This document provides an overview of Eric Shupps' background and areas of expertise including SharePoint add-ins, Office add-ins, Azure web applications, and the SharePoint Framework. It discusses solution design, development models, APIs, tools, languages, and deployment options for these platforms. The document also covers topics like permissions, authorization, authentication, and provides comparisons of what approaches work versus what doesn't work across different development models.
8. Web Parts → App Parts / Framework Web Parts
Application Pages → Web Pages
Timer Jobs → Web Jobs
List Templates → Code
Web Templates → Provisioning
Event Receivers → Remote Event Receivers
10. Framework
• Windows Server
• IIS
• ASP.NET
• SharePoint Server
Languages and APIs
• .NET (C#/VB)
• SharePoint Server OM
• CAML/XOML
Tools
• Visual Studio
11. Framework
• Browser
• Server
• Mobile
Languages and APIs
• HTML, JavaScript (jQuery, Knockout, Angular, React, etc.)
• CSOM, JSOM, REST, Office JS, Graph, OAuth
• C#, VB, Java, PHP, Python, Ruby, others
Tools
• Visual Studio
• VS Code
• IDE of choice
31. Resource Owner: grants access to a protected resource
Resource Server: hosts the protected resource and accepts access requests
Client: application making protected resource requests on behalf of the resource owner
Authorization Server: issues access tokens
33. Flow with request token:
1. User requests access
2. App requests Request Token
3. Provider returns Request Token
4. App builds auth link w/ Request Token
5. User requests URL + Request Token
6. Provider returns access token
7. User requests URL + Access Token
8. App validates access token
9. Access token validated
10. User granted access
34. Flow without request token:
1. User requests access
2. App requests Access Token
3. Provider returns Access Token
4. App builds auth link w/ Access Token
5. User requests URL + Access Token
6. App validates access token
7. Access token validated
8. User granted access
36. Identity Provider: manages identity information for principals (STS)
Security Token Service: handles requests for trusted identity claims
Identity Token Issuer: identity provider associated with a web application
Security Token Issuer: trusted resource (farm, server, etc.)
Metadata Endpoint: resource information and signing certificate (JSON)
Request Token: used to request permission to a protected resource
Access Token: used by the app to access a resource on behalf of the user
Realm: operation scope for authorization
Azure ACS: cloud-based security token service (IP-STS)
40. OnPremise
1. User browses to App
2. SP returns parameters
3. Browser POSTs parameters to App
4. App requests access token from SP
5. SP validates S2S trust
6. App establishes context
Online
1. User browses to app
2. SP gets request token from ACS
3. SP sends request tokens to browser
4. Browser POSTs request token to app
5. App requests access token from ACS
6. ACS provides access token
7. App establishes context
41. OnPremise
1. Get request parameters
2. Get claims from Windows identity
3. Get access token with S2S
4. Establish client context
Online
1. Get POST parameters from SP
2. Parse out Context Token
3. Read and validate context token
4. Get access token
5. Get client context from SP with access token
44. [Diagram: token flow from Browser or Event Receiver through SharePoint to Azure ACS (IP-STS). Labels: Start, End, Client ID, App URL, Tenant ID, User ID + Issuer + App + Realm, IP-STS URL, Token sent to IP-STS (Azure ACS)]
60. HTTP-based web service architecture that uses nouns and verbs to define operations
Noun: "Items"
Verbs: GET, POST, PUT, DELETE
OData provides metadata, object typing and query semantics for the underlying data structure (WCF Data Services)
/items(0)
Client Object Model service (client.svc) processes queries, interacts with the server OM, and returns a formatted response (JSON, XML)
/items/GetByTitle('foo')
65. Get All Lists
http://<site collection>/<site>/_api/lists
Get List
http://<site collection>/<site>/_api/lists/GetByTitle('Shared Documents')
Get List Item
http://<site collection>/<site>/_api/lists/GetByTitle('Shared Documents')/items/GetById(0)
Get List Item with Specific Properties
http://<site collection>/<site>/_api/lists/GetByTitle('Shared Documents')/items/GetById(1)?$select=Title,ID
69. Get Followed Users
http://<site collection>/<site>/_api/social.following/followed
Get Followed Documents
http://<site collection>/<site>/_api/social.following/my/followeddocumentsuri
Get Suggestions
http://<site collection>/<site>/_api/sp.userprofiles.peoplemanager/getmysuggestions
Get Followers
http://<site collection>/<site>/_api/sp.userprofiles.peoplemanager/getpeoplefollowedby(accountName=@v)?@v='domainuser'
72. Filter with Comparison
http://<site>/_api/web/lists/getbytitle('Products')/items/?$filter=Price gt 30000
Join with Filter
http://<site>/_api/web/lists/getbytitle('Products')/items()?$select=Title,Price,Supplier_/Title&$expand=Supplier_/Title&$filter=Supplier_/Title eq 'Acme'
Top 'N' Results
http://<site collection>/<site>/_api/web/lists('<guid>')/items?$top=10
74. Create a List Item
url: http://site url/_api/web/lists/GetByTitle('Test')/items
method: POST
body: { '__metadata': { 'type': 'SP.Data.TestListItem' }, 'Title': 'Test' }
headers:
Authorization = "Bearer " + accessToken
X-RequestDigest = form digest value
accept: "application/json;odata=verbose"
content-type: "application/json;odata=verbose"
content-length: 1024
Edit a List Item
url: http://site url/_api/web/lists/GetByTitle('Test')/items(item id)
method: POST
body: { '__metadata': { 'type': 'SP.Data.TestListItem' }, 'Title': 'TestUpdated' }
headers:
Authorization = "Bearer " + accessToken
X-RequestDigest = form digest value
IF-MATCH: etag or "*"
X-HTTP-Method: MERGE
accept: "application/json;odata=verbose"
content-type: "application/json;odata=verbose"
content-length: 1024
75. • Used to prevent replay attacks
• Updates will fail without digest value
• Local: $("#__REQUESTDIGEST").val()
• Remote: POST to /_api/contextinfo
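The remote digest path from slides 74 and 75, as an added Node.js example (not from the deck): parse the /_api/contextinfo response, track when the digest expires, and build the create and MERGE requests with the headers the slide lists. The response body is constructed in the shape the verbose OData format returns; the access token, list type and etag are placeholders.

```javascript
// Constructed sample of a POST /_api/contextinfo response (odata=verbose).
const SAMPLE_CONTEXTINFO = JSON.stringify({
  d: { GetContextWebInformation: {
    FormDigestValue: "0xCONSTRUCTEDDIGEST,2024-01-01T00:00:00Z",
    FormDigestTimeoutSeconds: 1800 } }
});

// Record the digest together with its expiry so a remote client refreshes
// it before the timeout instead of having updates rejected.
function parseContextInfo(body, nowMs = Date.now()) {
  const info = JSON.parse(body).d.GetContextWebInformation;
  return { value: info.FormDigestValue,
           expiresAt: nowMs + info.FormDigestTimeoutSeconds * 1000 };
}

// Treat the digest as stale a minute early to cover clock skew and latency.
function digestIsStale(digest, nowMs = Date.now(), marginMs = 60_000) {
  return nowMs + marginMs >= digest.expiresAt;
}

// Build the slide-74 request. op is "create" or "merge". For merge, pass the
// item's real etag so a concurrent edit is not silently overwritten; "*"
// overwrites unconditionally.
function buildListItemRequest({ op, accessToken, digest, fields, listType, etag = "*" }) {
  if (digestIsStale(digest)) throw new Error("form digest expired; re-POST /_api/contextinfo");
  const headers = {
    Authorization: `Bearer ${accessToken}`,
    "X-RequestDigest": digest.value,
    accept: "application/json;odata=verbose",
    "content-type": "application/json;odata=verbose",
  };
  if (op === "merge") {
    headers["IF-MATCH"] = etag;
    headers["X-HTTP-Method"] = "MERGE";
  } else if (op !== "create") {
    throw new Error(`unsupported op ${op}`);
  }
  const body = JSON.stringify({ __metadata: { type: listType }, ...fields });
  headers["content-length"] = String(Buffer.byteLength(body)); // real length, not a fixed 1024
  return { method: "POST", headers, body };
}
```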
82. App Web
• Not primary user context
• Declarative artifacts or code
• Iterative deployments destroy content
• Only provisioned via SPHA or PHA with declarative artifacts
Host Web
• Code only – no declarative artifacts
• Requires cross-domain calls
• Injection remnants difficult to remove
83. Master Pages
• On-Premise
• Modify and manipulate – do not replace
Dependencies
• PHA: External (CDN)
• SPHA: External or App Web
Assets
• On-Premise: Declarative or Programmatic
• Online: Programmatic
Retraction
• Do not rely upon remote event receivers
• Beware the dangers of injection
85. Data Sources
• Lists
• Managed Metadata
• Search
• BCS
• External
Components
• Master Pages
• Client Web Parts
• Scripts
88. Configuration
• Apps
• SSL
• DNS
• [PHA] Server to Server (S2S) High Trust or Hybrid Low Trust
Resources
• [SHA] None
• [PHA] Servers, Networking, Authentication, Admin Access
Distribution
• Corporate Catalog
• Developer Site
• Store
89. Configuration
• Apps
Resources
• [SHA] None
• [PHA] Servers, Networking, Authentication, Admin Access
Distribution
• Corporate Catalog
• Developer Site
• Store
102. • Common web standards
• Language & platform agnostic (HTML + JavaScript)
• Desktop or Browser
• Text
• HTML
• OOXML
• Table
• Matrix
103. • Base Requirement
• Callbacks
• Word, Excel, PowerPoint, Access, Outlook, Project
• Typed Objects
• Promises
• Word, Excel
104. Capability | Word | Excel | PowerPoint | Outlook | Project
Get/set data as text, table or matrix | All | All | Text | N/A | Text
Settings | All | All | All | Roaming | N/A
Get file | All | N/A | Compressed | N/A | N/A
Bindings | All | All | N/A | N/A | N/A
Custom XML Parts | All | N/A | N/A | N/A | N/A
HTML and OOXML | All | N/A | N/A | N/A | N/A
Mailbox | N/A | N/A | N/A | All | N/A
108. Store
• Submit to Office store
• Configure licensing
• Individual purchase*
Catalog
• Upload to Corporate Catalog in Office 365
• Add from Ribbon or Settings
File Share
• Copy to network share
• Set trusted location in Office client
• Add from Developer ribbon
114. Bound to single AD domain
Cannot be accessed by other domains
Simplified authorization model
Owned by single authorizing domain
Accessible by any Azure AD domain
Authorized by Azure admin for individual domains
App owner must manage tenant registration
117. Developers cannot modify login experience
User interface is suboptimal
Access to resources requires permission definition
OAuth tokens for O365
POST to app with user/tenant details
App launcher in O365
Users notified of app availability in alerts
118. Manifest: oauth2AllowImplicitFlow = true
Token and authorization endpoints
Tenant ID = "common" for multi-tenant
WSFED "common" endpoint
Non-customizable consent page in MSFT domain
GET: https://login.microsoftonline.com/common/oauth2/authorize?client_id={client ID}&response_type=token&redirect_uri={redirect URI}
119. Application
Delegated
Minimum: “Sign in and read user profile”
Beware permission level restrictions
Exchange, Yammer, Azure AD, SharePoint Online, Power BI, Azure Management, O365 Management, Skype
131. Canvas: server-side component that hosts SPFx elements
Workbench: local canvas instance used for offline testing
Node.js: web server and component packaging extensions
Gulp: task runner similar to MSBuild
Yeoman Generator: generates base project output from templates
TypeScript: JavaScript superset providing typed objects, classes & extension methods
Catalog: used to deploy SPFx components (same as add-ins)
React: JavaScript framework used in core components (optional)
136. Patience
Lots of disk space
Love of command-line utilities
More patience
A good helmet
A virtual machine with lots of snapshots
Vesa’s email address
Waldek’s mobile number
Fond memories of real development in Visual Studio
A new career path
OAuth is an open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.
Grew out of collaboration between Twitter, Google, and other social computing vendors, as a means to provide user access and API integration, primarily via OpenID, without requiring individual accounts.