849)
• OAuth 2.0 published in Oct. 2012 (RFC 6749, RFC 6750)
• Supported by most major IdPs (identity providers)
  • Microsoft (MSA, Office 365), Google, Yahoo!, Amazon, Dropbox, Facebook, PayPal, etc.
  • WeChat (微信), QQ, Baidu (百度), Sina Weibo (新浪微博), NetEase (网易), Sohu (搜狐)
How OAuth 2.0 Works?
• Resource Owner - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user
• Client - An application making protected resource requests on behalf of the resource owner and with its authorization
• Authorization Server - The server (usually IDP) issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
• Resource Server - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
[Figure: OAuth 2.0 abstract protocol flow between the User (Resource Owner), the Client (3rd party app), the Authorization Server and the Resource Server]
(1) Authorization Request (client to resource owner)
(2) Authorization Grant (resource owner to client)
(3) Authorization Grant (client to authorization server)
(4) Access Token (authorization server to client)
(5) Access Token (client to resource server)
(6) Protected Resource (resource server to client)
OAuth Grant Types
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
Access Token
• The credential for accessing resource servers
• JSON Web Token (JWT) format (RFC 6750)
• Base64 encoded string
• Encrypted signature for authentication
• Has expiry (optional)
• Try out the JWT decoder: http://jwt.calebb.net/
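The bullets above describe the token's shape; what an online decoder cannot show is the checking a resource server or client library does before trusting it. The following is an added example (not code from the slides) that splits a token into header.payload.signature, base64url-decodes the JSON parts, and then verifies the signature, the pinned algorithm, the audience and the expiry. The sample token, key, tenant ID and claims are constructed here with HS256 so the block runs offline; Azure AD signs access tokens with RS256 and a client verifies them against the tenant's published signing keys, but the token layout and the exp/aud checks are the same.

```python
"""Decode and validate a JWT bearer token (added example, not from the slides)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(text):
    """Base64url drops the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims, key):
    """Build header.payload.signature with an HMAC-SHA256 signature (constructed sample)."""
    header = {"typ": "JWT", "alg": "HS256"}
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt(token):
    """Decode only, as an online JWT decoder does; nothing here is trusted yet."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def validate_jwt(token, key, audience, now=None):
    """Return the claims only if alg, signature, aud and exp all check out."""
    now = time.time() if now is None else now
    header, claims, sig = decode_jwt(token)
    if header.get("alg") != "HS256":   # pin the expected algorithm; never take it from the token
        raise ValueError("unexpected alg")
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


# Constructed sample: a made-up key and claims shaped like an AAD access token.
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE_AUDIENCE = "https://graph.microsoft.com"
SAMPLE_CLAIMS = {
    "aud": SAMPLE_AUDIENCE,
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # placeholder tenant ID
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "upn": "john.doe@contoso.onmicrosoft.com",
    "scp": "User.Read",
}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_jwt(SAMPLE_TOKEN)[1])
    print(validate_jwt(SAMPLE_TOKEN, SAMPLE_KEY, SAMPLE_AUDIENCE, now=1_700_000_100))
```

The `now` parameter exists so the expiry check is deterministic; in production leave it at the default wall clock. Pinning `alg` in the verifier rather than reading it from the header is the design choice that matters: the header is attacker-controlled until the signature has been checked.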
OAuth 2.0 in Azure AD (Authorization Code Grant)
[Figure: authorization code grant sequence between the Resource Owner, the Client, the Authorization Server and the Resource Server (Office 365 Services)]
Actual Call Flow
OAuth 2.0 in Azure AD
http://msdn.microsoft.com/en-us/library/azure/dn645545.aspx
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-protocols-oauth-code
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#web-browser-to-web-application
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-authentication-scenarios#web-browser-to-web-application
Setting AAD App for Office 365
• Create AAD app on Azure portal
  • Native app or web app
• Set the "app permission"
  • What the app can do on behalf of the users (on Office 365 resources)
• Obtain "app ID (client ID)" and "app secret"
Setting up an AAD app - Demonstration
Office 365 & Azure – A Tale of Two Instances
• China instance vs. global instance
• Operated by 21Vianet vs. operated by Microsoft
• Data centers inside mainland China vs. overseas (Hong Kong) data centers
• Two instances that do not interoperate with each other
  • Azure portal
  • Auth endpoint
  • Resource endpoints
• API endpoint comparison
  • https://msdn.microsoft.com/office/office365/APi/o365-china-endpoints

Service                  China instance (operated by 21Vianet)                              Global instance (operated by Microsoft)
Authorization            https://login.chinacloudapi.cn                                     https://login.microsoftonline.com
Outlook/Calendar/Contact https://partner.outlook.cn                                         https://outlook.office.com
SharePoint               https://{tenant}.sharepoint.cn/{site-path}/_api/v1.0               https://{tenant}.sharepoint.com/{site-path}/_api/v1.0
OneDrive for Business    https://{tenant}-my.sharepoint.cn/_api/v1.0/me                     https://{tenant}-my.sharepoint.com/_api/v1.0/me
Graph API                https://microsoftgraph.chinacloudapi.cn                            https://graph.microsoft.com
Graph Explorer           https://developer.microsoft.com/zh-cn/graph/graph-explorer-china   https://developer.microsoft.com/en-us/graph/
Azure Portal             https://www.azure.cn                                               https://azure.microsoft.com
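To tie the "Actual Call Flow" slide to the endpoint table above, here is an added example (not the walkthrough code from the slides) of a web app driving the authorization code grant against the v1 Azure AD endpoints of either instance: it builds the /authorize redirect, binds the callback to the browser session with a random `state`, and redeems the one-time code at /token with the app ID and app secret obtained from the portal. The authorization server is an in-memory stand-in so the block runs offline, and CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and TENANT are placeholders.

```python
"""OAuth 2.0 authorization code grant against Azure AD, simulated offline (added example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoints of the two instances (from the endpoint table).
AUTHORITY = {
    "global": "https://login.microsoftonline.com",
    "china": "https://login.chinacloudapi.cn",
}
# Resource the token is requested for (Microsoft Graph in each instance).
RESOURCE = {
    "global": "https://graph.microsoft.com",
    "china": "https://microsoftgraph.chinacloudapi.cn",
}

CLIENT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder app ID (client ID)
CLIENT_SECRET = "placeholder-app-secret"              # placeholder app secret
REDIRECT_URI = "https://localhost:44300/signin-oidc"  # placeholder reply URL
TENANT = "contoso.partner.onmschina.cn"               # placeholder tenant


def build_authorize_url(cloud, tenant, session):
    """Step (1): the URL the browser is redirected to. The random `state` is kept
    in the server-side session so the callback can be tied to this browser."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "resource": RESOURCE[cloud], "state": state}
    return f"{AUTHORITY[cloud]}/{tenant}/oauth2/authorize?{urlencode(params)}"


def callback_params(url):
    """Flatten the query string of a redirect into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeAuthorizationServer:
    """Constructed stand-in for login.* that issues codes and tokens in memory."""

    def __init__(self):
        self._codes = {}

    def authorize(self, authorize_url, user):
        """Steps (2)/(3): user signs in and consents; redirect back with code + echoed state."""
        q = callback_params(authorize_url)
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                             "resource": q["resource"], "user": user}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form):
        """Step (4): redeem the code. It is deleted on first use, so a replayed code
        is refused; client_secret and redirect_uri must match the original request."""
        record = self._codes.pop(form.get("code"), None)
        if record is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        if (record["client_id"] != form.get("client_id")
                or form.get("client_secret") != CLIENT_SECRET
                or record["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_client"}
        return {"token_type": "Bearer", "expires_in": 3599, "resource": record["resource"],
                "access_token": "constructed." + secrets.token_urlsafe(16)}


def exchange_code(server, code, cloud):
    """Form body a real client POSTs to {AUTHORITY}/{tenant}/oauth2/token."""
    form = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code,
            "redirect_uri": REDIRECT_URI, "resource": RESOURCE[cloud]}
    return server.token(form)


def handle_callback(callback_url, session, server, cloud):
    """Client side of steps (3)/(4): refuse the callback unless its state matches
    the one stored for this session, then redeem the code."""
    q = callback_params(callback_url)
    if not session.get("oauth_state") or q.get("state") != session.pop("oauth_state"):
        raise ValueError("state mismatch: callback is not bound to this session")
    return exchange_code(server, q["code"], cloud)


def run_flow(cloud="china"):
    """Drive the whole sequence once and return the token response."""
    session, server = {}, FakeAuthorizationServer()
    callback_url = server.authorize(build_authorize_url(cloud, TENANT, session), user="john.doe")
    return handle_callback(callback_url, session, server, cloud)


if __name__ == "__main__":
    print(run_flow("china"))
```

Switching `cloud` between "china" and "global" changes both the authority the browser is sent to and the `resource` the token is issued for; a token from one instance is not accepted by the other, which is the practical meaning of "two instances that do not interoperate". The `state` check and the one-time use of the code are the two client-visible controls the grant depends on.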
App Demo
Graph Explorer
• China instance
  • https://developer.microsoft.com/zh-cn/graph/graph-explorer-china
• Global instance
  • https://developer.microsoft.com/en-us/graph/
Code Walkthrough
Office 365 DevDays
Thank you