
Post on 14-Mar-2018


TH3 Office 365 REST APIs

Peter Carson

• President, Envision IT

• SharePoint MVP

• peter@envisionit.com

• http://blog.petercarson.ca

• www.envisionit.com

• Twitter @carsonpeter

• VP Toronto SharePoint User Group

Agenda

Envision IT Background

API Background

Documents

Search

Authentication

Q&A

Envision IT Services

• Focused exclusively on SharePoint

• Web Content Management – public web sites, Intranets, Extranets

• Portals and Collaboration – document management, forms, BI

Products

Who needs an API?

• Custom Web Parts

• Console Applications

• Workflows

• PowerShell

• SharePoint Apps

• Client Side Code (JavaScript)

How Are You Calling?

• C#

– On the SharePoint Server (Full trust code): Web Parts, Workflows, Console Apps

– Another Server (High Trust Apps): Provider Hosted Apps, Remote Event Receivers, Console Apps

• JavaScript

– SharePoint or Cloud Hosted Apps

– Client side code

Full Trust Code

• Runs on the SharePoint Server

• Has access to the full server object model

• Traditional way SharePoint customizations were developed

• Not supported for Office 365

– Microsoft is not going to let you run your code on their multi-tenant farms

Calling from Outside SharePoint

• SOAP Web Services

– Supported back to MOSS 2007

– Difficult to work with, particularly through JavaScript

• Client Side Object Model (CSOM)

– Introduced in SharePoint 2010, expanded in 2013

– Libraries for C#, JavaScript, and Silverlight

• REST

– Introduced in SharePoint 2010, expanded in 2013

– At SPC 14 Vegas, Microsoft indicated this is the direction going forward

– Ideal for JavaScript

What is REST?

• Representational State Transfer

• Designed as an alternative to SOAP

– Simpler and easier to understand

• Architectural style, not a standard

• Client-Server, Stateless, Cacheable, Layered, Uniform Interface

Office 365 REST APIs

• Documents

• Search

• People

• Social

• Mail

• Calendar

• Bing

• Microsoft Dynamics

HTTP Verbs

| Verb | Purpose |
|------|---------|
| GET | Read from SharePoint |
| POST | Creates new objects |
| PUT | Updates an existing object. Any properties not set explicitly are overwritten to their default values |
| MERGE | Updates an existing object. Preserves any existing properties not being set |
| DELETE | Deletes the object |

Envision Shakespeare Company

• Reference project to demonstrate the features and capabilities of SharePoint 2013:

– Adaptive design for PC, tablet, and mobile

– Populated content including the complete works of Shakespeare

– Extensive use of catalogs and content search web parts

– SharePoint search with refiners and preview

– Image renditions, rotators, and galleries

– Video support

– PowerShell build of full site

– Site columns, content types, and branding with adaptive design packaged in Visual Studio

– Metadata navigation, friendly URLs, and import/export of the term store

• Available at www.envisionit.com/shakespeare

Shakespeare Package

• All design files (MindMap, Axure Wireframes, Word specification, Adobe and HTML mockups)

• Visual Studio 2012 solution

– Site columns and content types

– Branding (master page, page layouts, display templates, CSS, JavaScript)

– Term store navigation control

– Term store export/import tool with full support for 2013 navigation features

– Site content, including the complete works of Shakespeare tagged for the site

– PowerShell scripts for automated creation of the site, including site collection, features, and content

• This package can be easily deployed to a Cloudshare SharePoint 2013 test environment, or an on-premise farm.

Retrieving List Data

• Top level site

– http://shakespeare.labvm12.envisionit.com

• Retrieve all lists

– http://shakespeare.labvm12.envisionit.com/_api/lists

• Get fields from a list by list GUID

– http://shakespeare.labvm12.envisionit.com/_api/lists(guid'893525ab-6d50-425c-8858-c6294230aa75')/Fields

• Get list items from a list by Title

– http://shakespeare.labvm12.envisionit.com/_api/lists/GetByTitle('News')/items

Turn off feed reading view

• Provides the native XML back in the browser

Data Format

• By default data is returned as XML

– Easy to consume in C#

• Alternatively you can specify JSON as the format

– JavaScript Object Notation

– Much easier to manipulate in JavaScript or jQuery

List REST Call

http://shakespeare.labvm12.envisionit.com/Pages/News-Rest-list.aspx

var url = _spPageContextInfo.webAbsoluteUrl + '/_api/lists/GetByTitle(\'News\')/items';

// Build a table cell whose content is inserted as text, never parsed as HTML
function textCell(value) {
    return $('<td></td>').text(value == null ? '' : String(value));
}

var deferred = $.ajax({
    url: url,
    method: "GET",
    // Ask for JSON instead of the default XML response
    headers: { "accept": "application/json;odata=verbose" },
    success: function (data) {
        var results = data.d.results,
            $table = $('<table></table>');
        $table.append('<tr><td>Title</td><td>Summary</td><td>Article Date</td></tr>');
        $.each(results, function (i, item) {
            // List values go in through textCell so markup stored in a list item is not rendered
            $table.append($('<tr></tr>').append(
                textCell(item.Title), textCell(item.ESCSummary), textCell(item.ArticleStartDate)));
        });
        $('#RESTDemo').html($table);
    },
    error: function (jqXHR, textStatus, errorThrown) {
        // handle error
        alert('Error getting the News: ' + textStatus + ' ' + errorThrown);
    }
});

Search Driven Apps

• Read from the search index rather than directly from lists

• Can pull content from across multiple lists, sites, site collections, web applications, even farms

• News query for the browser

– http://shakespeare.labvm12.envisionit.com/_api/search/query?querytext=%27(path:"http://shakespeare.labvm12.envisionit.com/lists/News") (IsDocument:"True" OR contentclass:"STS_ListItem")%27&selectproperties=%27Title,owsESCSummary,ArticleStartDateOWSDATE%27

– %27 is a single quote

• http://shakespeare.labvm12.envisionit.com/Pages/News-Rest-Search.aspx

Search Rest Call

var newsItems = [];
var url = _spPageContextInfo.webAbsoluteUrl + '/_api/search/query?querytext=' +
    '%27(path:"' + _spPageContextInfo.webAbsoluteUrl + '/lists/News") (IsDocument:"True" OR contentclass:"STS_ListItem")%27' +
    '&selectproperties=%27Title,owsESCSummary,ArticleStartDateOWSDATE%27';

// Build a table cell whose content is inserted as text, never parsed as HTML
function textCell(value) {
    return $('<td></td>').text(value == null ? '' : String(value));
}

var deferred = $.ajax({
    url: url,
    method: "GET",
    headers: { "accept": "application/json;odata=verbose" },
    success: function (data) {
        var results = data.d.query.PrimaryQueryResult.RelevantResults.Table.Rows.results;
        // Each result row is a list of Key/Value cells; pick out the selected properties
        for (var i = 0; i < results.length; i++) {
            var fields = results[i].Cells.results;
            var title = '',
                summary = '',
                articledate = null;
            for (var j = 0; j < fields.length; j++) {
                if (fields[j].Key == 'Title') title = fields[j].Value;
                else if (fields[j].Key == 'owsESCSummary') summary = fields[j].Value;
                else if (fields[j].Key == 'ArticleStartDateOWSDATE') articledate = fields[j].Value;
            }
            newsItems.push({ 'Title': title, 'ESCSummary': summary, 'ArticleStartDate': articledate });
        }
        var $table = $('<table></table>');
        $table.append('<tr><td>Title</td><td>Summary</td><td>Article Date</td></tr>');
        $.each(newsItems, function (i, item) {
            // Search values go in through textCell so indexed markup is not rendered
            $table.append($('<tr></tr>').append(
                textCell(item.Title), textCell(item.ESCSummary), textCell(item.ArticleStartDate)));
        });
        $('#RESTDemo').html($table);
    },
    error: function (jqXHR, textStatus, errorThrown) {
        // handle error
        alert('Error getting the News: ' + textStatus + ' ' + errorThrown);
    }
});

Christie Medical Business Case

• Christie Digital is a World Leader in Visual Solutions for World-Class Organizations

• Christie Medical’s web site was a subsite of Christie Digital, at www.christiedigital.com

• Marketing was looking for a distinct brand and URL for the Medical division

Christie Medical Site Build

• Net new site build

• Completely independent site with its own URL and identity

• New branding and creative

• Built from the ground up to leverage SharePoint 2013

• Live at www.christiemed.com

• Dev site is at https://christiemedical.envisionit.com/

• Extensive leveraging of the Content Search Web Part

Bing Maps Integration

CSWP Challenges

• CSWP is a very powerful web part

• Enterprise CAL only or E3/E4 in Office 365

– Not an issue on an anonymous site, full Enterprise features are included

• Limits results to a maximum of 50

– Paging is supported for going beyond this

– This obviously doesn’t work for the Bing Maps mashup

REST Challenges

• By default the REST API is not available anonymously

• Should only minimally relax security for it to work

• Done through the queryparametertemplate.xml file

– Placed in a document library in the root site collection

– Requires the farm, site, and web IDs, and what search capabilities should be turned on anonymously

• Waldek Mastykarz (MVP) has an excellent post describing this

– http://www.mavention.com/blog/configuring-sharepoint-2013-search-rest-api-anonymous-users

REST Implementation

var localSite = _spPageContextInfo.webAbsoluteUrl;
var url = localSite +
    '/_api/search/query?querytext=' +
    '%27(path:"' + localSite + '/lists/distributors") (IsDocument:"True" OR contentclass:"STS_ListItem")%27' +
    '&selectproperties=%27Title,WorkAddressOWSMTXT,WorkCountryOWSTEXT,PrimaryNumberOWSTEXT,LogoImageOWSIMGE,UrlOWSTEXT,LatitudeOWSNMBR,LongitudeOWSNMBR%27' +
    '&QueryTemplatePropertiesUrl=%27spfile://webroot/queryparametertemplate.xml%27' +
    '&rowlimit=500';

Simcoe County District School Board

– 50,000 students

– Over 6,000 employees

– Board office in Barrie

– Bordered by the Holland Marsh in the south, the Trent-Severn Waterway in the east, Grey County in the west and Muskoka in the north

Simcoe County District School Board

• 119 schools and centres

– 87 elementary

– 16 secondary

– 6 learning centres

– 10 alternative

• Each needs their own web site

– Being built on SharePoint 2013

– Elementary panel first

– Each has their own unique URL

– Content authored both at the school and centrally from the board

• www.scdsb.on.ca

– Pre-existing SharePoint 2010 site

– Future goal is to rebuild in SharePoint 2013

Forest Hill Public School

• First pilot school

• Located in Midhurst, Ontario

• Local school content author training completed

• Launch content loaded

• Going through final QA

• Launch end of April 2014

• http://for.scdsb.on.ca

Site Features

• Fully adaptive design

• SharePoint 2013 host named site collection

• Template makes it easy to bring up new school sites

• News and events can be targeted by the board to any number of school sites

– Target by panel, weather zone, trustee, language

– Presented in a blended view with the school news and events

• Home page rotator, links, hours, content pages all managed by the school staff

• SEO-friendly URLs – term store navigation

Desktop

Tablet and Smartphone

Events

• Fully adaptive calendar

• REST search driven

• jQuery and Twitter Bootstrap adaptive design

Authentication

• Examples so far have been reading and displaying information

• Calls are coming from SharePoint hosted JavaScript

• Security is less onerous

– APIs just need to make sure results are security trimmed

• Updating requires one additional item

Posting

• When posting, you need to provide the form digest value

– Prevents replay attacks

• Your master page should have it

– <SharePoint:FormDigest runat="server" />

• Time expiring, so refresh if you’re staying on one page for a long time

– UpdateFormDigest(_spPageContextInfo.webServerRelativeUrl, _spFormDigestRefreshInterval)
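The digest expiry described above can also be handled by asking the server for a fresh value. This is an added example, not code from the original slides: it caches the digest returned by the `/_api/contextinfo` endpoint and re-fetches it shortly before `FormDigestTimeoutSeconds` runs out. The `postJson` transport, the `createDigestProvider` name, the 60-second safety margin and the `sharepoint.example` host are assumptions made for the illustration.

```javascript
// Added example. postJson(url, headers, success, failure) is a hypothetical transport
// wrapper (in a SharePoint page it would wrap $.ajax with type "POST").
function createDigestProvider(webUrl, postJson, now, skewMs) {
    var cached = null; // { value, expiresAt } once a digest has been fetched
    skewMs = skewMs === undefined ? 60000 : skewMs;
    function getDigest(success, failure) {
        // Reuse the cached digest only while it is safely inside its lifetime
        if (cached !== null && now() + skewMs < cached.expiresAt) {
            success(cached.value);
            return;
        }
        postJson(webUrl + '/_api/contextinfo',
            { 'Accept': 'application/json;odata=verbose' },
            function (data) {
                var info = data && data.d && data.d.GetContextWebInformation;
                if (!info || typeof info.FormDigestValue !== 'string' ||
                        !(info.FormDigestTimeoutSeconds > 0)) {
                    cached = null;
                    failure(new Error('contextinfo returned no usable form digest'));
                    return;
                }
                cached = {
                    value: info.FormDigestValue,
                    expiresAt: now() + info.FormDigestTimeoutSeconds * 1000
                };
                success(cached.value);
            },
            function (err) { cached = null; failure(err); });
    }
    // Call invalidate() when a write is rejected for a stale digest, then retry once
    return { getDigest: getDigest, invalidate: function () { cached = null; } };
}

// Constructed demonstration: fake clock and stub transport, no network access
function demo() {
    var clock = 0, calls = 0, seen = [];
    function stub(url, headers, success) {
        calls++;
        success({ d: { GetContextWebInformation: {
            FormDigestValue: 'digest-' + calls, FormDigestTimeoutSeconds: 1800 } } });
    }
    var provider = createDigestProvider('https://sharepoint.example', stub, function () { return clock; });
    function record(v) { seen.push(v); }
    provider.getDigest(record, record);                            // first call fetches
    clock = 10 * 60 * 1000; provider.getDigest(record, record);    // still cached
    clock = 29.5 * 60 * 1000; provider.getDigest(record, record);  // near expiry: refetch
    return { calls: calls, seen: seen };
}
```

The value passed to `success` is what goes into the `X-RequestDigest` header of a write request.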

POST Sample

function addListItem(url, listname, metadata, success, failure) {
    // Prepping our update
    // getListItemType is a helper defined elsewhere (not shown on this slide)
    var item = $.extend({
        "__metadata": { "type": getListItemType(listname) }
    }, metadata);
    // Executing our add
    $.ajax({
        // Double any single quote so the list name stays inside the quoted string in the URL
        url: url + "/_api/web/lists/getbytitle('" + encodeURIComponent(listname.replace(/'/g, "''")) + "')/items",
        type: "POST",
        contentType: "application/json;odata=verbose",
        data: JSON.stringify(item),
        headers: {
            "Accept": "application/json;odata=verbose",
            // Form digest from the page; the server rejects the write without it
            "X-RequestDigest": $("#__REQUESTDIGEST").val()
        },
        success: function (data) {
            success(data); // Returns the newly created list item information
        },
        error: function (data) {
            failure(data);
        }
    });
}

DELETE Sample

function deleteListItem(url, listname, id, success, failure) {
    // getting our item to delete, then executing a delete once it's been returned
    // getListItem is a helper defined elsewhere (not shown on this slide)
    getListItem(url, listname, id, function (data) {
        $.ajax({
            url: data.d.__metadata.uri,
            type: "POST",
            headers: {
                "Accept": "application/json;odata=verbose",
                // The request is sent as a POST and this header carries the DELETE verb
                "X-Http-Method": "DELETE",
                "X-RequestDigest": $("#__REQUESTDIGEST").val(),
                // Send the etag of the item that was just read
                "If-Match": data.d.__metadata.etag
            },
            success: function (data) {
                success(data);
            },
            error: function (data) {
                failure(data);
            }
        });
    });
}

OAuth

• Standard way for apps to authenticate to web sites

• Not just for SharePoint

– Facebook, Twitter

• In SharePoint it requires Windows Azure Access Control Services (ACS)

OAuth Authentication Process

[Sequence diagram. Participants: User, Provider App, Windows Azure AD. Message labels: Browse app; No Token; Redirect to SP Request Auth Code; Redirect to App Return Auth Code; Request Access Token; Return Token; Save Token in session; REST call with Token; Return JSON data; Return page]

High Trust Apps

• Server to server trust

• Uses digital certificates to establish a trust between the remote web application and SharePoint 2013

• Can only be installed to on premises SharePoint, not to Microsoft SharePoint Online

• User security is up to the app. SharePoint trusts the app implicitly

Common Consent Framework

• Enables web applications to access multiple workloads and resources across Office 365

– Can create web applications that access Microsoft OneDrive for Business files, SharePoint Lists, Exchange Calendars using Single-Sign On and an OAuth Provider.

• Windows Azure Active Directory implements common consent

– All user accounts, application registrations, and permissions are stored in Windows Azure AD

– It implements the OAuth protocol for authorizing access from your web application to Office 365 resources

• Once your web application is registered in Windows Azure AD, administrators can grant it access to Office 365 resources or users can grant access to their own resources in Office 365.

One Authentication to Office 365 APIs

Sign-On experience using Organizational Account

Combined Consent Across all Office 365 APIs

Basic Auth Protocol Flow with Office 365

[Sequence diagram. Participants: User, App, AAD OAuth2 server (Authorization/Token Issuing endpoints), Office 365 Exchange API endpoint, Office 365 SharePoint API endpoint. Message labels: Authorization Request; User Login & Consent; Code; Use Code to get Exchange API Token; Token Response; Call API with Token; Use refresh token to get SharePoint API Token; Token Response; Call API with Token]

Graph API

• Part of Azure AD

• Provides a REST interface to query and update Windows Azure AD (WAAD)

• Create and manage users, groups

• Assign subscriptions for Office 365

• Changing quickly over the last several months

Provider App Challenge

• No way to programmatically install apps on new sites and pages

• App model expects that a user will install and trust the app

• Not appropriate for many business apps

Roll Your Own REST

• Visual Studio WebAPI

• Build your business logic on the server (but not on SharePoint)

– Field level security

– Business rules

– Reading and writing from multiple data sources

• Create a REST interface for your client side code

• Use Server to Server Trust to communicate with SharePoint

Alternative Authentication Process with JWT

[Sequence diagram. Participants: User, Client Side Code, Provider App, Thinktecture. Message labels: Browse app; No JWT; Redirected to IP; Return JWT Security Token; App trusts IP; Return page; REST call with Token (JWT); Save Token in session; Return JSON data]

Frameworks

• Great open source community

• jQuery is a given when working with REST

• Handlebars.js is a templating engine for formatting the results

• KnockoutJS and AngularJS for building single page apps

– Microsoft is investing heavily in supporting AngularJS, including Visual Studio support

Questions and Answers

Links

• http://blog.petercarson.ca

• www.envisionit.com

• www.envisionit.com/shakespeare

• www.christiemed.com

• for.scdsb.on.ca

• Get started with the SharePoint 2013 REST service

• www.plusconsulting.com/blog/2013/05/crud-on-list-items-using-rest-services-jquery

• How to: Create high-trust apps for SharePoint 2013
