Progress can sometimes be difficult. Unlike times past, when developers had limited options for building Office and SharePoint solutions, the current landscape offers a confusing array of options for building on-premises, cloud and hybrid solutions. From SharePoint add-ins to Azure web applications, there is a lot to know about how, when, where and why to use each development model. In this full day interactive workshop, we will explore each option, discuss the pros and cons, determine the optimal conditions for each, and see them in action with a series of deep-dive demonstrations. You will learn the pre-requisites for building modern Office and SharePoint applications, gain exposure to the tools and platforms, walk through detailed use cases and equip yourself with the knowledge of not only how to create apps and add-ins but also which to use in each situation.
5. Hello, everyone!
Let’s get going
That will be just fine
Please be quiet
This is really good!
Howdy, y’all!
Lesgitafterit
Ayiteden
Kwityerjackjawin
Cantbeatitwiddastick
I am about to get started Imfixintagitrdone
10. Web Parts
App Parts / Framework
WP
Application Pages Web Pages
Timer Jobs Web Jobs
List Templates Code
Web Templates Provisioning
Event Receivers Webhooks
11.
12. • Windows Server
• IIS
• ASP.NET
• SharePoint Server
Framework
•.NET (C#/VB)
•SharePoint Server OM
•CAML/XOML
Languages and API’s
• Visual Studio
Tools
13. • Browser
• Server
• Mobile
Framework
•HTML, JavaScript (JQuery, Knockout, Angular, React, etc.)
•CSOM, JSOM, REST, Office JS, Graph, OAuth
•C#, VB, Java, PHP, Python, Ruby, Others
Languages and API’s
• Visual Studio
• VS Code
• IDE of choice
Tools
25. User requests
access
App requests
Request Token
Provider returns
Request Token
App builds auth
link w/ Request
Token
User requests URL +
Request Token
Provider returns
access token
User requests URL +
Access Token
App validates
access token
Access token
validated
User granted
access
1
2
3
26. User requests
access
App requests
Access Token
Provider returns
Access Token
App builds auth
link w/ Access
Token
User requests URL +
Access Token
App validates
access token
Access token
validated
User granted
access
1
2
27.
28. Manages identity information for principals (STS)Identity Provider
Handles requests for trusted identity claimsSecurity Token Service
Identity provider associated with a web applicationIdentity Token Issuer
Trusted resource (farm, server, etc.)Security Token Issuer
Resource information and signing certificate (JSON)Metadata Endpoint
Used to request permission to protected resourceRequest Token
Used by App to access resource on behalf of userAccess Token
Operation scope for authorizationRealm
Cloud-based security token service (IP-STS)Azure ACS
29.
30.
31.
32. Client ID App URL
Tenant ID
Tenant ID
Azure ACS
Start
End
SharePoint
Tenant ID
User ID + Issuer + App + Realm
IP-STS URL
Browser or Event Receiver
Token sent to IP-STS (Azure ACS)
51. HTTP-based web service architecture that
uses nouns and verbs to define operations
Noun: “Items”
Verbs: GET, POST, PUT, DELETE
OData provides metadata, object typing and
query semantics for underlying data
structure (WCF data services)
/items(0)
Client Object Model service (client.svc)
processes queries, interacts with server OM,
returns formatted response (JSON, XML)
/items/GetByTitle(‘foo’)
55. http://<site collection>/<site>/_api/lists
Get All Lists
http://<site collection>/<site>/_api/lists/GetByTitle(‘Shared Documents’)
Get List
http://<site collection>/<site>/_api/lists/GetByTitle(‘Shared Documents’)/items/GetById(0)
Get List Item
http://<site collection>/<site>/_api/lists/GetByTitle(‘Shared Documents’)/items/
GetById(1)?$select=Title,ID
Get List Item with Specific Properties
59. http://<site collection>/<site>/_api/social.following/followed
Get Followed Users
http://<siteCollection>/<site>/_api/social.following/my/followeddocumentsuri
Get Followed Documents
http://<site collection>/<site>/_api/sp.userprofiles.peoplemanager/getmysuggestions
Get Suggestions
http://<siteCollection>/<site>/_api/sp.userprofiles.peoplemanager/
getpeoplefollowedby(accountName=@v)?@v='domainuser'
Get Followers
62. http://<site>/_api/web/lists/getbytitle(‘Products’)/items/?$filter=Price gt 30000
Filter with Comparison
http://<site>/_api/web/lists/getbytitle(‘Products’)/items()?
$select=Title,Price,Supplier_/Title&$expand=Supplier_/Title&$filter=Supplier_/Title
eq ‘Acme’
Join with Filter
http://<site collection>/<site>/_api/web/lists('<guid>')/items$top=10
Top ‘N’ Results
63.
