App Authentication Overview In SharePoint 2013

Within SharePoint 2013, user authentication is the validation of a user's identity against an authentication provider, that is, the database or directory (for example Active Directory) that holds the users' credentials. The provider checks that the credentials the user submitted are correct. User authentication takes place when a user attempts to access a resource that SharePoint offers.

There are two types of authentication available for user authentication within SharePoint 2013:

  1. Claims-based authentication
  2. Windows classic mode authentication

With claims-based authentication, the SharePoint Security Token Service (STS) issues a claims-based security token for the user. With Windows classic mode authentication, the user is represented by a Windows security token instead. Claims-based authentication is the recommended choice: classic mode is deprecated in SharePoint 2013 and can be configured only from Windows PowerShell, and web applications that use it cannot host the apps that rely on the app authentication described below.

SharePoint 2013 adds app authentication: the validation of a remote SharePoint app's identity, together with the authorization of the app and of the associated user for a request against a secured SharePoint resource. App authentication takes place when an external component of a SharePoint Store app or an App Catalog app, for example a web server located on the intranet or on the Internet, attempts to access a secured SharePoint resource.

If a SharePoint app does not need a secured SharePoint resource to render its page for the user, no app authentication is required. For example, an app that displays stock quotes fetched from a server on the Internet never asks SharePoint for anything protected, so it runs on SharePoint 2013 without app authentication.

App authentication involves two processes:

  1. Authentication: verifying that the app has registered correctly with a common trusted identity broker.
  2. Authorization: verifying that the app and the associated user making the request have the permissions required for the operation, such as accessing a folder or a list, or running a query.

For app authorization to succeed, the app must obtain an access token. The token comes either from Windows Azure Access Control Service (ACS) or, for high-trust apps, from a token the app signs itself with a certificate that SharePoint 2013 trusts. The access token accompanies the request for the specific SharePoint resource. It carries data that identifies the app and the associated user; it does not carry or validate that user's credentials. An access token is therefore not the same as a logon token: presenting one does not sign the user in to SharePoint, it only lets SharePoint evaluate the app's and the user's permissions for that request.
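To make the difference between an access token and a logon token concrete, here is an added example (not code from the article, and not Microsoft's TokenHelper) that decodes a high-trust app access token and checks its claims the way a relying party would after the signature has been verified. It follows the layout the TokenHelper class in a Visual Studio high-trust app project produces: an outer, unsigned JWT that names the user and carries an actortoken claim whose value is the inner JWT signed with the app's certificate. The realm, client id, issuer id, host name, user SID and the sample token itself are all constructed here, and the inner signature is a placeholder, so the RS256 check that SharePoint's STS performs against the registered certificate is deliberately not performed and must precede these checks in real use.

```python
"""Decode and check the claims of a SharePoint 2013 high-trust app access token.

Added example, not code from the original article or from Microsoft's TokenHelper.
All ids and the sample token below are constructed; the actor token's signature is a
placeholder, so the RS256 signature check is NOT done here and must come first."""
import base64
import json
import time

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"   # well-known SharePoint principal id
REALM = "4a7d0f1e-2c3b-4a5d-9e8f-1234567890ab"                  # constructed: farm realm
CLIENT_ID = "3b5c1e2d-6f7a-4b8c-9d0e-abcdef012345"              # constructed: the app's client id
ISSUER_ID = "9a1b2c3d-4e5f-4a6b-8c7d-0123456789ab"              # constructed: registered token issuer id
HOST = "sp.contoso.local"                                        # constructed: SharePoint site host name


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWT into (header, payload). The signature is not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def _check_window(claims: dict, now: int) -> None:
    if not (int(claims.get("nbf", 0)) <= now < int(claims.get("exp", 0))):
        raise ValueError("token is outside its nbf/exp window")


def check_access_token(token, host, realm, issuer_id, client_id, now=None):
    """Validate the claims of a delegated (user + app) high-trust access token.

    Returns the app and user identities the token asserts. Note what is NOT in the
    token: no password, hash or Kerberos ticket, only identifiers, which is why an
    access token is not a logon token."""
    now = int(time.time()) if now is None else now
    audience = f"{SHAREPOINT_PRINCIPAL}/{host}@{realm}"
    _, outer = decode_jwt(token)
    if outer.get("aud") != audience:
        raise ValueError(f"audience {outer.get('aud')!r} is not this site")
    if outer.get("iss") != f"{client_id}@{realm}":
        raise ValueError("outer token issuer must be the app itself")
    _check_window(outer, now)
    if "actortoken" not in outer:
        raise ValueError("no actor token: the app identity is missing")
    header, actor = decode_jwt(outer["actortoken"])
    if header.get("alg") != "RS256" or "x5t" not in header:
        raise ValueError("actor token is not certificate-signed")
    if actor.get("aud") != audience:
        raise ValueError("actor token audience mismatch")
    if actor.get("iss") != f"{issuer_id}@{realm}":
        raise ValueError("actor token was not issued by the registered trust broker")
    if actor.get("nameid") != f"{client_id}@{realm}":
        raise ValueError("actor token names a different app")
    if str(actor.get("trustedfordelegation")).lower() != "true":
        raise ValueError("app is not trusted to act on behalf of a user")
    _check_window(actor, now)
    return {"app": actor["nameid"], "user": outer.get("nameid"), "user_issuer": outer.get("nii")}


def build_sample_token(user_sid, now, lifetime=12 * 3600):
    """Constructed sample in the high-trust shape; the inner signature is a placeholder."""
    audience = f"{SHAREPOINT_PRINCIPAL}/{HOST}@{REALM}"
    actor_claims = {"aud": audience, "iss": f"{ISSUER_ID}@{REALM}", "nbf": now, "exp": now + lifetime,
                    "nameid": f"{CLIENT_ID}@{REALM}", "trustedfordelegation": "true"}
    actor_header = {"typ": "JWT", "alg": "RS256", "x5t": "c29tZS1jZXJ0LXRodW1icHJpbnQ"}  # constructed thumbprint
    actor = ".".join([_b64url_encode(json.dumps(actor_header).encode()),
                      _b64url_encode(json.dumps(actor_claims).encode()),
                      _b64url_encode(b"placeholder-not-a-real-rsa-signature")])
    outer_claims = {"aud": audience, "iss": f"{CLIENT_ID}@{REALM}", "nbf": now, "exp": now + lifetime,
                    "nameid": user_sid, "nii": "urn:office:idp:activedirectory", "actortoken": actor}
    outer_header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(outer_header).encode()),
                     _b64url_encode(json.dumps(outer_claims).encode()), ""])


if __name__ == "__main__":
    t = int(time.time())
    token = build_sample_token("S-1-5-21-1004336348-1177238915-682003330-1001", t)  # constructed SID
    print(check_access_token(token, HOST, REALM, ISSUER_ID, CLIENT_ID, now=t + 60))
```

The audience claim ties the token to one site and realm, the actor token's issuer ties it to the issuer registered with New-SPTrustedSecurityTokenIssuer, and trustedfordelegation is what lets the app act for the user named in the outer nameid claim; a token that fails any of those checks, or whose nbf/exp window has passed, should be rejected before any permission is evaluated.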

A SharePoint Store app therefore gets access to SharePoint server resources without ever obtaining the user's credentials. Its access is authenticated through ACS, which the server running SharePoint 2013 trusts, and then authorized against the combined set of app and user permissions: for a request made on behalf of a user, the effective permission is the intersection of what the app was granted and what the user is allowed to do.