SharePoint and Office Development Workshop

@eshupps sharepointcowboywww.sharepointcowboy.com
slideshare.net/eshupps linkedin.com/in/eshupps
Eric Shupps
Office Servers & Services MVP

Introduction
SharePoint Add-Ins
Office Add-Ins
Azure Web Applications
SharePoint Framework

http://www.slideshare.net/eshupps
https://www.github.com/eshupps

Solution Design
Skills and Prerequisites
Development Models
API’s
OAuth

Solution
Full
Trust
Sandbox
FeatureManifest
Web
Part
WSP
Platform
Add-In
OAuth
Azure AD
SSO
Remote
API’s
Web
Sites
App
Part
Consent
Application & Publishing Pages Framework

Web Parts
App Parts / Framework
WP
Application Pages Web Pages
Timer Jobs Web Jobs
List Templates Code
Web Templates Provisioning
Event Receivers Remote Event Receivers

• Windows Server
• IIS
• ASP.NET
• SharePoint Server
Framework
•.NET (C#/VB)
•SharePoint Server OM
•CAML/XOML
Languages and API’s
• Visual Studio
Tools

• Browser
• Server
• Mobile
Framework
•HTML, JavaScript (JQuery, Knockout, Angular, React, etc.)
•CSOM, JSOM, REST, Office JS, Graph, OAuth
•C#, VB, Java, PHP, Python, Ruby, Others
Languages and API’s
• Visual Studio
• VS Code
• IDE of choice
Tools

Full Trust
Coverage
Capability
Integration
Familiarity
Add-Ins
Contextual
PHA/SHA
Extensibility
Framework
X-Platform
Customizations
Modern
Azure
Flexible
SSO
Multi-Tenant
Deployment

• Provider Hosted (External)
• SharePoint Hosted (Internal)
Environment
•CSOM/JSOM
•REST/Unified
API’s
• OAuth
• Consent Framework
Security
•Store
•Catalog
Deployment

•Provider Hosted (External)Environment
•Office JS
•REST
API’s
• OAuth
Security
•Store
•File
Deployment

• Provider Hosted (External)Environment
•CSOM/JSOM
•REST/Unified
API’s
• Azure AD
• OAuth
Security
•Marketplace
•Azure Portal
Deployment

Host Web
API’s
Azure
Web
Site
App Launcher

Resource
Owner
Grants access to a
protected
resource
Resource
Server
Hosts the
protected
resource and
accepts access
requests
Client
Application
making protected
resource requests
on behalf of the
resource owner
Authorization
Server
Issues access
tokens

Client
Resource
Owner
Authorization
Server
Resource
Server
Authorization Request
Authorization Grant
Authorization Grant
Access Token
Access Token
Protected Resource

User requests
access
App requests
Request Token
Provider returns
Request Token
App builds auth
link w/ Request
Token
User requests URL +
Request Token
Provider returns
access token
User requests URL +
Access Token
App validates
access token
Access token
validated
User granted
access
1
2
3

User requests
access
App requests
Access Token
Provider returns
Access Token
App builds auth
link w/ Access
Token
User requests URL +
Access Token
App validates
access token
Access token
validated
User granted
access
1
2

Manages identity information for principals (STS)Identity Provider
Handles requests for trusted identity claimsSecurity Token Service
Identity provider associated with a web applicationIdentity Token Issuer
Trusted resource (farm, server, etc.)Security Token Issuer
Resource information and signing certificate (JSON)Metadata Endpoint
Used to request permission to protected resourceRequest Token
Used by App to access resource on behalf of userAccess Token
Operation scope for authorizationRealm
Cloud-based security token service (IP-STS)Azure ACS

App establishes context
SP validates S2S trust
App requests access token
from SP
Browser POSTS parameters to
App
SP returns parameters
User browses to App
OnPremise
App establishes context
ACS provides access token
App requests access token from ACS
Browser POSTS request token to app
SP sends request tokens to browser
SP gets request token from ACS
User browses to app
Online
1
2 3
4
5
6
7
8 9

OnPremise
Online
Establish client context
Get access token with S2S
Get claims from Windows
identity
Get request parameters
Get client context from SP with access token
Get access token
Read and validate context token
Parse out Context Token
Get POST parameters from SP

Client ID App URL
Tenant ID
Tenant ID
Azure ACS
Start
End
SharePoint
Tenant ID
User ID + Issuer + App + Realm
IP-STS URL
Browser or Event Receiver
Token sent to IP-STS (Azure ACS)

{
"typ":"JWT"
"alg":"RS256"
"x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}.{"aud":
"00000003-0000-0ff1-ce00- 000000000000
/binarywaveinc.sharepoint.com@
2ae1caa2-a173-4989-b8f5-9da45655b8f4"
"iss":"00000001-0000-0000-c000-000000000000@
2ae1caa2-a173-4989-b8f5-9da45655b8f4"
"nbf":1400013357
"exp":1400056557
"nameid":"1003000086ad02d6"
"actor":"c90047b7-392a-42e7-8c52-65afa92e5d0d@
2ae1caa2-a173-4989-b8f5-9da45655b8f4"
"identityprovider":"urn:federation:microsoftonline“
}
SharePoint
Host Web
Tenant ID
Start
Azure ACS
Tenant ID
End
Tenant ID
UPN
STS ID

