Shyam Narayan (@dotnetbounce), a Microsoft Premier Field Engineer, took us through the approaches to application hosting in SharePoint 2013.
Application Identity models in SP2013
- SP2010 provided two models for custom code – Full Trust and Sandboxed
- Apps in SP2013 now have their own identity
- Fine-grained permissions can now be configured – the analogy is an app on your smartphone asking for specific permissions, for example:
  - Site Collection – I want Full Control
  - User Profiles – I need Read access to this
  - Taxonomy – I want Write access to this
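The permission requests above (and the AppManifest.xml the demo later showed) are declared per scope and right. As an added example, not from the session or from Microsoft, here is a PowerShell script that reads a manifest and lists what an app asks for, flagging the requests an admin should look at before trusting it. The manifest text is constructed for this example and mirrors the three requests in the talk; the app name, ProductID and the review rule are assumptions.

```powershell
# Added example (not from the session or from Microsoft): read an app's
# AppManifest.xml and list every permission it requests, flagging the ones a
# farm or tenant admin should look at twice before clicking "Trust It".
# The manifest text below is constructed for this example.

$manifestXml = @'
<?xml version="1.0" encoding="utf-8"?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="PermissionDemoApp"
     ProductID="{00000000-0000-0000-0000-000000000001}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>Permission Demo App</Title>
    <StartPage>~appWebUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <Internal />
  </AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Write" />
  </AppPermissionRequests>
</App>
'@

function Get-AppPermissionRequest {
    param([Parameter(Mandatory = $true)][string]$ManifestText)

    [xml]$manifest = $ManifestText
    # GetAttribute avoids the clash between the App element's Name attribute
    # and XmlElement's own .Name property (which would return "App").
    $appName = $manifest.App.GetAttribute('Name')

    foreach ($request in @($manifest.App.AppPermissionRequests.AppPermissionRequest)) {
        [pscustomobject]@{
            App         = $appName
            Scope       = $request.Scope
            Right       = $request.Right
            # Assumed review rule: FullControl anywhere, or any right at tenant scope
            NeedsReview = ($request.Right -eq 'FullControl') -or ($request.Scope -like '*/tenant')
        }
    }
}

$report = Get-AppPermissionRequest -ManifestText $manifestXml
$report | Format-Table App, Scope, Right, NeedsReview -AutoSize

$flagged = @($report | Where-Object { $_.NeedsReview })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} requests {1} permission(s) that need review before the app is trusted." -f $flagged[0].App, $flagged.Count)
}
```

With the constructed manifest, the site collection FullControl request and the tenant-scoped user profile request are flagged; the taxonomy Write request is not. The point is that the manifest is the one place an app's requested rights are declared, so it is the thing to review before the app is installed.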
App Hosting Models
- SharePoint Hosted
- Auto Hosted
SharePoint Hosted Apps
- Custom code or solutions you’ve built that get provisioned and hosted out of SharePoint.
- Completely hosted within SharePoint or iFramed in
- Only client-side scripting supported – *no server-side code*
- Isolated web created to host the app
- SharePoint artefact provisioning supported via CAML
- Data storage location – Content Database
- Supported in On-Premise and SharePoint online
- Cannot write feature receivers in this model
- Remote event receivers are the new way for doing this – a callout to a remote web server
Client-side code – the object model (CSOM) is now RESTful and includes *full server-side API* access. You can access all these services:
- User Profiles
- and more…
Then there was a Visual Studio 2012 based demo.
- You can now write code off a SharePoint box (round of applause from the room), no longer need to be writing code on a SharePoint server itself.
- AppManifest.xml is where you manage permissions requirements for your app.
- Consists of Scope, Permission, Properties – see http://msdn.microsoft.com/en-us/office/apps
- You can still provision lists and libraries declaratively
- App deployment is essentially XML files being provisioned to SharePoint
- Even external content types can be deployed declaratively – the example was a data source from Netflix
- Need to configure the farm in Central Admin to support app provisioning
- New service application – the App Management Service, also need the SharePoint Foundation Subscription Settings Service (enables multi-tenancy).
- Also need to ensure the Settings Service Application has been provisioned
- Apps get a DNS-style prefix – this needs a DNS wildcard configured for the app domain, and SharePoint then resolves the requests for the app name.
- For example http://appffgfgfg04343.app.wingtip.com
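The Central Admin steps listed above (the two service applications, the Subscription Settings service, the app domain and prefix) can all be done from the SharePoint 2013 Management Shell. This is an added example, not the speaker's or Microsoft's own script; the managed account, database names, application pool names and the wingtip.com app domain are assumed placeholders, and it needs to run as a farm administrator on a farm where the DNS wildcard for the app domain already exists.

```powershell
# Added example (not from the session): configure a SharePoint 2013 farm for app
# provisioning from the Management Shell. Names below are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = Get-SPManagedAccount "WINGTIP\sp_services"   # assumed managed account

# 1. Start the two service instances the talk called out
Get-SPServiceInstance |
    Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" -or
                   $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance" } |
    Start-SPServiceInstance

# 2. SharePoint Foundation Subscription Settings service application (multi-tenancy) and proxy
$subPool  = New-SPServiceApplicationPool -Name SettingsServiceAppPool -Account $account
$subSvc   = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subPool -Name SettingsServiceApp -DatabaseName SettingsServiceDB
$subProxy = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subSvc

# 3. App Management service application and proxy
$appPool  = New-SPServiceApplicationPool -Name AppServiceAppPool -Account $account
$appSvc   = New-SPAppManagementServiceApplication -ApplicationPool $appPool -Name AppServiceApp -DatabaseName AppServiceDB
$appProxy = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appSvc

# 4. App domain and prefix. With a DNS wildcard for *.app.wingtip.com pointing at the
#    farm, each app web is served from its own host name under app.wingtip.com, so the
#    app's script runs in a different origin from the host web (the isolation the
#    talk mentioned). Use a domain that is NOT a subdomain of your SharePoint host names.
Set-SPAppDomain "app.wingtip.com"
Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false

# Verify what the farm now reports
Get-SPAppDomain
Get-SPAppSiteSubscriptionName
```

The separate app domain is the part worth getting right from a security point of view: it is what keeps app-web JavaScript in a different browser origin from the host web, and pointing the wildcard at a subdomain of an existing SharePoint host name would undermine that.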
Auto Hosted Apps
- The Office365 app hosting model – not available in on-premise
- Leverages integration between Office365 and Windows Azure
- Leverages Azure Web roles and SQL Azure
- Auto Provisioning of Azure components
- Really easy to build locally and then deploy to the cloud – all the configuration settings are handled for you behind the scenes
- Leverages ACS (Access Control Services) as the app identity broker. Think of it as ADFS in the cloud
- Visual Studio F5 deployment to the cloud
OAuth – Interaction
- Request comes from Browser to SharePoint
- Gets bounced off to ACS
- ACS returns a context token to SharePoint, which is returned to the Browser
- Gets routed via o365apps.net
- 3 key tokens
  - Context Token
  - Access Token
This is only for the app authentication, not authentication of the user.
- For on-premise development:
  - High trust applications behind the firewall
  - Can assert any user’s identity
  - Requires configuration to establish trust between SharePoint farm and S2S app
  - Needs to be done for every app you run / deploy
Configure S2S – challenging to get right.
- App Isolation needs to be configured
- Disable App Pool Principal check (set value to 0)
- Generate Public / Private certificate pair
- Generate Client Id
- Set up Security Token Issuer
- Register App Principal
- Update Web.Config and ensure user profiles exist
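The trust steps above, as an added example rather than the speaker's or Microsoft's own script, run from the SharePoint 2013 Management Shell on the farm. The site URL, certificate paths, issuer GUID, client GUID and display names are assumed placeholders. The "Disable App Pool Principal check" step is left as the page states it; the AllowOAuthOverHttp setting at the end is an assumed, development-only addition that is not in the speaker's list.

```powershell
# Added example (not from the session): establish S2S (high-trust) trust between a
# SharePoint 2013 farm and a provider-hosted app. All identifiers are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "http://sp2013.wingtip.com"              # assumed
$publicCertPath = "C:\Certs\HighTrustApp.cer"               # assumed; public key only
$pfxPath        = "C:\Certs\HighTrustApp.pfx"               # assumed; private key for the remote web
$issuerId       = "11111111-1111-1111-1111-111111111111"   # assumed; keep it lowercase
$clientId       = "22222222-2222-2222-2222-222222222222"   # assumed; the app's Client Id

# 1. Generate the public/private certificate pair (one-time, PKI module on Server 2012+).
#    The .pfx stays on the remote web server; only the .cer is needed on the farm.
$cert = New-SelfSignedCertificate -DnsName "HighTrustApp" -CertStoreLocation "cert:\LocalMachine\My"
Export-Certificate -Cert $cert -FilePath $publicCertPath | Out-Null
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 2. Farm realm: both the issuer and the app principal are named "<guid>@<realm>"
$spweb = Get-SPWeb $siteUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$certificate = Get-PfxCertificate $publicCertPath     # reads the .cer; no private key here

# 3. Trust the signing certificate, then register it as a Security Token Issuer.
#    -IsTrustBroker lets this issuer sign tokens for any user, which is exactly why
#    the private key must be guarded: whoever holds it can assert any identity.
New-SPTrustedRootAuthority -Name "HighTrustAppRoot" -Certificate $certificate
$fullIssuerId = $issuerId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name "HighTrustAppIssuer" -Certificate $certificate `
    -RegisteredIssuerName $fullIssuerId -IsTrustBroker

# 4. Register the app principal and grant it only the rights it needs on this site
$fullAppId = $clientId + '@' + $realm
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppId -Site $spweb -DisplayName "High Trust Demo App"
Set-SPAppPrincipalPermission -Site $spweb -AppPrincipal $appPrincipal -Scope Site -Right Write

# 5. Development only (assumed extra step): allow OAuth over plain HTTP.
#    Skip this on a farm where the web applications are served over HTTPS.
$sts = Get-SPSecurityTokenServiceConfig
$sts.AllowOAuthOverHttp = $true
$sts.Update()

iisreset

# Remaining steps happen on the remote web server, not here: in the app's Web.config
# set the appSettings the Visual Studio TokenHelper reads (ClientSigningCertificatePath,
# ClientSigningCertificatePassword, IssuerId, ClientId), and make sure every user the
# app will act for has a user profile, because that is how the asserted identity is resolved.
```

Because a high-trust app asserts user identity itself, the private key behind the issuer certificate is effectively a farm-wide impersonation credential; keep it off the SharePoint servers, scope the app principal's rights as narrowly as the app allows, and register a separate issuer per app so one can be revoked without touching the others.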
At this point in the session I am feeling that the new way forward for app development in SharePoint is looking mighty complicated. They’ve obviously done a lot of work to make the cloud stuff smooth, but for on-premise stuff it seems pretty clunky and complex. And looks nothing like what came before it in SP2010. Hopefully I’m just having a brain fade and it’s not that hard – but coming right after the responsive web apps session this SharePoint content seemed pretty jarring.