Page 1
Handling Cross-Domain calls & authentication in SharePoint 2013
Stephane Eyskens
Page 2
About me
• SharePoint Server MVP since 2008
• Blog: http://www.silver-it.com
• @stephaneeyskens
Page 3
Poll
• Who has already developed Apps for customers?
• Who has deployed an App to the Office Store?
• Who has used CORS in a real-world project?
Page 4
Take away
• CORS is your friend
• The SharePoint Cross-Domain Libraries do not actually make cross-domain calls (they relay through a hidden IFRAME hosted on the SharePoint domain)
• HTML5 is your friend too
• Everything is a question of HTTP headers in the end
Page 5
Cross-Domain challenges
• Same-Origin Policy
• Authentication across domains isn't easy
Page 6
Same-Origin Policy reminder
http://intranet.contoso.com
http://collaboration.contoso.com:80/
An origin is the triple (protocol, host, port). The two URLs above share the scheme, the default port 80 and the parent domain contoso.com, but the host names differ, so the browser treats them as two different origins and blocks script on one from reading responses of the other.
Page 7
Same-Origin Policy Workaround #1
Using a proxy
PROS
• Works with every browser
CONS
• One more hop
• Must handle scaling
• Not easy to authenticate against the target domain: the proxy, not the user's browser, is the client the target sees
Page 8
Same-Origin Policy Workaround #2
JSONP
PROS
• None
CONS
• Is a browser hack: the "response" is a script tag, so the target's code runs with the full privileges of the calling page and must be trusted completely
• Limited to GET (a script tag cannot POST) unless you hack it even more; no request headers, no status codes, no error handling
Page 9
Same-Origin Policy Workaround #3
Using a reverse proxy
• Browser requests http://intranet/fakeurl/someservice/
• Reverse proxy rewrites the request to http://target/someservice/, so the browser only ever sees the intranet origin
Page 10
Same-Origin Policy Workaround #3
Using a reverse proxy
PROS
• Works with every browser
• Possibility to forward authentication credentials (e.g. with SiteMinder)
• Transparent authentication if SSO is available
• No coding effort
CONS
• More of an on-premises solution
• Enterprise reverse proxies are usually not available on dev boxes
Page 11
Demos
Reverse proxy on a dev box
Page 12
Same-Origin Policy Workaround #4
IFRAMES
PROS
• Super easy
• No more cross-domain call: the framed page runs on its own origin
• Authentication is handled by the browser
CONS
• SharePoint sends X-Frame-Options: SAMEORIGIN out of the box, so its pages refuse to be framed from another origin
• IFRAMES are not a real integration: the two documents share neither DOM nor script
Page 13
Demos
IFRAMES
Page 14
IFRAME Recap
• Remove X-Frame-Options, or allow explicit origins via a reverse proxy or an HTTP module (X-Frame-Options: ALLOW-FROM takes a single origin and is not honoured by every browser; Content-Security-Policy: frame-ancestors is the standardised replacement)
• Use <WebPartPages:AllowFraming runat="server" /> on the pages that must be frameable
Page 15
Same-Origin Policy Workaround #5
HTML5 postMessage API
Page 16
HTML5 postMessage API
PROS
• Fast as a rocket
• Supported, at least partially, by all browsers
• Authentication is handled by the browser
CONS
• SharePoint sends X-Frame-Options: SAMEORIGIN out of the box, so the framed side needs the same fix as plain IFRAMES
• Security risks involved: a message listener that does not check the sender's origin accepts input from any page that can obtain a reference to the window
• Hard to maintain
Page 17
Demos
HTML5 postMessage API
Page 18
HTML5 postMessage API Recap
• Remove X-Frame-Options or allow explicit origins
• In code, check the origin of the sender (event.origin) against an allow-list, and always pass an explicit targetOrigin when sending (never "*")
• SharePoint 2013 already uses this API in CustomActions & popup windows
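The exchange the recap describes, as an added example that is not part of the deck: a host page posts a command to a framed app page with an explicit targetOrigin, and the frame's listener rejects anything whose origin is not allow-listed or whose payload is malformed before it acts or replies. The origins (intranet.contoso.com, app.contoso.com), the command format and the fake window objects used to run it outside a browser are assumptions for this example.

```javascript
// Added example (not from the deck): origin-checked postMessage exchange
// between a SharePoint host page and a framed app page.
// Assumed origins and message shape; fake windows stand in for real ones.

const TRUSTED_PARENT_ORIGINS = ['https://intranet.contoso.com'];

// Receiving side (runs in the framed page). Returns a handler suitable for
// window.addEventListener('message', handler). A message is acted on only if
// its origin is allow-listed AND its payload has the expected shape;
// event.data is never eval'd or injected as HTML.
function makeMessageHandler(allowedOrigins, onCommand) {
  const allowed = new Set(allowedOrigins);
  return function handleMessage(event) {
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: 'untrusted origin ' + event.origin };
    }
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.command !== 'string') {
      return { accepted: false, reason: 'malformed message' };
    }
    const result = onCommand(msg);
    // Reply only to the sender, and only to its exact origin, never '*'.
    if (event.source && typeof event.source.postMessage === 'function') {
      event.source.postMessage({ replyTo: msg.command, result }, event.origin);
    }
    return { accepted: true, result };
  };
}

// Sending side (runs in the host page). Refuses the '*' wildcard so a frame
// that was navigated elsewhere cannot receive the message.
function sendToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post with wildcard targetOrigin');
  }
  frameWindow.postMessage(message, targetOrigin);
}

// Constructed stand-in for a window so the exchange runs under Node.js.
function fakeWindow() {
  const received = [];
  return { received, postMessage(data, origin) { received.push({ data, origin }); } };
}

function demo() {
  const appFrame = fakeWindow();   // plays the framed app page
  const hostPage = fakeWindow();   // plays the SharePoint host page

  const handler = makeMessageHandler(TRUSTED_PARENT_ORIGINS, (msg) =>
    msg.command === 'getTitle' ? 'Cross-domain demo' : 'unknown command');

  // 1. Host posts to the frame with an explicit targetOrigin.
  sendToFrame(appFrame, { command: 'getTitle' }, 'https://app.contoso.com');

  // 2. The frame's listener receives it as an event from the host's origin.
  const ok = handler({ origin: 'https://intranet.contoso.com', data: appFrame.received[0].data, source: hostPage });

  // 3. An attacker page that embedded the same frame tries the same command.
  const evil = handler({ origin: 'https://evil.example', data: { command: 'getTitle' }, source: fakeWindow() });

  // 4. A trusted origin sends a payload of the wrong shape.
  const bad = handler({ origin: 'https://intranet.contoso.com', data: 'getTitle', source: hostPage });

  return { ok, evil, bad, replies: hostPage.received };
}
```

In a real page the handler is registered with window.addEventListener('message', handler) and the host calls sendToFrame(iframe.contentWindow, …). The origin check has to be an exact string comparison against a fixed list; a startsWith or indexOf test on event.origin is the classic bug that lets https://intranet.contoso.com.evil.example through.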
Page 19
Same-Origin Policy Workaround #6
SharePoint Cross-Domain Libraries
PROS
• OOTB
CONS
• Only usable in Apps
• Only target the SharePoint OOTB endpoints in an authenticated manner; Provider-Hosted Apps cannot do both CSOM & JSOM at the same time
• Non-OOTB endpoints must be registered in the AppManifest & are called anonymously
Page 20
Demos
I'm going to get you confused now
Page 21
Same-Origin Policy Workaround #7
CORS
Page 22
Same-Origin Policy Workaround #7
CORS
PROS
• Granular control on the server (per origin, method and header)
• Possibility to forward authentication credentials
• Emerging standard (recently enabled on Azure Storage)
CONS
• Requires IE 10+ (IE8/9 only offer the limited XDomainRequest object)
• Requires configuration effort on the server
• Currently not possible to enable CORS on Office 365
Page 23
Demo
• Consume custom REST services hosted inside of SharePoint
Page 24
CORS Config Recap
• Add the necessary HTTP response headers (Access-Control-Allow-Origin, -Allow-Methods, -Allow-Headers, -Allow-Credentials)
• Use either a reverse proxy, a custom HTTP module or a rewriter engine to emit the headers
• Use the Access-Control-Max-Age header so the browser caches the preflight response
• When using Access-Control-Allow-Credentials: true you can't use * as the allowed origin; echo the specific, allow-listed origin back and add Vary: Origin so caches don't serve one origin's answer to another
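The decision logic behind that recap, as an added example that is not part of the deck or of any SharePoint component: the function a reverse proxy or HTTP module would apply to each request to decide whether to answer a preflight itself and which CORS headers to attach. The allow-list, the methods and headers (SharePoint REST uses POST plus X-RequestDigest and X-HTTP-Method), the 600-second max-age and the sample requests are all assumptions for this example.

```javascript
// Added example (not from the deck): CORS header logic for a reverse proxy or
// HTTP module in front of SharePoint REST endpoints. Policy values are assumed.

const CORS_POLICY = {
  allowedOrigins: ['https://intranet.contoso.com', 'https://app.contoso.com'],
  allowedMethods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type', 'Accept', 'X-RequestDigest', 'X-HTTP-Method', 'IF-MATCH'],
  allowCredentials: true,     // the browser will send cookies / the NTLM session
  maxAgeSeconds: 600,         // how long the browser may cache the preflight answer
};

// Header names are case-insensitive; look them up accordingly.
function header(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : req.headers[key];
}

// Returns { status, headers }. status === null means "pass the request on to
// SharePoint and add these headers to its response"; a numeric status means
// "answer here with that status and no body".
function corsResponse(req, policy) {
  const origin = header(req, 'Origin');
  if (origin === undefined) {
    return { status: null, headers: {} };              // same-origin or non-browser client
  }
  if (!policy.allowedOrigins.includes(origin)) {
    // Unknown origin: emit no CORS headers at all, so the browser withholds the
    // response from script. Never fall back to '*'.
    return { status: req.method === 'OPTIONS' ? 403 : null, headers: {} };
  }

  const headers = {
    // With credentials the origin must be echoed verbatim ('*' is refused by
    // the browser), so the response varies per requester and caches must know.
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
  };
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS' && header(req, 'Access-Control-Request-Method') !== undefined;
  if (!isPreflight) {
    return { status: null, headers };                  // actual request: pass through
  }

  const wantMethod = header(req, 'Access-Control-Request-Method');
  const wantHeaders = (header(req, 'Access-Control-Request-Headers') || '')
    .split(',').map((h) => h.trim()).filter(Boolean);
  const allowedLower = policy.allowedHeaders.map((h) => h.toLowerCase());
  const methodOk = policy.allowedMethods.includes(wantMethod);
  const headersOk = wantHeaders.every((h) => allowedLower.includes(h.toLowerCase()));
  if (!methodOk || !headersOk) {
    return { status: 403, headers: {} };               // browser reports a CORS failure
  }
  headers['Access-Control-Allow-Methods'] = policy.allowedMethods.join(', ');
  headers['Access-Control-Allow-Headers'] = policy.allowedHeaders.join(', ');
  headers['Access-Control-Max-Age'] = String(policy.maxAgeSeconds);
  return { status: 204, headers };                     // answer the preflight here
}

// Constructed requests: a preflight for a REST POST from the app domain, the
// matching actual request, and a preflight from an unknown origin.
const PREFLIGHT = {
  method: 'OPTIONS',
  url: '/_api/web/lists',
  headers: {
    origin: 'https://app.contoso.com',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'content-type, x-requestdigest',
  },
};
const ACTUAL = { method: 'POST', url: '/_api/web/lists', headers: { Origin: 'https://app.contoso.com' } };
const FOREIGN = { method: 'OPTIONS', url: '/_api/web', headers: { Origin: 'https://evil.example', 'Access-Control-Request-Method': 'GET' } };
```

On the calling side the browser only attaches cookies when the script asks for them (xhr.withCredentials = true, or credentials: 'include' with fetch), and it is exactly that flag that makes the wildcard origin unusable. Answering the preflight in the proxy or module, rather than letting it reach SharePoint, also keeps an unauthenticated OPTIONS from being challenged with a 401 that the browser cannot handle.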
Page 25
CORS in a hybrid architecture
Page 26
Demo
Page 27
How to consume claims-aware WCF services hosted outside of SharePoint?
• Make the WCF service claims-aware, create a certificate, add it to the WCF bindings, export it
• Trust the certificate in SharePoint
• Use the SharePoint API (SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser)
• Not working with the Cross-Domain Libraries
• Not working with CORS (oops)
• Need to implement a custom proxy
Page 28
Alternative to CORS
Create your own REST endpoints
PROS
• Accessible from Apps
• Can be used together with the SharePoint Cross-Domain Libraries
• Well integrated into SharePoint
CONS
• On-premises only
• Hard
Page 29
OOTB REST endpoints
Foundation: _api/web, _api/site, _api/lists, _api/navigation, _api/events, _api/contextinfo
Server: _api/search, _api/SP.UserProfiles.PeopleManager, _api/social.feed, _api/social.following, _api/publishing, …
• http://office.microsoft.com/en-us/store/rest-api-demo-WA104068939.aspx
• http://sprest.architectingconnectedsystems.com/
Page 30
Demo
• Develop custom REST endpoints
Page 31
Summary
• The Cross-Domain Libraries are not the only option
• All the other options work with and without Apps
• With Apps, some approaches bypass the App security model
• Extending REST endpoints is hard but facilitates the authentication aspects