Introduction
Model
Security
Customizations
Deployment

HTTP-based web service architecture that
uses nouns and verbs to define operations
Noun: “Items”
Verbs: GET, POST, PUT, DELETE
OData provides metadata, object typing and
query semantics for underlying data
structure (WCF data services)
/items(0)
Client Object Model service (client.svc)
processes queries, interacts with server OM,
returns formatted response (JSON, XML)
/items/GetByTitle(‘foo’)

Client.svc
Server
OM
Content
DB
READ
CREATE
UPDATE
DELETE
POST
GET
PUT, MERGE, DELETE

http://contoso/_api/items/GetById(1)?$select=Title,ID
Location Service Resource Path Query Options

http://<site collection>/<site>/_api/sites/features/GetById(guid’<value>’)
http://<site collection>/<site>/_api/sites/eventreceivers
View Event Receivers
http://<site collection>/<site>/_api/web/webinfos/add
{ 'd' :{
'parameters': {
'__metadata': {'type': 'SP.WebInfoCreationInformation' },
'Url': 'RestSubWeb',
'Title': 'RestSubWeb',
'Description': 'rest created web',
'Language':1033,
'WebTemplate':'sts',
'UseUniquePermissions':false}
}}
Create a Site
Get Feature

http://<site collection>/<site>/_api/lists
Get All Lists
http://<site collection>/<site>/_api/lists/GetByTitle(‘Shared Documents’)
Get List
http://<site collection>/<site>/_api/lists/GetByTitle(‘Shared Documents’)/items/GetById(0)
Get List Item
http://<site collection>/<site>/_api/lists/GetByTitle(‘Shared Documents’)/items/
GetById(1)?$select=Title,ID
Get List Item with Specific Properties

http://<site collection>/<site>/_api/search/query?queryText=‘Value’
Simple Term
http://<site collection>/<site>/_api/search/query?queryText=‘PreferredName:
Robert Smith’
Item Property
http://<site collection>/<site>/_api/search/suggest?queryText=‘quarterly sales’
Suggestions

http://<site collection>/<site>/_api/social.following/followed
Get Followed Users
http://<siteCollection>/<site>/_api/social.following/my/followeddocumentsuri
Get Followed Documents
http://<site collection>/<site>/_api/sp.userprofiles.peoplemanager/getmysuggestions
Get Suggestions
http://<siteCollection>/<site>/_api/sp.userprofiles.peoplemanager/
getpeoplefollowedby(accountName=@v)?@v='domainuser'
Get Followers

http://<site>/_api/Web/Lists(guid’<value>′)/Items(1)/FieldValuesAsHtml
HTML Values
http://<site>/_api/web/lists/getbytitle(‘Products’)/items()/?$select=Title,
Price,effectivebasepermissions
Get Permissions
http://<site>/_api/web/lists/getbytitle('Products')/items()?$select=Title,
Price,Supplier_/Title&$expand=Supplier_/Title
Join

http://<site>/_api/web/lists/getbytitle(‘Products’)/items/?$filter=Price gt 30000
Filter with Comparison
http://<site>/_api/web/lists/getbytitle(‘Products’)/items()?
$select=Title,Price,Supplier_/Title&$expand=Supplier_/Title&$filter=Supplier_/Title
eq ‘Acme’
Join with Filter
http://<site collection>/<site>/_api/web/lists('<guid>')/items$top=10
Top ‘N’ Results

url: http://site url/_api/web/lists/GetByTitle(‘Test')/items
method: POST
body: { '__metadata': { 'type': 'SP.Data.TestListItem' }, 'Title': 'Test'}
headers:
Authorization = "Bearer " + accessToken
X-RequestDigest = form digest value
accept: "application/json;odata=verbose"
content-type: "application/json;odata=verbose"
content-length:1024
Create a List Item
url: http://site url/_api/web/lists/GetByTitle(‘Test')/items(item id)
method: POST
body: { '__metadata': { 'type': 'SP.Data.TestListItem' }, 'Title': 'TestUpdated'}
headers:
Authorization = "Bearer " + accessToken
X-RequestDigest = form digest value
“IF-MATCH”: etag or “*”
“X-HTTP-Method”:”MERGE”,
accept: "application/json;odata=verbose"
content-type: "application/json;odata=verbose"
content-length:1024
Edit a List Item

• Used to prevent replay attacks
• Updates will fail without digest value
• Local
• $("#__REQUESTDIGEST").val()
• Remote
• POST to /_api/contextinfo

PermissionsAuthorizationAuthentication

App Web
• Not primary user
context
• Declarative artifacts or
code
• Iterative deployments
destroy content
• Only provisioned via
SPHA or PHA with
declarative artifacts
Host Web
• Code only – no
declarative artifacts
• Requires Cross Domain
calls
• Injection remnants
difficult to remove

