Building Office 365 App with AAD OAuth - Microsoft

Office 365 DevDays 2017.11.4-6 | Shanghai | Building Office 365 App with AAD OAuth | 薛伟文 - Office China R&D Team (Raymond Xue – Office China Incubation Team)

Post on 02-Aug-2020


TRANSCRIPT

Page 1: Building Office 365 App with AAD OAuth - Microsoft · OAuth •Widely adopted open standard for authorization •Provides client app a “secure delegated access” to server resources

Office 365 DevDays

2017.11.4-6 | Shanghai

Building Office 365 App with AAD OAuth

薛伟文 - Office China R&D Team

Raymond Xue – Office China Incubation Team

Page 2

Contents

• OAuth Introduction

• AAD App Models

• Office 365 Web App Development

Page 3

Terms

• Authentication (AuthN): to prove who you are (are you really John Doe?)

• Authorization (AuthZ): to confirm what you may or may not do (scope, permission, etc.)

• Single Sign On (SSO): an optimization of the authentication sequence to remove the burden of repeated actions placed on the end user. To facilitate SSO, an element called an Identity Provider can act as a proxy on a user's behalf to provide evidence of authentication events to 3rd parties requesting information about the user. These Identity Providers are trusted 3rd parties and need to be trusted both by the user (to maintain the user's identity information, since the loss of this information can result in the compromise of the user's identity) and by the Web services, which may grant access to valuable resources and information based upon the integrity of the identity information provided by the Identity Provider (IP).

Page 4

Office 365 App = OAuth + AAD + REST API

Page 5

OAuth

• Widely adopted open standard for authorization

• Provides a client app "secure delegated access" to server resources on behalf of the resource owner without the client ever handling the owner's username and password

• Began in Nov. 2006 as OAuth 1.0 (RFC 5849)

• OAuth 2.0 published in Oct. 2012 (RFC 6749, RFC 6750)

• Supported by most major IdPs (identity providers): Microsoft (MSA, Office 365), Google, Yahoo!, Amazon, Dropbox, Facebook, PayPal, etc.; WeChat (微信), QQ, Baidu (百度), Sina Weibo (新浪微博), NetEase (网易), Sohu (搜狐)

Page 6

How OAuth 2.0 Works

• Resource Owner - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user

• Client - An application making protected resource requests on behalf of the resource owner and with its authorization

• Authorization Server - The server (usually the IdP) issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

• Resource Server - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

[Figure: OAuth 2.0 abstract protocol flow. Actors: User (Resource Owner), Client (3rd Party App), Authorization Server, Resource Server. Steps: (1) Authorization Request, (2) Authorization Grant, (3) Authorization Grant, (4) Access Token, (5) Access Token, (6) Protected Resource.]

Page 7

OAuth Grant Types

• Authorization Code Grant

• Implicit Grant

• Resource Owner Password Credentials Grant

• Client Credentials Grant

Page 8

Access Token

• The credential for accessing resource servers

• JSON Web Token (JWT) format (RFC 6750)

• Base64 encoded string

• Encrypted signature for authentication

• Has expiry (optional)

• Try out the JWT decoder: http://jwt.calebb.net/
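The decoder linked above shows a token's header and claims but proves nothing about them. The following Python is an added example (not from the deck) that contrasts that decode-only view with the checks a resource server or app must perform before trusting a token: pinned algorithm, signature, audience and expiry. It uses a constructed HS256 key and token so it runs offline; real Azure AD access tokens are RS256-signed with keys published at the tenant's OpenID discovery endpoint, so the key and claims here are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding


def make_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 token for the demo (real AAD tokens are RS256, signed by the IdP)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> tuple:
    """What an online JWT decoder shows: header and claims, with nothing proven."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's choice
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")  # token was minted for another resource server
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def accept(token: str, key: bytes, audience: str, now=None) -> bool:
    """Yes/no wrapper around verify_jwt; malformed tokens are rejected, not raised."""
    try:
        verify_jwt(token, key, audience, now)
        return True
    except (ValueError, KeyError):
        return False


KEY = b"constructed-demo-key"  # placeholder secret, not a real signing key
SAMPLE = make_jwt({"aud": "https://graph.microsoft.com", "upn": "user@contoso.example",
                   "exp": 1700000000}, KEY)
```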

Page 9

OAuth 2.0 in Azure AD (Authorization Code Grant)

[Figure: authorization code grant sequence between Resource Owner, Client, Authorization Server and Resource Server (Office 365 Services).]

Page 10

Actual Call Flow

• OAuth 2.0 in Azure AD: http://msdn.microsoft.com/en-us/library/azure/dn645545.aspx

• https://docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-protocols-oauth-code

• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#web-browser-to-web-application

• https://docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-authentication-scenarios#web-browser-to-web-application

Page 11

Setting up an AAD App for Office 365

• Create the AAD app on the Azure portal: native app or web app

• Set the "app permissions": what the app can do on behalf of the users (on Office 365 resources)

• Obtain the "app ID (client ID)" and "app secret"

Page 12

Setting up an AAD App (Demonstration)

Page 13

Office 365 & Azure – A Tale of Two Instances

• China version vs. Global version

• Operated by 21Vianet vs. operated by Microsoft

• Data centers inside mainland China vs. overseas (Hong Kong) data centers

• Two instances that do not interoperate: Azure portal, Auth endpoint, Resource endpoints

• API endpoint comparison: https://msdn.microsoft.com/office/office365/APi/o365-china-endpoints

| Service | China version (operated by 21Vianet) | Global version (operated by Microsoft) |
|---|---|---|
| Authorization | https://login.chinacloudapi.cn | https://login.microsoftonline.com |
| Outlook/Calendar/Contact | https://partner.outlook.cn | https://outlook.office.com |
| SharePoint | https://{tenant}.sharepoint.cn/{site-path}/_api/v1.0 | https://{tenant}.sharepoint.com/{site-path}/_api/v1.0 |
| OneDrive for Business | https://{tenant}-my.sharepoint.cn/_api/v1.0/me | https://{tenant}-my.sharepoint.com/_api/v1.0/me |
| Graph API | https://microsoftgraph.chinacloudapi.cn | https://graph.microsoft.com |
| Graph Explorer | https://developer.microsoft.com/zh-cn/graph/graph-explorer-china | https://developer.microsoft.com/en-us/graph/ |
| Azure Portal | https://www.azure.cn | https://azure.microsoft.com |
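The following Python is an added example (not the deck's code walkthrough) that ties the authorization code call flow to the endpoint table: it builds the front-channel authorization request and the back-channel token request for whichever instance (China or global) the app targets, and validates the redirect back to the app with a state check before the code is exchanged. The /oauth2/authorize and /oauth2/token paths are the Azure AD v1 endpoints described in the linked documentation; the tenant value "common", the client ID, secret and redirect URI used in the test are placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authority and Graph resource pairs taken from the endpoint table above. The
# /oauth2/authorize and /oauth2/token paths are the Azure AD v1 endpoints.
CLOUDS = {
    "global": {"authority": "https://login.microsoftonline.com",
               "graph": "https://graph.microsoft.com"},
    "china": {"authority": "https://login.chinacloudapi.cn",
              "graph": "https://microsoftgraph.chinacloudapi.cn"},
}


def new_state() -> str:
    """Unguessable per-request value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(24)


def build_authorize_url(cloud: str, tenant: str, client_id: str,
                        redirect_uri: str, state: str) -> str:
    """Front-channel authorization request: the browser is sent here to sign in and consent."""
    c = CLOUDS[cloud]
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "resource": c["graph"], "state": state}
    return f"{c['authority']}/{tenant}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app and return the authorization code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    # A code whose state does not match one this session issued is not ours: drop it.
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    return q["code"]


def build_token_request(cloud: str, tenant: str, code: str, client_id: str,
                        client_secret: str, redirect_uri: str) -> tuple:
    """Back-channel token request (server to server, never via the browser). Returns (url, form)."""
    c = CLOUDS[cloud]
    form = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri, "resource": c["graph"]}
    return f"{c['authority']}/{tenant}/oauth2/token", form
```

Switching the `cloud` key is the only change needed to move the same app between the 21Vianet and global instances, since both the authority and the resource identifier must change together.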

Page 14

App Demo

Page 15

Graph Explorer

• China version: https://developer.microsoft.com/zh-cn/graph/graph-explorer-china

• Global version: https://developer.microsoft.com/en-us/graph/

Page 16

Code Walkthrough

Page 17

Office 365 DevDays

Thank you