64. url: http://site url/_api/web/lists/GetByTitle(‘Test')/items
method: POST
body: { '__metadata': { 'type': 'SP.Data.TestListItem' }, 'Title': 'Test'}
headers:
Authorization = "Bearer " + accessToken
X-RequestDigest = form digest value
accept: "application/json;odata=verbose"
content-type: "application/json;odata=verbose"
content-length:1024
Create a List Item
url: http://site url/_api/web/lists/GetByTitle(‘Test')/items(item id)
method: POST
body: { '__metadata': { 'type': 'SP.Data.TestListItem' }, 'Title': 'TestUpdated'}
headers:
Authorization = "Bearer " + accessToken
X-RequestDigest = form digest value
“IF-MATCH”: etag or “*”
“X-HTTP-Method”:”MERGE”,
accept: "application/json;odata=verbose"
content-type: "application/json;odata=verbose"
content-length:1024
Edit a List Item
65. • Used to prevent replay attacks
• Updates will fail without digest value
• Local
• $("#__REQUESTDIGEST").val()
• Remote
• POST to /_api/contextinfo
72. App Web
• Not primary user
context
• Declarative artifacts or
code
• Iterative deployments
destroy content
• Only provisioned via
SPHA or PHA with
declarative artifacts
Host Web
• Code only – no
declarative artifacts
• Requires Cross Domain
calls
• Injection remnants
difficult to remove
73. • On-Premise
• Modify and manipulate – do not replace
Master Pages
•PHA: External (CDN)
•SPHA: External or App Web
Dependencies
• On-Premise: Declarative or Programmatic
• Online: Programmatic
Assets
•Do not rely upon remote event receivers
•Beware the dangers of injection
Retraction
74.
75. • Apps
• SSL
• DNS
• [PHA] Server to Server (S2S) High Trust or Hybrid Low Trust
Configuration
• [SHA] None
• [PHA] Servers, Networking, Authentication, Admin Access
Resources
•Corporate Catalog
•Developer Site
•Store
Distribution
76. • Apps
Configuration
• [SHA] None
• [PHA] Servers, Networking, Authentication, Admin Access
Resources
• Corporate Catalog
• Developer Site
• Store
Distribution
90. • Common web standards
• Language & platform agnostic (HTML + JavaScript)
• Desktop or Browser
• Text
• HTML
• OOXML
• Table
• Matrix
91. • Base Requirement
• Callbacks
• Word, Excel, PowerPoint, Access,
Outlook, Project
• Typed Objects
• Promises
• Word, Excel
92. Capability Word Excel PowerPoint Outlook Project
Get/set data as text, table or matrix All All Text N/A Text
Settings All All All Roaming N/A
Get file All N/A Compressed N/A N/A
Bindings All All N/A N/A N/A
Custom XML Parts All N/A N/A N/A N/A
HTML and OOXML All N/A N/A N/A N/A
Mailbox N/A N/A N/A All N/A
93.
94.
95.
96. • Submit to Office store
• Configure licensing
• Individual purchase*
Store
• Upload to Corporate Catalog in Office 365
• Add from Ribbon or Settings
Catalog
•Copy to network share
•Set trusted location in Office client
•Add from Developer ribbon
File Share
104. Bound to single AD domain
Cannot be accessed by other domains
Simplified authorization model
Owned by single authorizing domain
Accessible by any Azure AD domain
Authorized by Azure admin for individual domains
App owner must manage tenant registration
107. Developers cannot modify login experience
User interface is suboptimal
Access to resources requires permission definition
OAuth tokens for O365
POST to app with user/tenant details
App launcher in O365
Users notified of app availability in alerts
108. Authorization
Exchange
authorization codes
for access tokens
Refresh tokens enable
long-lived sessions
Designed for native
clients and server-side
API’s
Client
Credential
Requires app
authorization consent
from administrator
Shared secrets or
certificates used to
request tokens
Designed for service
apps and server-to-
server scenarios
Implicit
Retrieve access tokens
directly from single
endpoint
No refresh tokens
(local session
management only)
Designed for SPA's
(requires manifest
modification)
109. Manifest: oauth2AllowImplicitFlow = true
Token and authorization endpoints
Tenant ID = “common” for multi-tenant
WSFED “common” endpoint
Non-customizable consent page in MSFT domain
GET: https://login.microsoftonline.com/common/oauth2/authorize?client_id={client
ID}& response_type=token&redirect_uri={redirect URI}&prompt=admin_consent
110. Application
Delegated
Minimum: “Sign in and read user profile”
Beware permission level restrictions
Exchange Yammer Azure AD
SharePoint Online Power BI Azure Management
O365 Management Skype
126. • Windows Server
• IIS
• ASP.NET
• SharePoint Server
Framework
•.NET (C#/VB)
•SharePoint Server OM
•CAML/XOML
Languages and API’s
• Visual Studio
Tools
127. • Browser
• Server
• Mobile
Framework
•HTML, JavaScript (JQuery, Knockout, Angular, React, etc.)