• On-Premise
• Modify and manipulate – do not replace
Master Pages
•PHA: External (CDN)
•SPHA: External or App Web
Dependencies
• On-Premise: Declarative or Programmatic
• Online: Programmatic
Assets
•Do not rely upon remote event receivers
•Beware the dangers of injection
Retraction

Data Sources
• Lists
• Managed
Metadata
• Search
• BCS
• External
Components
• Master Pages
• Client Web Parts
• Scripts

• Apps
• SSL
• DNS
• [PHA] Server to Server (S2S) High Trust or Hybrid Low Trust
Configuration
• [SHA] None
• [PHA] Servers, Networking, Authentication, Admin Access
Resources
•Corporate Catalog
•Developer Site
•Store
Distribution

• Apps
Configuration
• [SHA] None
• [PHA] Servers, Networking, Authentication, Admin Access
Resources
• Corporate Catalog
• Developer Site
• Store
Distribution

Introduction
Components
Model
Creation
Deployment

• Manifest
• App
• Content
• Images
• Scripts

• Common web standards
• Language & platform agnostic (HTML + JavaScript)
• Desktop or Browser
• Text
• HTML
• OOXML
• Table
• Matrix

• Base Requirement
• Callbacks
• Word, Excel, PowerPoint, Access,
Outlook, Project
• Typed Objects
• Promises
• Word, Excel

Capability Word Excel PowerPoint Outlook Project
Get/set data as text, table or matrix All All Text N/A Text
Settings All All All Roaming N/A
Get file All N/A Compressed N/A N/A
Bindings All All N/A N/A N/A
Custom XML Parts All N/A N/A N/A N/A
HTML and OOXML All N/A N/A N/A N/A
Mailbox N/A N/A N/A All N/A

• Submit to Office store
• Configure licensing
• Individual purchase*
Store
• Upload to Corporate Catalog in Office 365
• Add from Ribbon or Settings
Catalog
•Copy to network share
•Set trusted location in Office client
•Add from Developer ribbon
File Share

Introduction
Model
Security
Creation and Configuration
Deployment

Bound to single AD domain
Cannot be accessed by other domains
Simplified authorization model
Owned by single authorizing domain
Accessible by any Azure AD domain
Authorized by Azure admin for individual domains
App owner must manage tenant registration

Developers cannot modify login experience
User interface is suboptimal
Access to resources requires permission definition
OAuth tokens for O365
POST to app with user/tenant details
App launcher in O365
Users notified of app availability in alerts

Manifest: oauth2AllowImplicitFlow = true
Token and authorization endpoints
Tenant ID = “common” for multi-tenant
WSFED “common” endpoint
Non-customizable consent page in MSFT domain
GET: https://login.microsoftonline.com/common/oauth2/authorize?client_id={client
ID}& response_type=token&redirect_uri={redirect URI}

Application
Delegated
Minimum: “Sign in and read user profile”
Beware permission level restrictions
Exchange Yammer Azure AD
SharePoint Online Power BI Azure Management
O365 Management Skype

Visual Studio templates are incomplete
• Database
• Tenants, IssuingAuthorityKeys, SignupTokens
• Registration Module
• XML Response Parser
• Tenant and User Information
• Auth Tokens
• Federation, Realm and Identity Configuration
• HTTPS Redirection
• Sign-In Page (optional)

• AD Apps
• SSL
• DNS
• SSO
• Permissions
• Multi-tenant
Configuration
•Servers, Networking, Authentication, Admin Access
•Azure AD Premium*
Resources
• Admin Authorization
• User/Group Assignment*
Distribution

Introduction
Setup
Creation
Deployment

Server-side component that hosts SPFx elementsCanvas
Local canvas instance used for offline testingWorkbench
Web server and component packaging extensionsNode.js
Task runner similar to MSBuildGulp
Generates base project output from templatesYeoman Generator
JavaScript superset providing typed objects, classes &extension methodsTypeScript
Used to deploy SPFx components (same as add-ins)Catalog
JavaScript framework used in core components (optional)React

Skills
• HTML + CSS
• Adv. JavaScript
• Oauth
• TypeScript
Software
• Code Editor (Any)
• Node.js/NPM/Gulp
• Yeoman Generator
Services
• SP Online
• CDN

• Node.js
• NPM
• GitHub
• VS Code (optional)
• Node.js
• NPM
• GitHub
• Homebrew (optional)
• NVM (optional)
• VS Code (optional)

Patience
Lots of disk space
Love of command-line utilities
More patience
A good helmet
A virtual machine with lots of snapshots
Vesa’s email address
Waldek’s mobile number
Fond memories of real development in Visual Studio
A new career path

SharePoint and Office Development Workshop

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (9)

Similar to SharePoint and Office Development Workshop

Similar to SharePoint and Office Development Workshop (20)

More from Eric Shupps

More from Eric Shupps (16)

Recently uploaded

Recently uploaded (20)

SharePoint and Office Development Workshop

Editor's Notes