
Deep Dive into Security and OAuth

In this lab, you will create apps that use different approaches for OAuth security management and examine the process flow.

Prerequisites

  1. You must have an Office 365 tenant and Windows Azure subscription to complete this lab. If you do not have one, the lab for O3651-7 Setting up your Developer environment in Office 365 shows you how to obtain a trial.
  2. You must have [Fiddler](http://www.telerik.com/fiddler) installed.

Exercise 1: OAuth in a Provider-Hosted App

In this exercise you create a new provider-hosted app and examine the OAuth flow.

  1. Create the new solution in Visual Studio 2013:
     1. Launch Visual Studio 2013 as administrator.
     2. In Visual Studio select File/New/Project.
     3. In the New Project dialog:
        1. Select Templates/Visual C#/Office/SharePoint/Apps.
        2. Click App for SharePoint 2013.
        3. Name the new project ProviderHostedOAuth and click OK.
     4. In the New App for SharePoint wizard:
        1. Enter the address of a SharePoint site to use for testing the app (NOTE: the targeted site must be based on a Developer Site template).
        2. Select Provider-Hosted as the hosting model.
        3. Click Next.
        4. Select ASP.NET MVC Web Application.
        5. Click Next.
        6. Select the option labeled Use Windows Azure Access Control Service (for SharePoint cloud apps).
        7. Click Finish.
        8. When prompted, log in using your O365 administrator credentials.
        9. After the new project is created, set breakpoints in HomeController.cs as shown.
  2. Start Fiddler to capture web traffic from your app:
     1. In Fiddler click Tools/Fiddler Options.
     2. Click HTTPS.
     3. Check the box entitled Decrypt HTTPS Traffic.
     4. When warned, click Yes to trust the Fiddler root certificate.
     5. Confirm any additional dialog boxes to install the certificate.
     6. Click OK to close the options dialog.
  3. Debug the app:
     1. Press F5 in Visual Studio 2013 to start debugging.
     2. When prompted, sign into Office 365.
     3. When prompted, click Trust It.
     4. When the first breakpoint is hit, look for the session in Fiddler near the bottom of the list.
     5. Right click the session and select View in New Window.
     6. Click the Web Forms tab.
     7. Notice that SharePoint has included the SPHostUrl, SPLanguage, SPClientTag, and SPProductNumber query string parameters in the initial call. These are known as the Standard Tokens.
     8. Notice that the context token is included in the body as SPAppToken.
     9. Close the window.
     10. Return to Visual Studio, and press F5 to continue debugging.
     11. When the second breakpoint is hit, look for the session in Fiddler near the bottom of the list.
     12. Right click the session and select View in New Window.
     13. Click the Headers tab and examine the access token in the Cookies/Login section.
     14. Return to Visual Studio, and press F5 to continue debugging.
     15. With the app still running, open a new browser window to /_layouts/15/AppPrincipals.aspx.
     16. Look for ProviderHostedOAuth in the list of registered apps to confirm that the app was registered during debugging.
     17. Stop debugging.
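The launch request you inspect in Fiddler during Exercise 1, as an added example that is not code from the lab or from the generated project: it parses a constructed capture of the same shape (Standard Tokens in the query string, SPAppToken in the form body) and checks the context token's HMAC-SHA256 signature with the client secret, its validity window and its audience before trusting any claim in it, which is the validation the generated TokenHelper.cs performs in the real app. All ids, the secret and the timestamp are placeholders.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, quote, urlsplit

# Query-string parameters SharePoint adds to the app launch (the Standard Tokens).
STANDARD_TOKENS = ("SPHostUrl", "SPLanguage", "SPClientTag", "SPProductNumber")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_context_token(claims: dict, client_secret: str) -> str:
    """Build an HS256 JWT in the shape of SPAppToken (constructed sample, not a real token)."""
    signing_input = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(hs256(client_secret, signing_input))

def inspect_launch_request(url: str, body: str, client_secret: str, expected_aud: str, now: int) -> dict:
    """Pull the Standard Tokens from the query string and SPAppToken from the form body,
    then verify the token (signature, validity window, audience) before trusting its claims."""
    query = parse_qs(urlsplit(url).query)
    standard = {k: query[k][0] for k in STANDARD_TOKENS if k in query}
    token = parse_qs(body)["SPAppToken"][0]
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))  # decoded only; trusted only if all checks pass
    checks = {
        "signature_valid": hmac.compare_digest(hs256(client_secret, f"{header_b64}.{payload_b64}"), b64url_decode(sig_b64)),
        "within_validity": claims["nbf"] <= now < claims["exp"],
        "audience_matches": claims["aud"] == expected_aud,
    }
    return {"standard_tokens": standard, "claims": claims, "checks": checks, "trusted": all(checks.values())}

# Constructed sample launch request with placeholder ids (not captured from a real tenant).
SECRET = "constructed-client-secret"
TENANT = "22222222-2222-2222-2222-222222222222"
AUD = f"11111111-1111-1111-1111-111111111111/localhost:44300@{TENANT}"
NOW = 1_700_000_000
SAMPLE_URL = ("https://localhost:44300/?SPHostUrl=" + quote("https://contoso.sharepoint.com/sites/dev", safe="")
              + "&SPLanguage=en-US&SPClientTag=0&SPProductNumber=16.0.0.0")
SAMPLE_BODY = "SPAppToken=" + quote(make_context_token(
    {"aud": AUD, "iss": f"00000001-0000-0000-c000-000000000000@{TENANT}", "nbf": NOW - 60, "exp": NOW + 3600}, SECRET), safe="")

if __name__ == "__main__":
    print(json.dumps(inspect_launch_request(SAMPLE_URL, SAMPLE_BODY, SECRET, AUD, NOW), indent=2))
```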

Exercise 2: OAuth with the O365 APIs

In this exercise you create a new web application and examine the OAuth flow.

  1. Create the new solution in Visual Studio 2013:
     1. Launch Visual Studio 2013 as administrator.
     2. In Visual Studio select File/New/Project.
     3. In the New Project dialog:
        1. Select Templates/Visual C#/Web.
        2. Click ASP.NET Web Application.
        3. Name the new project OfficeOAuth and click OK.
     4. In the New ASP.NET Project dialog, select Web API.
     5. Check Host in the Cloud.
     6. Click Change Authentication.
     7. In the Change Authentication dialog:
        1. Click No Authentication.
        2. Click OK.
     8. Click OK.
     9. If prompted, sign into Windows Azure.
     10. When the Configure Windows Azure Sites Settings dialog appears, make appropriate selections for your project.
     11. Click OK.
  2. If you do not have the Office 365 API Tools installed:
     1. Click Tools/Extensions and Updates.
     2. In the Extensions and Updates dialog, click Online.
     3. Click Visual Studio Gallery.
     4. Type Office 365 in the search box.
     5. Click Office 365 API Tools - Preview.
     6. Click Install.
  3. Add an O365 connection:
     1. Right click the OfficeOAuth project and select Add/Connected Service.
     2. In the Services Manager dialog, click Sign In.
     3. Sign in with your managed account.
     4. Click Calendar.
     5. Click Permissions.
     6. Check Read user's calendar.
     7. Click Apply.
     8. Click OK.
  4. Update the Home Controller:
     1. Expand the Controllers folder and open HomeController.cs.
     2. Replace the Index method with the following code:

        ```csharp
        // CalendarAPISample is the helper class the Office 365 API Tools added
        // to the project when you connected the Calendar service above.
        public async Task<ActionResult> Index()
        {
            IOrderedEnumerable<IEvent> events = await CalendarAPISample.GetCalendarEvents();
            ViewBag.Events = events;
            return View();
        }
        ```
  5. Update the Index View:
     1. Expand the Views/Home folders and open Index.cshtml.
     2. Replace all of the code with the following:

        ```cshtml
        <div style="margin:25px;">
            <table>
                <tr>
                    <th>Start</th>
                    <th>End</th>
                    <th>Subject</th>
                    <th>Location</th>
                </tr>
                @foreach (var Event in ViewBag.Events)
                {
                    <tr>
                        <td>
                            <div style="width:200px;">@Event.Start.ToString()</div>
                        </td>
                        <td>
                            <div style="width:200px;">@Event.End.ToString()</div>
                        </td>
                        <td>
                            <div style="width:200px;">@Event.Subject</div>
                        </td>
                        <td>
                            <div style="width:200px;">@Event.Location.DisplayName</div>
                        </td>
                    </tr>
                }
            </table>
        </div>
        ```
  6. Debug the app:
     1. Start **Fiddler**.
     2. Press **F5** in Visual Studio 2013 to debug the application.
     3. When prompted, log in to Office 365 with your managed account.
     4. Verify that the application displays your calendar information.
     5. In **Fiddler**, locate the session entry containing the query string parameter **code**. This is the Authorization Code returned from Azure Access Control Services.<br/>
        ![](Images/16.png?raw=true "Figure 16")
     6. Right click the session and select **Inspect in New Window**.
     7. In the session window, click the **Web Forms** tab.
     8. Examine the authorization code.<br/>
        ![](Images/17.png?raw=true "Figure 17")
     9. Close the window.
     10. Stop debugging.
  7. Examine the Windows Azure configuration:
     1. Log into the [Windows Azure Portal](https://manage.windowsazure.com).
     2. Click **Active Directory**.
     3. Select your Azure Active Directory instance.
     4. Click on the app entitled **OfficeOAuth.Office365App**. This entry was made for you by the Office 365 tools in Visual Studio.
     5. Click **Configure**.
     6. Scroll to the section entitled **Permissions to Other Applications**.
     7. Examine the **Office 365 Exchange Online** permissions. These are the permissions you granted in Visual Studio.<br/>
        ![](Images/18.png?raw=true "Figure 18")

**Congratulations! You have completed investigating OAuth in Office 365.**