•CSOM, JSOM, REST, Office JS, Graph, OAuth
•C#, VB, Java, PHP, Python, Ruby, Others
Languages and API’s
• Visual Studio
• VS Code
• IDE of choice
Tools
128. Skills
• HTML + CSS
• Adv. JavaScript
• OAuth
• TypeScript
Software
• Code Editor (Any)
• Node.js/NPM/Gulp
• Yeoman Generator
Services
• SP Online
• CDN
• Git
OS
• Windows
• Mac
• Linux
Platform
• Cloud
• On-Premises
129. TypeScript - JavaScript superset w/ typed objects, classes &extension methods
Node.js - Web server and component packaging extensions
NPM – Packaging and module management utility
Gulp – Task runner and build automation
Yeoman – Project scaffolding generator
CDN – Content delivery network (or location) for hosting
source files
React – JavaScript library of UI components
Office Fabric – Office-centric set of React UI components
133. Patience
Lots of disk space
Love of command-line utilities
More patience
A good helmet
A virtual machine with lots of snapshots
Vesa’s email address
AC’s mobile number
Fond memories of real development in Visual Studio
A new career path?
134. • Install the v8.x LTM release of Node.js from
https://nodejs.org/download/release/latest-v8.x/
• Run the x64 MSI (includes NPM)
npm install –g npm@3
nvm use 6.11.0
• Install Yeoman and Gulp: npm install –g yo gulp
• Install SPFx Yeoman generator: npm install –g
@microsoft/generator-sharepoint
• Install code editor (VS Code, Atom, Webstorm, etc.)
137. Web Part
• In-context
page
component
• Customizable
property
pane
• Connectable
• Scope: Page
Application
Customizer
• Script
injection
onto pages
• Defined
DOM
element
identifiers
• Scope: Site
Command Set
• Modify list
and item
menus
• Custom
dialogs
• Scope: List
Field
Customizer
• Change
display
options for
field
elements
• Scope: List
139. • Local test environment for
Framework solutions
• No live data integration
• Mockup and formatting only
• Simulate data operations with mock
objects
• Launch with “gulp serve”
command
• Preview changes prior to
publication
143. • Placeholders
• DOM elements
• Menus
• Data Views
• Fields
• Global via CSOM/REST
• Sites via Feature Framework
144. loadSPFX Force loading of SPFx
debugManifestsFile Load extension from localhost
componentType Create a mock SP component
key Extension GUID
location Type of extension
properties Extension property collection
?loadSPFX=true&debugManifestsFile=https://localhost:4321/temp
/manifests.js&customActions={"e5625e23-5c5a-4007-a335-
e6c2c3afa485":{"location":"ClientSideExtension.ApplicationCus
tomizer","properties":{"testMessage":"Hello as property!"}}}
149. • Only ListView is currently supported
• Shown only on the Command Bar
• Size is 16 x 16
• Can be a fixed URL or a ”data” element comprised of MIME Type
+ Base64-encoded string
150. • Called in response to command invocation (i.e. the menu item is
selected).
• Fires for each command in response to changes in the ListView
that require re-rendering.
151.
152. • Alter text
• Display graphics
• Custom validation
• Concatenate field values
• KPI Indicators
153. • Called when the extension is activated on the page. Occurs after
CONTEXT and PROPERTIES are assigned.
• Fires when each cell is rendered.
• Fires immediately before the dell is deleted. Use to deallocate
resources (such as UI elements).
161. @microsoft/graph-http
• Read and write all groups
• Read all usage reports
https://docs.microsoft.com/en-
us/sharepoint/dev/spfx/overview-graphhttpclient
169. • Do not rely on global parameters
• Pass a function as a parameter that gets current values at time of
execution
• Apply changes to multiple properties individually
173. ✘• Completely violates
established (best)
practices of separation
of concerns [MVP, MVC,
MVVM]
• Markup is embedded
with logic – no views
whatsoever - JSX is an
abomination
• Virtual DOM is
imprecise and state is
inconsistent.
• It’s fast. So what? (REST
will always be slow)
OAuth is an open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.
Grew out of collaboration between Twitter, Google, and other social computing vendors, as a means to provide user access and API integration, primarily via OpenID, without requiring individual accounts.
?loadSpfx=true&debugManifestsFile=https://localhost:4321/temp/manifests.js&customActions={”[GUID]":{"location":"ClientSideExtension.ListViewCommandSet.CommandBar","properties":{"sampleTextOne":"One item is selected in the list.","sampleTextTwo":"This command is always visible."}}}